Re: Dan Kaminsky Disclosure Methodology + Super Critical vulnerability disclosure in Windows

["T Biehn" <tbiehn () gmail com>]

I thought Francis E Dec died...

On Sat, Jul 26, 2008 at 7:04 AM, n3td3v <xploitable () gmail com> wrote:
> On Sat, Jul 26, 2008 at 6:02 AM, eugaaa () gmail com <eugaaa () gmail com> wrote:
> > Instead of criticizing someone for releasing an exploit (which is a bit like
> > criticizing a cow for making milk) direct your attention to the fact that
> > and industry of professional security researchers sat indian style (albeit
> > with respectable posture) eagerly awaiting the release of this exploit when
> > they had an advisory almost a month in advance. Sat like this, in the face
> > of overwhelming, and nearly embarrassing, media-whoring. An advisory was
> > released to foreshadow the release of a later exploit release. Nothing says
> > discreet like a banner advertising a bomb. This entire saga has been
> > revealing.
>
> Hi bro,
>
> I just had too high an expectation of HD Moore, I thought he had
> turned good into a responsible and respected security researcher,
> although he still is a gangster in the gangsters paradise. At least
> behind a keyboard :) He will grow up one day and become a role model
> for the younger generation, he's not at that stage yet. One day he
> will be a Bruce Schneier who blogs away about shit, right now HD Moore
> is hell bent on being an exploit code gangster.
>
> We gotta do something bout them exploit code gangsters, they got no
> head about them, they just go free styling and releasing code all over
> the town, they don't care bout shit accept street cred, cash and
> chicks... the cops, they're chasing their tails, but them the exploit
> code gangsters, they always one step ahead of the game, jumping and
> diving hoops and loops through the laws, to get away with the shit
> they do, they are the exploit code gangsters... we gotta do something
> bout those exploit code gangsters, like tighten the grip on the law
> and get them mofo's off our mailing list, raining on peoples parade
> and shit. The F.B.I they ain't impressed, they sit and grin it, they
> can't do nothin' bout those exploit code gangsters, cos they are
> within the law to do their shit, and gain the credibility and gloat
> bout their exploit code crimes, while surfing the law. What we gonna
> do bout those exploit code gangsters? We can't do shit, they're within
> the law to do their shit, we just need to grin and bear it like the
> mother foookin F, B to the mother fuckin' I. The exploit code
> gangsters, they get away with it, cause they are the exploit code
> gangsters, they know that, we know that, who doesn't know that?
>
> All the best,
>
> n3td3v
>
> > Ice Breaker:
> >
> > On Fri, Jul 25, 2008 at 3:38 PM, n3td3v <xploitable () gmail com> wrote:
> > > On Fri, Jul 25, 2008 at 7:37 PM, Fredrick Diggle <fdiggle () gmail com>
> > > wrote:
> > > > 8. PROFIT!!!!
> > >
> > > The security conference (Black hat) will make the most money, out of
> > > ticket sales.
> > >
> > > On the matter of the blog entry leak, I always thought that was a
> > > pretend accidental leak and not a real accidental leak. I mean we're
> > > not talking about newbies here, these guys are highly intelligent
> > > folks focused on information security issues, not the type of folks
> > > who genuinely press send on a blog entry by mistake and not know that
> > > the blog data gets cached around the internet within seconds of the
> > > post going live. We shouldn't get into the conspiracy bullshit because
> > > it distracts us from more important stuff, but I was always under the
> > > assumption, that the information leak was done on purpose, and made to
> > > look like an accidental leak.
> > >
> > > My focus is away from bashing Dan Kaminsky now about the over hype,
> > > and now focused on HD Moore and his partner I)ruid and the legality of
> > > their exploit code disclosure and their gloating that is now happening
> > > as we speak.
> > >
> > > Attacks are starting to be reported on unpatched DNS via Nanog mailing
> > > list and SANS internet storm center blog, and im not completely
> > > convinced that HD Moore and I)ruid should be walking away from this
> > > and not being criticized.
> > >
> > > Infact, im calling for big names in the industry to criticize HD Moore
> > > on the mailing lists, and /or in the media.
> > >
> > > What I have noticed in is no big names have come out in support of
> > > what HD Moore has done, so thats a good thing.
> > >
> > > I praise Cnet News's Robert Vamosi for not writing a single mention of
> > > HD Moore or Metasploit in his recent blog write up of the exploit code
> > > in the wild coverage http://news.cnet.com/8301-1009_3-9998406-83.html,
> > > because to me the whole thing feels criminal, even though it might not
> > > be, there is still a sense of criminality and wrongness in what HD
> > > Moore has done.
> > >
> > > Perhaps Nate McFeters can start following Robert Vamosi's lead in not
> > > mentioning HD Moore, I)ruid and the Metasploit frame work. Its too
> > > late though because Nate McFeters has been promoting HD Moore and
> > > I)ruid's name and the Metasploit frame work all week, so perhaps the
> > > ZDnet Zero-Day blog is a lost cause already of unrepairable damage of
> > > promoting the name of the bad guys who released the exploit code to
> > > the wild in the first place, of which im told by Valdis Kletnieks
> > > isn't a criminal offense, but in the eyes of n3td3v and the rest of
> > > the industry bloody well is the wrong precedence to set in info sec in
> > > promoting responsible disclosure or any kind of ethical standard.
> > >
> > > Hell people like HD Moore are supposed to be role models for a lot of
> > > people, scratch that, HD Moore is no role model for anything anymore.
> > > :( What have you become HD Moore and who is it you're trying to
> > > impress? Not anyone important, maybe a lot of cyber criminal circles,
> > > but certainly not the people you should be keeping on side on the
> > > mailing list scene or the wider security community and industry.
> > >
> > > You're not a hax0r anymore who can just do what he wants and f***
> > > around releasing exploit code anymore, you're looked up to by a lot of
> > > the young generation HDM, so think about that the next time you go
> > > freestyle on going behind the industry's back to bring yourself five
> > > minutes of fame, we all know you can program... you don't need to keep
> > > proving yourself with these ridiculous irresponsible exploit code
> > > disclosures anymore.
> > >
> > > I have one question to ask you HD Moore, What the hell are you playing
> > > at???
> > >
> > > All the best,
> > >
> > > n3td3v
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/