Open Source and information security mailing list archives
 
Date: Tue, 5 Aug 2008 13:58:55 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Media backlash begins against HD Moore and I)ruid

On Mon, Aug 4, 2008 at 4:44 AM,  <Valdis.Kletnieks@...edu> wrote:
> On Sun, 03 Aug 2008 22:36:09 BST, n3td3v said:
>
>> He has no excuse for what happened, he is a global international
>> hacker leading the release of the exploit code, it's his entire
>> responsibility to make sure his company is secure, even if the servers
>> that were vulnerable were owned by AT&T.
>
> And how, *exactly*, is he supposed to fix servers that aren't under his
> administrative control?
>
> Tell you what - the next time that the company that you get Internet access
> from has an issue, why don't you go ahead and fix it for them, and let us
> know how that all works out, 'kay?
>

In security you're meant to think out of the box and think about ALL
eventualities BEFORE something happens..

Why did he phone up and get the AT&T servers patched AFTER the
incident and not BEFORE he released the exploit code to the world?
Because he is a lamer who didn't think out of the box and didn't think
about all eventualities BEFORE hand, therefore HD Moore on this
occasion was a fucking lamer.

It's funny how he managed to get the AT&T servers fixed NOT under his
administrative control pretty damn quick AFTER the incident. Which
makes us the security community believe he could have foreseen the
obvious and get the AT&T servers fixed BEFORE the incident happened
just as quick as AFTER it if he was as good at security as he makes
out to be.

Or are you gonna come out with the usual bull shit like, if HD Moore
had phoned up BEFORE the incident, they wouldn't have listened to him
or patched anything, so in fact the release of the exploit code is
justified and the hack is justified because it leaned on AT&T to patch
their infrastructure.

The above paragraph is a flawed statement that I believe is bullshit,
but one that security researchers use every day to loop hole the law
and release exploit code and/or hack things.

Even IBM are starting to wake up that releasing exploit code to make
the world safer is fundamentally flawed bull shit to loop hole the law to
supply the bad guys with tools and/or code and to make a name for
themselves, while NOT making the security situation any more stable
out there on your web application and network security in the reality
of things.

HD Moore shouldn't have released the exploit code, that's the bottom
line of things and whoever hacked his crap web site via AT&T shouldn't
have done it, but who can HD Moore blame but himself? I suppose it's
all AT&T's fault that HD Moore's website got hacked, and not his...
I've heard it all now. It's incredible the amount of bull shit you come
out with Valdis to support your super hero HD Moore, and the release
of exploit code to the wild as making web application and network
security safer for everyone in the long term.

I'm just glad a big player like IBM is waking up to the fundamental
flaw in the excuse that security researchers give for supplying the
bad guys with code, to get a name for themselves and that it doesn't
make the world safer in reality.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
