Full Disclosure mailing list archives
Re: Dan Kaminsky Disclosure Methodology + Super Critical vulnerability disclosure in Windows
From: "T Biehn" <tbiehn () gmail com>
Date: Sun, 27 Jul 2008 21:55:15 -0400
I thought Francis E Dec died...

On Sat, Jul 26, 2008 at 7:04 AM, n3td3v <xploitable () gmail com> wrote:

> On Sat, Jul 26, 2008 at 6:02 AM, eugaaa () gmail com <eugaaa () gmail com> wrote:
>
>> Instead of criticizing someone for releasing an exploit (which is a bit like criticizing a cow for making milk) direct your attention to the fact that an industry of professional security researchers sat indian style (albeit with respectable posture) eagerly awaiting the release of this exploit when they had an advisory almost a month in advance. Sat like this, in the face of overwhelming, and nearly embarrassing, media-whoring. An advisory was released to foreshadow the release of a later exploit release. Nothing says discreet like a banner advertising a bomb. This entire saga has been revealing.
>
> Hi bro, I just had too high an expectation of HD Moore, I thought he had turned good into a responsible and respected security researcher, although he still is a gangster in the gangsters' paradise. At least behind a keyboard :) He will grow up one day and become a role model for the younger generation, he's not at that stage yet. One day he will be a Bruce Schneier who blogs away about shit, right now HD Moore is hell bent on being an exploit code gangster. We gotta do something bout them exploit code gangsters, they got no head about them, they just go free styling and releasing code all over the town, they don't care bout shit except street cred, cash and chicks... the cops, they're chasing their tails, but them the exploit code gangsters, they always one step ahead of the game, jumping and diving hoops and loops through the laws, to get away with the shit they do, they are the exploit code gangsters... we gotta do something bout those exploit code gangsters, like tighten the grip on the law and get them mofo's off our mailing list, raining on people's parade and shit.
>
> The F.B.I they ain't impressed, they sit and grin it, they can't do nothin' bout those exploit code gangsters, cos they are within the law to do their shit, and gain the credibility and gloat bout their exploit code crimes, while surfing the law. What we gonna do bout those exploit code gangsters? We can't do shit, they're within the law to do their shit, we just need to grin and bear it like the mother foookin F, B to the mother fuckin' I. The exploit code gangsters, they get away with it, cause they are the exploit code gangsters, they know that, we know that, who doesn't know that?
>
> All the best,
> n3td3v
>
> Ice Breaker:
>
> On Fri, Jul 25, 2008 at 3:38 PM, n3td3v <xploitable () gmail com> wrote:
>
>> On Fri, Jul 25, 2008 at 7:37 PM, Fredrick Diggle <fdiggle () gmail com> wrote:
>>
>>> 8. PROFIT!!!!
>>
>> The security conference (Black hat) will make the most money, out of ticket sales.
>>
>> On the matter of the blog entry leak, I always thought that was a pretend accidental leak and not a real accidental leak. I mean we're not talking about newbies here, these guys are highly intelligent folks focused on information security issues, not the type of folks who genuinely press send on a blog entry by mistake and not know that the blog data gets cached around the internet within seconds of the post going live. We shouldn't get into the conspiracy bullshit because it distracts us from more important stuff, but I was always under the assumption that the information leak was done on purpose, and made to look like an accidental leak. My focus is away from bashing Dan Kaminsky now about the over hype, and now focused on HD Moore and his partner I)ruid and the legality of their exploit code disclosure and their gloating that is now happening as we speak. Attacks are starting to be reported on unpatched DNS via Nanog mailing list and SANS internet storm center blog, and I'm not completely convinced that HD Moore and I)ruid should be walking away from this and not being criticized.
>>
>> In fact, I'm calling for big names in the industry to criticize HD Moore on the mailing lists, and/or in the media. What I have noticed is no big names have come out in support of what HD Moore has done, so that's a good thing. I praise Cnet News's Robert Vamosi for not writing a single mention of HD Moore or Metasploit in his recent blog write up of the exploit code in the wild coverage http://news.cnet.com/8301-1009_3-9998406-83.html, because to me the whole thing feels criminal, even though it might not be, there is still a sense of criminality and wrongness in what HD Moore has done. Perhaps Nate McFeters can start following Robert Vamosi's lead in not mentioning HD Moore, I)ruid and the Metasploit framework. It's too late though because Nate McFeters has been promoting HD Moore and I)ruid's name and the Metasploit framework all week, so perhaps the ZDnet Zero-Day blog is a lost cause already of unrepairable damage of promoting the name of the bad guys who released the exploit code to the wild in the first place, of which I'm told by Valdis Kletnieks isn't a criminal offense, but in the eyes of n3td3v and the rest of the industry bloody well is the wrong precedence to set in info sec in promoting responsible disclosure or any kind of ethical standard. Hell, people like HD Moore are supposed to be role models for a lot of people, scratch that, HD Moore is no role model for anything anymore. :( What have you become HD Moore and who is it you're trying to impress? Not anyone important, maybe a lot of cyber criminal circles, but certainly not the people you should be keeping on side on the mailing list scene or the wider security community and industry.
>>
>> You're not a hax0r anymore who can just do what he wants and f*** around releasing exploit code anymore, you're looked up to by a lot of the young generation HDM, so think about that the next time you go freestyle on going behind the industry's back to bring yourself five minutes of fame, we all know you can program... you don't need to keep proving yourself with these ridiculous irresponsible exploit code disclosures anymore. I have one question to ask you HD Moore, What the hell are you playing at???
>>
>> All the best,
>> n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/