Full Disclosure mailing list archives
Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)
From: Ureleet <ureleet () gmail com>
Date: Tue, 15 Jul 2008 22:34:02 -0400
most of what u wrote i actually agree with, let me just say a few things where you need to adjust. On Tue, Jul 15, 2008 at 3:48 PM, n3td3v <xploitable () gmail com> wrote:
Does he go to jail if he breaks the secrecy, or is this his own little crusade of half-disclosure?
no, but i am sure he has some kind of contract with all the vendors involved so that he can't disclose it.
Cnet News called him "The man who changed internet security", so does this mean the end of full-disclosure and a new trend of half disclosure? This has got to be a bad precedence he is setting if cnet news are right and everyone is going to start half-disclosures, and only the rich can afford to buy a ticket to the security conference. Information should be free to all not a small circle of people, who could be rogue employees or eavesdropping could of happened we don't know, the info could already be in the hands of the bad guys,
this sounds like ur jealous
And how much does it take to appear like a responsible security researcher on the surface while doing evils or doing cash for info behind the scenes?
ppl have to make money somehow, not everything is free u know.
It is dangerous that the info is out there, but not out there if you know what I mean, you just don't know who has the info anymore, what they're doing with it and who hasn't. At least with FULL disclosure you know everyones got the info and not an elite circle of friends and co-workers, of which some might be rogue or tempted to swap cash for info over a beer in a bar, or at the corporations cafe. The sad truth of the matter is, this exploit and how it works will be gossip all over a corporation floor on an open plan cube layout, even though its not on the mailing lists, a lot of people will know about it, and it just takes one person to be tempted to sell the info or become rogue and start exploiting with it on a spear-target basis of little enemies the rogue may have, that wouldn't be picked up by the internet security vendors honeypots and sensors. Security info should not be gossip over an office floor for a month, over phone calls, email, IM and at the corporation cafe and after work at the bar, because you don't know who is shoulder surfing you, or you don't know there won't be a rogue employee, cash for info deal or even a hacker managing to intercept the gossip electronically. We should not be making security info into gossip and rumor mill, just to make a security conference more popular. You think this is giving vendors a gap to patch, but infact its a gap for money deals to be done, gossip / exploit info to spread to unknown employees or rogues and other craziness.
we know what u are saying here, but u repeat yourself like 4x. and i still dont understand why u r bitching.
By the time the day before the talk comes, its gonna be a mess, more and more behind the scenes people will know and god knows what money deals done and possible rogue exploitation, and it won't be clear to everyone who actually knows and who doesn't know and even hard for Dan Kaminsky to keep track and remember, who knows and who doesn't and whether the info has been mis handled by one or two bad apples. No, while I see what you were thinking, a gap in disclosure to allow vendors to patch seems like a good saftey mechanism on paper, the truth is practically it isn't.
seems to be working so far.
The human species is a social, curious and inquisitive animal, there is no way this kind of thing is being kept secret with a select few, and I for one don't trust that everything is being kept hush hush.
because u arent in the inside of the circle?
Yes its being kept publically hush hush on a mailing list level, but lots of things can still be public and known without getting onto a mailing list and the internet, and this is where I see Dan Kaminsky's ideology on disclosure tactic as flawed in reality and unworkable, and it creates a feeling of uncertainty and tension on the security industry, and under world.
what, betwen u and dan?
I'm sure the intelligence service intercepted Dan Kaminsky chatter a long time ago and have the exploit code and may be using it for covert operations, or even just normal employees mishandling the information or even some of the trusted ppl exploiting ppl with the code on a low level or selling info for cash in small time deals.
get ur head out of mi6's ass.
This isn't a world I want to live in where the government and employees on certain corporate floors know all about it but the rest of us don't.
too late. theyve been doing it 4 years. ur too late.
So, Dan Kaminsky the man who changed internet security flaw disclosure by setting a new standard in disclosure, or Dan Kaminsky who is setting a new standard in a whole bunch of unknowns when researchers tell a select few people and its hard to keep track of who knows and who has or hasn't managed to keep it secret. And mailing list secret doesn't mean its secret, it just means its not on the published on the internet!
what mailing list is it on?
A month, is a month too long! I'm sure all DNS servers are now patched,
uh, no.
this is all for sure to make blackhat security conference and Dan Kaminsky more popular,
and whats wrong with that? its the biggest conference of the year.
with his security theater that he is currently doing, but in reality we are all left feeling insecure for a whole damn month. Feeling insecure can be worse than actually having your servers insecure, its just a feeling of insecurity people don't want to have to suffer for a whole damn month, and I for one am sick of it.
sounds like u have slow self estemm
Security theater, security conference ticket sale agendas and researchers looking for celebrity status while the actual security is taken second shelf. Who knows who has the exploit info, but we sure don't and i'm not even sure Dan Kaminsky knows who knows anymore. Yes he knows who he told, but does he know who they told or who may have intercepted the info? I'm sure its not just the government who knows how to eavesdrop, there could be terrorists, criminals or be in the hands of anybody. And I for one am sick of it if this is the way things are going to be happening around here from now on in the security scene, I just hope Cnet news are hell of wrong that people are going to start copying this Dan Kaminsky jerk and that he has set a new standard in information disclosure, because I think there are too many unknowns in his tactical half disclosure based around a security conference talk date and a ticket sales agenda.
i wouldnt consider cnet a news organization. its like a group of professional bloggers. always has been. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion), (continued)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Valdis . Kletnieks (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Robert Holgstad (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Nick FitzGerald (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Rob (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Ureleet (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) n3td3v (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mike Owen (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Ureleet (Jul 15)