Re: You shady bastards.

["Joey Mengele" <joey.mengele () hushmail com>]

This is clearly a forged electronic mail trolling attempt and 
attempt at assassinating the character of HD. The real HD Moore 
(famous inventor of the Millerpreter and Skapesploit) would not be 
so naive/ignorant in a matter like this.

Grow up list, don't feed the trolls.

J

On Wed, 06 Jun 2007 09:47:12 -0400 H D Moore 
<fdlist () digitaloffense net> wrote:
> Hello,
>
> Some friends and I were putting together a contact list for the 
> folks 
> attending the Defcon conference this year in Las Vegas. My friend 
> sent 
> out an email, with a large CC list, asking people to respond if 
> they 
> planned on attending. The email was addressed to quite a few 
> people, with 
> one of them being David Maynor. Unfortunately, his old SecureWorks 
>
> address was used, not his current address with ErrattaSec. 
>
> Since one of the messages sent to the group contained a URL to our 
> phone 
> numbers and names, I got paranoid and decided to determine whether 
>
> SecureWorks was still reading email addressed to David Maynor. I 
> sent an 
> email to David's old SecureWorks address, with a subject line 
> promising 
> 0-day, and a link to a non-public URL on the metasploit.com web 
> server 
> (via SSL). Twelve hours later, someone from a Comcast cable modem 
> in 
> Atlanta tried to access the link, and this someone was (confirmed) 
> not 
> David. SecureWorks is based in Atlanta. All times are CDT.
>
> I sent the following message last night at 7:02pm.
>
> ---
> From: H D Moore <hdm[at]metasploit.com>
> To: David Maynor <dmaynor[at]secureworks.com>
> Subject: Zero-day I promised
> Date: Tue, 5 Jun 2007 19:02:11 -0500
> User-Agent: KMail/1.9.3
> MIME-Version: 1.0
> Content-Type: text/plain;
>  charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> Status: RO
> X-Status: RSC
>
> https://metasploit.com/maynor.tar.gz
> ---
>
> Approximately 12 hours later, the following request shows up in my 
> Apache 
> log file. It looks like someone at SecureWorks is reading email 
> addressed 
> to David and tried to access the link I sent:
>
> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz 
> HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; 
> en) 
> AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>
> This address resolves to:
> c-71-59-27-152.hsd1.ga.comcast.net
>
> The whois information is just the standard Comcast block 
> boilerplate.
>
> ---
>
> Is this illegal? I could see reading email addressed to him being 
> within 
> the bounds of the law, but it seems like trying to download the 
> "0day" 
> link crosses the line.
>
> Illegal or not, this is still pretty damned shady.
>
> Bastards.
>
> -HD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Click here for free information on consolidating your debt.
http://tagline.hushmail.com/fc/CAaCXv1QPxZtJrSWfizeiMOCW4rzwcnw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/