Ka's msg re: Bugtraq delay/censorship

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

Sorry to re-include the entire message, but it
is germane.

Ka, your concerns about Bugtraq delaying or
otherwise holding vulnerability posts are
well founded. 

Since 9/11, all of the "major" security forums,
such as Bugtraq, have been co-opted by one or
more national governments. Also, notice how quickly
commercial PGP support went "poof!" post 9/11? How
about Zero-Knowledge's Freedom? No Grassy Knoll
mysteries here, folks. It's right out in plain
sight.

For instance, when the SNMP/ASN.1 vulnerability went 
down, people in U.S. security companies that recognized 
the danger and talked about it were called by one or 
more agencies and essentially told to STFU about 
it immediately. And no, none of us found that "uber-sekret
OUSPG web page" amd got our mitts on PROTOS before we 
were supposed to know about it...really we didn't!
*cough cough*

Of course, that only led to less open discussion, which
in turn forced CERT to release the information earlier
than they wanted to. The end result was the same but
those with a clue knew the boundaries had just
been radically redrawn. And that it was time to 
get our arses well outside those newly constructed
walls...again...

There is also a theory that once SecurityFocus
co-opted Bugtraq, business considerations came first. 
Read into that what you will. All I know is that 
I liked the SecurityFocus gang much better when they 
were that brash Ballista crew. Now it's all about the 
money. Can you say "Symantec"? I thought you could. ;) 
All the content we created was sold for $75 million. 
I don't know about you, but my cut was zilch. We should
get free copies of NAV for about...oh, the next thousand
years will do.

Full Disclosure is about the only place left for
the unfiltered, unfettered truth to get out. Kudos 
to Len. Brave dude.

As for the recent spate of what some call "noise",
blame iDefense's crass commercialism and "anything
to generate press releases" pseudo-marketing
campaign. What a crock. But I bet it looks good
to the Capitol Hill crowd, eh? Gettin' that 
"post 9/11 Cyberterror pork" aren't you? Yummy. 
Sluurrrrp! You and @Steak..sorry, I meant @Snake
...errm...long, long way from Black Crawling 
Systems, whatever you want to call 'em. And who
was Brian Oblivion in real life, anyway? I've
always wondered about that...

The "underground", regardless of how it is
perceived or how it chooses to portray some 
elements of itself, is alive and kicking - same 
as it ever was even in the days of L0pht,
root.org, and folks like Ice9. 

But I wonder if the time has come to begin 
construction of Gibson's "Walled City" (see his 
novel "Idoru") or Stephenson's "Metaverse" (from 
his "Snow Crash") and totally unplug from
the made-for-TV tragedy called "The Taming of 
the 'Net"...just a thought...

HC

-----
"Communication is only possible among equals."


> -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA1 
>
> Dear Dave, 
>
> please let me post this private question to the list, 
> it's part of the current discussion and the necessity 
> for open-disclosure. 
>
> At Montag, 19. August 2002 22:59 Dave Ahmad wrote: 
> > > [Ka:]I'm appreciating this list very much, in fact after recognizing 
> > > that for example bugtraq is withholding critical information 
> > > often for weeks, I 
> >
> > [Dave:] Often for weeks? 
> > I am very interested in knowing when this has occured. 
> > Care to cite some occasions? 
>
> On the 15th of May Dustin Childers reported a DOS bug 
> in Qpopper in bugtraq 
> Date: 15 Mar 2002 01:51:10 -0000 
> From: Dustin Childers <dustin () acm org> 
> To: bugtraq () securityfocus com 
> Subject: Bug in QPopper (All Versions?) 
>
> The following discussions among the qpopper developers 
> centered mainly about the question which OS might 
> be vulnerable. This discussion was mystified, because 
> most members of the list did not have the actual exploit 
> available (a CPU-hog after sending a very long string 
> AND then disconnecting). Most of them just tested 
> the long string while keeping the tcp-connection open 
> and therefore erronously believed their systems 
> to be 'not vulnerable'. 
>
> I send some postings immediatedly to bugtraq, trying 
> to circumvent the problem -- rather ineffective and 
> faulty, but nevertheless my postings have been withheld 
> by the buqtraq editors. At that time questions regarding 
> that DOS have been seen by me in buqtraq, but no relevant 
> info made it into the list. Only Dustin Childers himself 
> put information about the vulnerable OSs on his site, 
> but buqtraq kept silent and thus fostered the illusion, 
> that only rare and special OS might be vulnerable. 
>
> The Qpopper community (Clifton Royston) created a patch 
> for that flaw within days 
>
> Date: Sun, 17 Mar 2002 14:18:12 -1000 
> From: Clifton Royston <cliftonr () lava net> 
> To: Michael Zimmermann <zim () vegaa de> 
> Cc: Subscribers of Qpopper <qpopper () lists pensive org>, 
> dustin () acm org 
>
> and even provided an rpm with the patched program (Kenneth Porter) 
>
> Mon, 18 Mar 2002 08:50:16 -0800 (PST) 
> Subject: Re: Additional patch - should help 'bulletproofing' 
> From: Kenneth Porter <shiva () well com> 
> To: Subscribers of Qpopper <qpopper () lists pensive org> 
>
> But as the vendor Qualcomm lacked the manpower to address 
> the problem directly (Qpopper had been given into the open source 
> earlier, and Qualcomm had only one man for the product, I think), 
> the whole community waited for the official release, which came 
> on Fri, Apr 12, 2002 at 05:03:38PM -0700, 
> Randall Gellens wrote: 
> Qpopper 4.0.4 (final) is available at 
> <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>. 
>
> with the following change list: 
>
> Changes from 4.0.3 to 4.0.4: 
> ---------------------------- 
> 1. Fixed DOS attack seen on some systems. 
> ... 
>
>
> These 'some systems' included all linux distros, if I 
> remember correctly -- all back releases up the the 
> newest -- and some other NIXes plus M$-Windoze, Apple, 
> and so on, practically every OS on which Qpopper runs 
> except BSD (due to BSD's different hup-signal handling). 
> And all newer qpopper versions. 
>
> With the xploit (a one-liner shell-script) I could bring 
> an empty server to it's knees within 10 seconds 
> (allthough the attacking IP would show up in the inetd-logs, 
> because POP3 requires to establish a tcp-ip connection 
> of course). 
>
> With a handfull of spare rooted servers and some hours 
> I could have made a DOS-party on 15% of all POP-servers 
> of the world (or how many Qpopper installations are there?). 
>
>
> Please understand me correctly: I'm not against the withholding 
> of that xploit until the new unofficial patch-version was 
> available on the 18th of March. But the weeks afterwards 
> were just 'politeness' towards Qualcomm. And in these weeks 
> where the public was left unaware of the severity of the 
> bug even a non-programmer could've figured out the xploit 
> by himself (and in fact, that was done by simakin () dtd peterstar com 
> and published on Fri, 22 Mar 2002 11:32:41 +0300 
>
> perl -e '{print 'A'x'2049'}' | nc my.pop3.host 110 
>
>
> But we simply kept quiet in public. 
> Not really suppressing the information totally, but playing 
> it down with a smile and the phrase 'only on some systems' 
> or not answering questions about it at all. 
> A concert of silence from 18th of March to 12th of April. 
> I bet my bugtraq postings have not been the only qpopper 
> posts regarding that problem to be delayed and/or rejected 
> during that weeks. 
>
>
> Greetings 
> Ka 
> -----BEGIN PGP SIGNATURE----- 
> Version: GnuPG v1.0.6 (GNU/Linux) 
> Comment: For info see http://www.gnupg.org 
>
> iD8DBQE9YXVk72vu22ltWBERAusmAJ9yS8XtZRs4YR7Xk2A4AVbguxAeiwCcC7w0 
> VfnQrbmq1aBoU9qeqzc3eYU= 
> =HQjN 
> -----END PGP SIGNATURE----- 




Get your free encrypted email at https://www.hushmail.com