Message-ID: <025B5895F8BCCC40AC35F6CD6D972B1C0C0F111515@cca-mail1.commonwealthcare.org>
Date: Fri, 13 Dec 2013 10:06:48 -0500
From: "Mikhail A. Utin" <mutin@...monwealthcare.org>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure

Answers:
1. If you are right and there is a bug, let the vendor (M$) know; that is ethical. They will decide whether to consider your finding a bug. Your following steps depend on their opinion of the finding.
2. If you keep it to yourself - no problem. If you disclose on the Internet before informing M$, there is a certain risk, but first of all it is not ethical. If you sell it as an exploit, and it is widely used as a 0-day, then there might be a hunt for your head with some bounty (you are not really breaking a law, as I wrote below, but an angry government may find something suitable for you). So, you need to consider the risks and how to hide your identity. If you found the bug without breaking MS code and without accessing a computer illegally, you do not break any formal law. Breaking MS code may be considered a violation of their property rights, but MS guys would have to be really angry to pursue such a case.
As you describe it, you did not do anything illegal, and releasing the finding is up to you; again - ethics.
3. It will make you a star, but not shining brings more risks.

In short - inform M$ first and wait to hear what they say. If they do not agree - you are free to go.

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of full-disclosure-request@...ts.grok.org.uk
Sent: Friday, December 13, 2013 7:00 AM
To: full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 106, Issue 12


Humans, Dwarves, Elves, Fairies and all free folk on this list:

Meli Kalikimaka.

I think I found a relatively small bug with Windows Server running DNS with recursion turned off, which still allows the server to be used for DDoS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off.
I want to put my findings here on the list, as well as on my blog, but I am unsure if:

1. should I tell MS first?
2. this being possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
3. will this make me a rock star?

I have details on the bug, as well as remediation steps. I would not say I "discovered" it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.

What say you, Wise List Readers?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/