Full Disclosure mailing list archives
Ka's msg re: Bugtraq delay/censorship
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Mon, 19 Aug 2002 19:19:31 -0700
Sorry to re-include the entire message, but it is germane. Ka, your concerns about Bugtraq delaying or otherwise holding vulnerability posts are well founded. Since 9/11, all of the "major" security forums, such as Bugtraq, have been co-opted by one or more national governments. Also, notice how quickly commercial PGP support went "poof!" post 9/11? How about Zero-Knowledge's Freedom? No Grassy Knoll mysteries here, folks. It's right out in plain sight. For instance, when the SNMP/ASN.1 vulnerability went down, people in U.S. security companies that recognized the danger and talked about it were called by one or more agencies and essentially told to STFU about it immediately. And no, none of us found that "uber-sekret OUSPG web page" amd got our mitts on PROTOS before we were supposed to know about it...really we didn't! *cough cough* Of course, that only led to less open discussion, which in turn forced CERT to release the information earlier than they wanted to. The end result was the same but those with a clue knew the boundaries had just been radically redrawn. And that it was time to get our arses well outside those newly constructed walls...again... There is also a theory that once SecurityFocus co-opted Bugtraq, business considerations came first. Read into that what you will. All I know is that I liked the SecurityFocus gang much better when they were that brash Ballista crew. Now it's all about the money. Can you say "Symantec"? I thought you could. ;) All the content we created was sold for $75 million. I don't know about you, but my cut was zilch. We should get free copies of NAV for about...oh, the next thousand years will do. Full Disclosure is about the only place left for the unfiltered, unfettered truth to get out. Kudos to Len. Brave dude. As for the recent spate of what some call "noise", blame iDefense's crass commercialism and "anything to generate press releases" pseudo-marketing campaign. What a crock. But I bet it looks good to the Capitol Hill crowd, eh? Gettin' that "post 9/11 Cyberterror pork" aren't you? Yummy. Sluurrrrp! You and @Steak..sorry, I meant @Snake ...errm...long, long way from Black Crawling Systems, whatever you want to call 'em. And who was Brian Oblivion in real life, anyway? I've always wondered about that... The "underground", regardless of how it is perceived or how it chooses to portray some elements of itself, is alive and kicking - same as it ever was even in the days of L0pht, root.org, and folks like Ice9. But I wonder if the time has come to begin construction of Gibson's "Walled City" (see his novel "Idoru") or Stephenson's "Metaverse" (from his "Snow Crash") and totally unplug from the made-for-TV tragedy called "The Taming of the 'Net"...just a thought... HC ----- "Communication is only possible among equals."
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Dave, please let me post this private question to the list, it's part of the current discussion and the necessity for open-disclosure. At Montag, 19. August 2002 22:59 Dave Ahmad wrote:[Ka:]I'm appreciating this list very much, in fact after recognizing that for example bugtraq is withholding critical information often for weeks, I[Dave:] Often for weeks? I am very interested in knowing when this has occured. Care to cite some occasions?On the 15th of May Dustin Childers reported a DOS bug in Qpopper in bugtraq Date: 15 Mar 2002 01:51:10 -0000 From: Dustin Childers <dustin () acm org> To: bugtraq () securityfocus com Subject: Bug in QPopper (All Versions?) The following discussions among the qpopper developers centered mainly about the question which OS might be vulnerable. This discussion was mystified, because most members of the list did not have the actual exploit available (a CPU-hog after sending a very long string AND then disconnecting). Most of them just tested the long string while keeping the tcp-connection open and therefore erronously believed their systems to be 'not vulnerable'. I send some postings immediatedly to bugtraq, trying to circumvent the problem -- rather ineffective and faulty, but nevertheless my postings have been withheld by the buqtraq editors. At that time questions regarding that DOS have been seen by me in buqtraq, but no relevant info made it into the list. Only Dustin Childers himself put information about the vulnerable OSs on his site, but buqtraq kept silent and thus fostered the illusion, that only rare and special OS might be vulnerable. The Qpopper community (Clifton Royston) created a patch for that flaw within days Date: Sun, 17 Mar 2002 14:18:12 -1000 From: Clifton Royston <cliftonr () lava net> To: Michael Zimmermann <zim () vegaa de> Cc: Subscribers of Qpopper <qpopper () lists pensive org>, dustin () acm org and even provided an rpm with the patched program (Kenneth Porter) Mon, 18 Mar 2002 08:50:16 -0800 (PST) Subject: Re: Additional patch - should help 'bulletproofing' From: Kenneth Porter <shiva () well com> To: Subscribers of Qpopper <qpopper () lists pensive org> But as the vendor Qualcomm lacked the manpower to address the problem directly (Qpopper had been given into the open source earlier, and Qualcomm had only one man for the product, I think), the whole community waited for the official release, which came on Fri, Apr 12, 2002 at 05:03:38PM -0700, Randall Gellens wrote: Qpopper 4.0.4 (final) is available at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>. with the following change list: Changes from 4.0.3 to 4.0.4: ---------------------------- 1. Fixed DOS attack seen on some systems. ... These 'some systems' included all linux distros, if I remember correctly -- all back releases up the the newest -- and some other NIXes plus M$-Windoze, Apple, and so on, practically every OS on which Qpopper runs except BSD (due to BSD's different hup-signal handling). And all newer qpopper versions. With the xploit (a one-liner shell-script) I could bring an empty server to it's knees within 10 seconds (allthough the attacking IP would show up in the inetd-logs, because POP3 requires to establish a tcp-ip connection of course). With a handfull of spare rooted servers and some hours I could have made a DOS-party on 15% of all POP-servers of the world (or how many Qpopper installations are there?). Please understand me correctly: I'm not against the withholding of that xploit until the new unofficial patch-version was available on the 18th of March. But the weeks afterwards were just 'politeness' towards Qualcomm. And in these weeks where the public was left unaware of the severity of the bug even a non-programmer could've figured out the xploit by himself (and in fact, that was done by simakin () dtd peterstar com and published on Fri, 22 Mar 2002 11:32:41 +0300 perl -e '{print 'A'x'2049'}' | nc my.pop3.host 110 But we simply kept quiet in public. Not really suppressing the information totally, but playing it down with a smile and the phrase 'only on some systems' or not answering questions about it at all. A concert of silence from 18th of March to 12th of April. I bet my bugtraq postings have not been the only qpopper posts regarding that problem to be delayed and/or rejected during that weeks. Greetings Ka -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9YXVk72vu22ltWBERAusmAJ9yS8XtZRs4YR7Xk2A4AVbguxAeiwCcC7w0 VfnQrbmq1aBoU9qeqzc3eYU= =HQjN -----END PGP SIGNATURE-----
Get your free encrypted email at https://www.hushmail.com
Current thread:
- Ka's msg re: Bugtraq delay/censorship full-disclosure () lists netsys com (Aug 19)
- Ka's msg re: Bugtraq delay/censorship full-disclosure () lists netsys com (Aug 20)
- <Possible follow-ups>
- Ka's msg re: Bugtraq delay/censorship full-disclosure () lists netsys com (Aug 19)
- Re: Ka's msg re: Bugtraq delay/censorship full-disclosure () lists netsys com (Aug 20)