Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)
From: Ureleet <ureleet () gmail com>
Date: Tue, 15 Jul 2008 22:34:02 -0400

most of what u wrote i actually agree with, let me just say a few
things where you need to adjust.

On Tue, Jul 15, 2008 at 3:48 PM, n3td3v <xploitable () gmail com> wrote:
Does he go to jail if he breaks the secrecy, or is this his own little
crusade of half-disclosure?

no, but i am sure he has some kind of contract with all the vendors
involved so that he can't disclose it.


Cnet News called him "The man who changed internet security", so does
this mean the end of full-disclosure and a new trend of half
disclosure?

This has got to be a bad precedence he is setting if cnet news are
right and everyone is going to start half-disclosures, and only the
rich can afford to buy a ticket to the security conference.

Information should be free to all not a small circle of people, who
could be rogue employees or eavesdropping could of happened we don't
know, the info could already be in the hands of the bad guys,

this sounds like ur jealous


And how much does it take to appear like a responsible security
researcher on the surface while doing evils or doing cash for info
behind the scenes?

ppl have to make money somehow, not everything is free u know.


It is dangerous that the info is out there, but not out there if you
know what I mean, you just don't know who has the info anymore, what
they're doing with it and who hasn't.

At least with FULL disclosure you know everyones got the info and not
an elite circle of friends and co-workers, of which some might be
rogue or tempted to swap cash for info over a beer in a bar, or at the
corporations cafe.

The sad truth of the matter is, this exploit and how it works will be
gossip all over a corporation floor on an open plan cube layout, even
though its not on the mailing lists, a lot of people will know about
it, and it just takes one person to be tempted to sell the info or
become rogue and start exploiting with it on a spear-target basis of
little enemies the rogue may have, that wouldn't be picked up by the
internet security vendors honeypots and sensors.

Security info should not be gossip over an office floor for a month,
over phone calls, email, IM and at the corporation cafe and after work
at the bar, because you don't know who is shoulder surfing you, or you
don't know there won't be a rogue employee, cash for info deal or even
a hacker managing to intercept the gossip electronically.

We should not be making security info into gossip and rumor mill, just
to make a security conference more popular.

You think this is giving vendors a gap to patch, but infact its a gap
for money deals to be done, gossip / exploit info to spread to unknown
employees or rogues and other craziness.

we know what u are saying here, but u repeat yourself like 4x.  and i
still dont understand why u r bitching.


By the time the day before the talk comes, its gonna be a mess, more
and more behind the scenes people will know and god knows what money
deals done and possible rogue exploitation, and it won't be clear to
everyone who actually knows and who doesn't know and even hard for Dan
Kaminsky to keep track and remember, who knows and who doesn't and
whether the info has been mis handled by one or two bad apples.

No, while I see what you were thinking, a gap in disclosure to allow
vendors to patch seems like a good saftey mechanism on paper, the
truth is practically it isn't.

seems to be working so far.


The human species is a social, curious and inquisitive animal, there
is no way this kind of thing is being kept secret with a select few,
and I for one don't trust that everything is being kept hush hush.

because u arent in the inside of the circle?

Yes
its being kept publically hush hush on a mailing list level, but lots
of things can still be public and known without getting onto a mailing
list and the internet, and this is where I see Dan Kaminsky's ideology
on disclosure tactic as flawed in reality and unworkable, and it
creates a feeling of uncertainty and tension on the security industry,
and under world.

what, betwen u and dan?


I'm sure the intelligence service intercepted Dan Kaminsky chatter a
long time ago and have the exploit code and may be using it for covert
operations, or even just normal employees mishandling the information
or even some of the trusted ppl exploiting ppl with the code on a low
level or selling info for cash in small time deals.

get ur head out of mi6's ass.


This isn't a world I want to live in where the government and
employees on certain corporate floors know all about it but the rest
of us don't.

too late.  theyve been doing it 4 years.  ur too late.


So, Dan Kaminsky the man who changed internet security flaw disclosure
by setting a new standard in disclosure, or Dan Kaminsky who is
setting a new standard in a whole bunch of unknowns when researchers
tell a select few people and its hard to keep track of who knows and
who has or hasn't managed to keep it secret. And mailing list secret
doesn't mean its secret, it just means its not on the published on the
internet!

what mailing list is it on?


A month, is a month too long! I'm sure all DNS servers are now
patched,

uh, no.

this is all for sure to make blackhat security conference and
Dan Kaminsky more popular,

and whats wrong with that?  its the biggest conference of the year.

with his security theater that he is
currently doing, but in reality we are all left feeling insecure for a
whole damn month. Feeling insecure can be worse than actually having
your servers insecure, its just a feeling of insecurity people don't
want to have to suffer for a whole damn month, and I for one am sick
of it.

sounds like u have slow self estemm

Security theater, security conference ticket sale agendas and
researchers looking for celebrity status while the actual security is
taken second shelf.

Who knows who has the exploit info, but we sure don't and i'm not even
sure Dan Kaminsky knows who knows anymore. Yes he knows who he told,
but does he know who they told or who may have intercepted the info?
I'm sure its not just the government who knows how to eavesdrop, there
could be terrorists, criminals or be in the hands of anybody. And I
for one am sick of it if this is the way things are going to be
happening around here from now on in the security scene, I just hope
Cnet news are hell of wrong that people are going to start copying
this Dan Kaminsky jerk and that he has set a new standard in
information disclosure, because I think there are too many unknowns in
his tactical half disclosure based around a security conference talk
date and a ticket sales agenda.

i wouldnt consider cnet a news organization.  its like a group of
professional bloggers.  always has been.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]