
Full Disclosure mailing list archives

Re: Dan Kaminsky Disclosure Methodology + Super Critical vulnerability disclosure in Windows
From: "eugaaa () gmail com" <eugaaa () gmail com>
Date: Sat, 26 Jul 2008 00:02:16 -0500

Instead of criticizing someone for releasing an exploit (which is a bit like
criticizing a cow for making milk) direct your attention to the fact that
an industry of professional security researchers sat indian style (albeit
with respectable posture) eagerly awaiting the release of this exploit when
they had an advisory almost a month in advance. Sat like this, in the face
of overwhelming, and nearly embarrassing, media-whoring. An advisory was
released to foreshadow the release of a later exploit release. Nothing says
discreet like a banner advertising a bomb. This entire saga has been
revealing.

Ice Breaker:

On Fri, Jul 25, 2008 at 3:38 PM, n3td3v <xploitable () gmail com> wrote:

On Fri, Jul 25, 2008 at 7:37 PM, Fredrick Diggle <fdiggle () gmail com>
wrote:
8. PROFIT!!!!


The security conference (Black hat) will make the most money, out of
ticket sales.

On the matter of the blog entry leak, I always thought that was a
pretend accidental leak and not a real accidental leak. I mean we're
not talking about newbies here, these guys are highly intelligent
folks focused on information security issues, not the type of folks
who genuinely press send on a blog entry by mistake and not know that
the blog data gets cached around the internet within seconds of the
post going live. We shouldn't get into the conspiracy bullshit because
it distracts us from more important stuff, but I was always under the
assumption, that the information leak was done on purpose, and made to
look like an accidental leak.

My focus is away from bashing Dan Kaminsky now about the over hype,
and now focused on HD Moore and his partner I)ruid and the legality of
their exploit code disclosure and their gloating that is now happening
as we speak.

Attacks are starting to be reported on unpatched DNS via Nanog mailing
list and SANS internet storm center blog, and I'm not completely
convinced that HD Moore and I)ruid should be walking away from this
and not being criticized.

In fact, I'm calling for big names in the industry to criticize HD Moore
on the mailing lists, and /or in the media.

What I have noticed is no big names have come out in support of
what HD Moore has done, so that's a good thing.

I praise Cnet News's Robert Vamosi for not writing a single mention of
HD Moore or Metasploit in his recent blog write up of the exploit code
in the wild coverage http://news.cnet.com/8301-1009_3-9998406-83.html,
because to me the whole thing feels criminal, even though it might not
be, there is still a sense of criminality and wrongness in what HD
Moore has done.

Perhaps Nate McFeters can start following Robert Vamosi's lead in not
mentioning HD Moore, I)ruid and the Metasploit framework. It's too
late though because Nate McFeters has been promoting HD Moore and
I)ruid's name and the Metasploit framework all week, so perhaps the
ZDnet Zero-Day blog is a lost cause already of unrepairable damage of
promoting the name of the bad guys who released the exploit code to
the wild in the first place, of which I'm told by Valdis Kletnieks
isn't a criminal offense, but in the eyes of n3td3v and the rest of
the industry bloody well is the wrong precedence to set in info sec in
promoting responsible disclosure or any kind of ethical standard.

Hell people like HD Moore are supposed to be role models for a lot of
people, scratch that, HD Moore is no role model for anything anymore.
:( What have you become HD Moore and who is it you're trying to
impress? Not anyone important, maybe a lot of cyber criminal circles,
but certainly not the people you should be keeping on side on the
mailing list scene or the wider security community and industry.

You're not a hax0r anymore who can just do what he wants and f***
around releasing exploit code anymore, you're looked up to by a lot of
the young generation HDM, so think about that the next time you go
freestyle on going behind the industry's back to bring yourself five
minutes of fame, we all know you can program... you don't need to keep
proving yourself with these ridiculous irresponsible exploit code
disclosures anymore.

I have one question to ask you HD Moore, What the hell are you playing
at???

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
