Dailydave mailing list archives
Re: Moot choices, a sort of DD media party
From: Rodney Thayer <rodney () canola-jones com>
Date: Fri, 01 Jul 2005 08:31:47 -0700
Ok, here's a twist. I'm researching The Great IDN Disclosure. This is yet another tempest in a teapot you've probably never heard of. My fellow Shmoo, Eric, found some cases where you could construct a domain name that visually looked like one site (say, www.paypal.com) when in fact it was some crazy mutated unicode domain name from dotdashistan or something. What do you do when you find an exploit in a protocol spec? Do you disclose it to the standards body? Do you tell the vendor? Do you simply announce it? If you tell the vendor, is it ok for the vendor to choose to ignore you because they've faithfully implemented the standard and it's Not Their Problem? I guess my current allegedly interesting observation about disclosuers is - if you notify a vendor, and they ignore you or go into denial, then well they've just told you it's not an exploit and you can publish it whereever you damn well please. (not that I've ever had Cisco or Microsoft deny I've found bugs, oh, no, that'd never happen...) And if you think it's off topic, remember that the more trouble we make with primitive research tools, the more money we get to spend on copies of Canvas to do real security testing. Aleksander P. Czarnowski wrote:
Actually a bit related - but instead of operating on binary level we have a source code analysis approach presented here: http://www.securityfocus.com/news/11230 The whole disclosure debate is similar to the one regarding exploit publication etc. and I don't get really get it. The only explanation I can see it that fact that 99,99 of people who flood such debates with emails are not capable of doing real research or programming but they still want to be part of game. Just 2 cents Cheers, Aleksander Czarnowski AVET INS-----Original Message-----From: Dave Aitel [mailto:dave () immunitysec com] Sent: 1 lipca 2005 16:37To: dailydave Subject: [Dailydave] Moot choices, a sort of DD media partyReverse engineering patches making disclosure a moot choice? Robert Lemos, SecurityFocus 2005-07-01When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper....http://www.securityfocus.com/news/11235 My fav line: "Many people seem to pour time into the disclosure debate that should be spent elsewhere," [Halvar Flake] said. "It's fruitless and boring and has been for a few years." -dave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Moot choices, a sort of DD media party Dave Aitel (Jul 01)
- <Possible follow-ups>
- RE: Moot choices, a sort of DD media party Aleksander P. Czarnowski (Jul 01)
- Re: Moot choices, a sort of DD media party Rodney Thayer (Jul 01)
- Message not available
- Re: Moot choices, a sort of DD media party Rodney Thayer (Jul 01)
- Re: Moot choices, a sort of DD media party Aviram Jenik (Jul 02)
- Re: Re: Moot choices, a sort of DD media party Florian Weimer (Jul 02)
- Re: Moot choices, a sort of DD media party Rodney Thayer (Jul 01)
- Re: Moot choices, a sort of DD media party Florian Weimer (Jul 02)
- RE: Moot choices, a sort of DD media party Cesar (Jul 01)
- Re: Moot choices, a sort of DD media party Matt Hargett (Jul 01)