Message-ID: <2d6724810807271855l6a9ff88bje8d8505d05ddccbd@mail.gmail.com>
Date: Sun, 27 Jul 2008 21:55:15 -0400
From: "T Biehn" <tbiehn@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Dan Kaminsky Disclosure Methodology + Super Critical vulnerability disclosure in Windows

I thought Francis E Dec died...

On Sat, Jul 26, 2008 at 7:04 AM, n3td3v <xploitable@...il.com> wrote:
> On Sat, Jul 26, 2008 at 6:02 AM, eugaaa@...il.com <eugaaa@...il.com> wrote:
>> Instead of criticizing someone for releasing an exploit (which is a bit like
>> criticizing a cow for making milk), direct your attention to the fact that
>> an industry of professional security researchers sat Indian style (albeit
>> with respectable posture) eagerly awaiting the release of this exploit when
>> they had an advisory almost a month in advance. Sat like this, in the face
>> of overwhelming, and nearly embarrassing, media-whoring. An advisory was
>> released to foreshadow the release of a later exploit release. Nothing says
>> discreet like a banner advertising a bomb. This entire saga has been
>> revealing.
>>
>
> Hi bro,
>
> I just had too high an expectation of HD Moore, I thought he had
> turned good into a responsible and respected security researcher,
> although he still is a gangster in the gangsters' paradise. At least
> behind a keyboard :) He will grow up one day and become a role model
> for the younger generation, he's not at that stage yet. One day he
> will be a Bruce Schneier who blogs away about shit, right now HD Moore
> is hell bent on being an exploit code gangster.
>
> We gotta do something bout them exploit code gangsters, they got no
> head about them, they just go free styling and releasing code all over
> the town, they don't care bout shit except street cred, cash and
> chicks... the cops, they're chasing their tails, but them the exploit
> code gangsters, they always one step ahead of the game, jumping and
> diving hoops and loops through the laws, to get away with the shit
> they do, they are the exploit code gangsters... we gotta do something
> bout those exploit code gangsters, like tighten the grip on the law
> and get them mofos off our mailing list, raining on people's parade
> and shit. The F.B.I they ain't impressed, they sit and grin it, they
> can't do nothin' bout those exploit code gangsters, cos they are
> within the law to do their shit, and gain the credibility and gloat
> bout their exploit code crimes, while surfing the law. What we gonna
> do bout those exploit code gangsters? We can't do shit, they're within
> the law to do their shit, we just need to grin and bear it like the
> mother foookin F, B to the mother fuckin' I. The exploit code
> gangsters, they get away with it, cause they are the exploit code
> gangsters, they know that, we know that, who doesn't know that?
>
> All the best,
>
> n3td3v
>
>> Ice Breaker:
>>
>> On Fri, Jul 25, 2008 at 3:38 PM, n3td3v <xploitable@...il.com> wrote:
>>>
>>> On Fri, Jul 25, 2008 at 7:37 PM, Fredrick Diggle <fdiggle@...il.com>
>>> wrote:
>>> > 8. PROFIT!!!!
>>> >
>>>
>>> The security conference (Black Hat) will make the most money out of
>>> ticket sales.
>>>
>>> On the matter of the blog entry leak, I always thought that was a
>>> pretend accidental leak and not a real accidental leak. I mean we're
>>> not talking about newbies here, these guys are highly intelligent
>>> folks focused on information security issues, not the type of folks
>>> who genuinely press send on a blog entry by mistake without knowing that
>>> the blog data gets cached around the internet within seconds of the
>>> post going live. We shouldn't get into the conspiracy bullshit because
>>> it distracts us from more important stuff, but I was always under the
>>> assumption that the information leak was done on purpose, and made to
>>> look like an accidental leak.
>>>
>>> My focus is away from bashing Dan Kaminsky now about the over hype,
>>> and now focused on HD Moore and his partner I)ruid and the legality of
>>> their exploit code disclosure and their gloating that is now happening
>>> as we speak.
>>>
>>> Attacks are starting to be reported on unpatched DNS via Nanog mailing
>>> list and the SANS Internet Storm Center blog, and I'm not completely
>>> convinced that HD Moore and I)ruid should be walking away from this
>>> and not being criticized.
>>>
>>> In fact, I'm calling for big names in the industry to criticize HD Moore
>>> on the mailing lists and/or in the media.
>>>
>>> What I have noticed is that no big names have come out in support of
>>> what HD Moore has done, so that's a good thing.
>>>
>>> I praise CNET News's Robert Vamosi for not writing a single mention of
>>> HD Moore or Metasploit in his recent blog write up of the exploit code
>>> in the wild coverage http://news.cnet.com/8301-1009_3-9998406-83.html,
>>> because to me the whole thing feels criminal, even though it might not
>>> be, there is still a sense of criminality and wrongness in what HD
>>> Moore has done.
>>>
>>> Perhaps Nate McFeters can start following Robert Vamosi's lead in not
>>> mentioning HD Moore, I)ruid and the Metasploit framework. It's too
>>> late though because Nate McFeters has been promoting HD Moore and
>>> I)ruid's name and the Metasploit framework all week, so perhaps the
>>> ZDNet Zero-Day blog is a lost cause already of irreparable damage of
>>> promoting the name of the bad guys who released the exploit code to
>>> the wild in the first place, which I'm told by Valdis Kletnieks
>>> isn't a criminal offense, but in the eyes of n3td3v and the rest of
>>> the industry bloody well is the wrong precedent to set in info sec in
>>> promoting responsible disclosure or any kind of ethical standard.
>>>
>>> Hell people like HD Moore are supposed to be role models for a lot of
>>> people, scratch that, HD Moore is no role model for anything anymore.
>>> :( What have you become HD Moore and who is it you're trying to
>>> impress? Not anyone important, maybe a lot of cyber criminal circles,
>>> but certainly not the people you should be keeping on side on the
>>> mailing list scene or the wider security community and industry.
>>>
>>> You're not a hax0r anymore who can just do what he wants and f***
>>> around releasing exploit code anymore, you're looked up to by a lot of
>>> the young generation HDM, so think about that the next time you go
>>> freestyle on going behind the industry's back to bring yourself five
>>> minutes of fame, we all know you can program... you don't need to keep
>>> proving yourself with these ridiculous irresponsible exploit code
>>> disclosures anymore.
>>>
>>> I have one question to ask you HD Moore: what the hell are you playing
>>> at???
>>>
>>> All the best,
>>>
>>> n3td3v
>>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
