Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

dailydave logo Dailydave mailing list archives

Re: Speculation
From: "Thomas Ptacek" <tqbf () matasano com>
Date: Sat, 19 Jul 2008 21:27:00 -0500
I am drunk off my ass at the moment, as today is block party today,
and my ultraliberal neighbor Linda fed me 6 consecutive shots of
tequila. My guests at the party are not drunk, but cannot be
attributed. Find attached their verbatim response to this mail.

---

Here's the problem. I thought about this alot. The people responsible
for the problem should not be singly responsible for making sure the
fix is the appropriate fix. Because, I mean, we gave them our trust.
THEY FAILED. Why should we trust them solely in a non-open approach to
determine the appropriate solution.

By the way, they didn't talk to everyone. There are many production
DNS deployments today that cannot be patched, because the vendor is
not issuing a patch.

--- VP, Internet Security, Global Banking Organization

On 7/19/08, Paul Vixie <vixie () isc org> wrote:

Those of us outside the research community who have to advise management

 > cannot tell our executives "trust Dan."  We have to be able to weigh
 > costs vs benefits, implementation details, and the like.  I'm glad people
 > here and elsewhere have tried to figure this out, since it gives details
 > to guide my recommendations.


would you have preferred that the attack vector be completely published on
 day 1, rather than a cert advisory with details to follow a month later at
 defcon, so that your recommendations could be completely informed?  note
 that in that case it would also go in the wild before you could patch.  is
 that what you want the next discoverer to do for you?

 note, it's not just "trust dan."  dan looped in a powerful group of dns
 folks, each of whom was heard to speak the words "oh, shit!" and we have
 been making the rounds, lending our names to this.


 --

This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.


_______________________________________________
 Dailydave mailing list
 Dailydave () lists immunitysec com
 http://lists.immunitysec.com/mailman/listinfo/dailydave




-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]