Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: You shady bastards.
From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Wed, 06 Jun 2007 11:24:21 -0400

This is clearly a forged electronic mail trolling attempt and 
attempt at assassinating the character of HD. The real HD Moore 
(famous inventor of the Millerpreter and Skapesploit) would not be 
so naive/ignorant in a matter like this.

Grow up list, don't feed the trolls.

J

On Wed, 06 Jun 2007 09:47:12 -0400 H D Moore 
<fdlist () digitaloffense net> wrote:
Hello,

Some friends and I were putting together a contact list for the 
folks 
attending the Defcon conference this year in Las Vegas. My friend 
sent 
out an email, with a large CC list, asking people to respond if 
they 
planned on attending. The email was addressed to quite a few 
people, with 
one of them being David Maynor. Unfortunately, his old SecureWorks 

address was used, not his current address with ErrattaSec. 

Since one of the messages sent to the group contained a URL to our 
phone 
numbers and names, I got paranoid and decided to determine whether 

SecureWorks was still reading email addressed to David Maynor. I 
sent an 
email to David's old SecureWorks address, with a subject line 
promising 
0-day, and a link to a non-public URL on the metasploit.com web 
server 
(via SSL). Twelve hours later, someone from a Comcast cable modem 
in 
Atlanta tried to access the link, and this someone was (confirmed) 
not 
David. SecureWorks is based in Atlanta. All times are CDT.

I sent the following message last night at 7:02pm.

---
From: H D Moore <hdm[at]metasploit.com>
To: David Maynor <dmaynor[at]secureworks.com>
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706051902.11544.hdm[at]metasploit.com>
Status: RO
X-Status: RSC

https://metasploit.com/maynor.tar.gz
---

Approximately 12 hours later, the following request shows up in my 
Apache 
log file. It looks like someone at SecureWorks is reading email 
addressed 
to David and tried to access the link I sent:

71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz 
HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; 
en) 
AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

This address resolves to:
c-71-59-27-152.hsd1.ga.comcast.net

The whois information is just the standard Comcast block 
boilerplate.

---

Is this illegal? I could see reading email addressed to him being 
within 
the bounds of the law, but it seems like trying to download the 
"0day" 
link crosses the line.

Illegal or not, this is still pretty damned shady.

Bastards.

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Click here for free information on consolidating your debt.
http://tagline.hushmail.com/fc/CAaCXv1QPxZtJrSWfizeiMOCW4rzwcnw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]