Ka's msg re: Bugtraq delay/censorship

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

> Sorry to re-include the entire message, but it
> is germane.
Im glad you did, this is something that concerns all of us regardless of what
end of the sec-spectrum you choose to shine through.
> Ka, your concerns about Bugtraq delaying or
> otherwise holding vulnerability posts are
> well founded. 
indeed, if we look at standard dehumanizing tactics ( and the manufacture of
consent in tandem with seed AI), one can hastily deduce that that we, as a global
community, regardless our viewpoints or moral standards, must form some sort
of agreement-to-disagree model lest we be overtaken by a greater and all-enveloping
darkness.
> Since 9/11, all of the "major" security forums,
> such as Bugtraq, have been co-opted by one or
> more national governments. Also, notice how quickly
> commercial PGP support went "poof!" post 9/11? How
> about Zero-Knowledge's Freedom? No Grassy Knoll
> mysteries here, folks. It's right out in plain
> sight.
once again, you hit proverbial rail spike. Seeems to be the least TRULY talked
about subject online. I think all of us, regardless of our geographical or political
situation can smell the traces of tyranny ( ie ; 1938 germany just prior to
national socialist power was public) We are at the edge of a un-precidented
precipice. Caution is excercised by the correct path ( subtle i-ching-ism.I
add notes for fear "flyster" will accuse me of stealing concepts even after
a 13 page bibliography)
> For instance, when the SNMP/ASN.1 vulnerability went 
> down, people in U.S. security companies that recognized 
> the danger and talked about it were called by one or 
> more agencies and essentially told to STFU about 
> it immediately. And no, none of us found that "uber-sekret
> OUSPG web page" amd got our mitts on PROTOS before we 
> were supposed to know about it...really we didn't!
> *cough cough
and? ( my only criticism) so what? if you talk to these people you invite trouble.
In this world, in it's present incarnation, with its agents of ridiculous lawsuits
involving intellectual property and the egotistical mindset of the "end-user",
you only invite disaster when you inform behemoth corporate interests like semen-tech.
take a look at www.theyrule.net and say hi to sam nunn ( NSA, no, you don't
know me. I am newcomer. you can't scare a man who has nothing to lose. fuck
you and your subtle threats.anyways, back at the ranch...something should, and
will be done. we have freenet. we have ipv6. we have our mtv and elf injection
techniques for the aspiring counterculture artist. but something, regardless
of triviality should be pursued, at all costs, against those who would cause
opposition, do not be fooled by farcical rebellion memes like eminem, genesis
p-orridge, and globalist faggots. Hi scroll and key/skull and BONE. ya-hoo crew
92 sayz f u 2. coming soon tekneeq to make people listen via agent.www
> Of course, that only led to less open discussion, which
> in turn forced CERT to release the information earlier
> than they wanted to. The end result was the same but
> those with a clue knew the boundaries had just
> been radically redrawn. And that it was time to 
> get our arses well outside those newly constructed
> walls...again...
mmm hmmm..., anyways, thanks for presenting opportunity to scream from the roftops
about the splendor of decay.
> There is also a theory that once SecurityFocus
> co-opted Bugtraq, business considerations came first. 
> Read into that what you will. All I know is that 
> I liked the SecurityFocus gang much better when they 
> were that brash Ballista crew. Now it's all about the 
> money. Can you say "Symantec"? I thought you could. ;) 
> All the content we created was sold for $75 million. 
> I don't know about you, but my cut was zilch. We should
> get free copies of NAV for about...oh, the next thousand
> years will do.
The thinking, rational man, knows damn well that FEMA and TIPS are the culprit
here
> Full Disclosure is about the only place left for
> the unfiltered, unfettered truth to get out. Kudos 
> to Len. Brave dude.
not true, only in subversive doublespeak, ( ironic that the man to coin the
ideal of horrific globalist future should also create the begginings of an escape
from the horrors of biometric ID) will our message be propagated
> As for the recent spate of what some call "noise",
> blame iDefense's crass commercialism and "anything
> to generate press releases" pseudo-marketing
> campaign. What a crock. But I bet it looks good
> to the Capitol Hill crowd, eh? Gettin' that 
> "post 9/11 Cyberterror pork" aren't you? Yummy. 
> Sluurrrrp! You and @Steak..sorry, I meant @Snake
> ...errm...long, long way from Black Crawling 
> Systems, whatever you want to call 'em. And who
> was Brian Oblivion in real life, anyway? I've
> always wondered about that...
Bravo!, I am beginning to feel symbiotic sympathies for your plight.
> The "underground", regardless of how it is
> perceived or how it chooses to portray some 
> elements of itself, is alive and kicking - same 
> as it ever was even in the days of L0pht,
> root.org, and folks like Ice9.
10 Q sir!
> But I wonder if the time has come to begin 
> construction of Gibson's "Walled City" (see his 
> novel "Idoru") or Stephenson's "Metaverse" (from 
> his "Snow Crash") and totally unplug from
> the made-for-TV tragedy called "The Taming of 
> the 'Net"...just a thought...
>
> HC
>
> -----
> "Communication is only possible among equals."
>
>
> > -----BEGIN PGP SIGNED MESSAGE----- 
> > Hash: SHA1 
> >
> > Dear Dave, 
> >
> > please let me post this private question to the list, 
> > it's part of the current discussion and the necessity 
> > for open-disclosure. 
> >
> > At Montag, 19. August 2002 22:59 Dave Ahmad wrote: 
> > > > [Ka:]I'm appreciating this list very much, in fact after recognizing 

> > > > that for example bugtraq is withholding critical information 
> > > > often for weeks, I 
> > >
> > > [Dave:] Often for weeks? 
> > > I am very interested in knowing when this has occured. 
> > > Care to cite some occasions? 
> >
> > On the 15th of May Dustin Childers reported a DOS bug 
> > in Qpopper in bugtraq 
> > Date: 15 Mar 2002 01:51:10 -0000 
> > From: Dustin Childers <dustin () acm org> 
> > To: bugtraq () securityfocus com 
> > Subject: Bug in QPopper (All Versions?) 
> >
> > The following discussions among the qpopper developers 
> > centered mainly about the question which OS might 
> > be vulnerable. This discussion was mystified, because 
> > most members of the list did not have the actual exploit 
> > available (a CPU-hog after sending a very long string 
> > AND then disconnecting). Most of them just tested 
> > the long string while keeping the tcp-connection open 
> > and therefore erronously believed their systems 
> > to be 'not vulnerable'. 
> >
> > I send some postings immediatedly to bugtraq, trying 
> > to circumvent the problem -- rather ineffective and 
> > faulty, but nevertheless my postings have been withheld 
> > by the buqtraq editors. At that time questions regarding 
> > that DOS have been seen by me in buqtraq, but no relevant 
> > info made it into the list. Only Dustin Childers himself 
> > put information about the vulnerable OSs on his site, 
> > but buqtraq kept silent and thus fostered the illusion, 
> > that only rare and special OS might be vulnerable. 
> >
> > The Qpopper community (Clifton Royston) created a patch 
> > for that flaw within days 
> >
> > Date: Sun, 17 Mar 2002 14:18:12 -1000 
> > From: Clifton Royston <cliftonr () lava net> 
> > To: Michael Zimmermann <zim () vegaa de> 
> > Cc: Subscribers of Qpopper <qpopper () lists pensive org>, 
> > dustin () acm org 
> >
> > and even provided an rpm with the patched program (Kenneth Porter) 
> >
> > Mon, 18 Mar 2002 08:50:16 -0800 (PST) 
> > Subject: Re: Additional patch - should help 'bulletproofing' 
> > From: Kenneth Porter <shiva () well com> 
> > To: Subscribers of Qpopper <qpopper () lists pensive org> 
> >
> > But as the vendor Qualcomm lacked the manpower to address 
> > the problem directly (Qpopper had been given into the open source 
> > earlier, and Qualcomm had only one man for the product, I think), 
> > the whole community waited for the official release, which came 
> > on Fri, Apr 12, 2002 at 05:03:38PM -0700, 
> > Randall Gellens wrote: 
> > Qpopper 4.0.4 (final) is available at 
> > <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>. 
> >
> > with the following change list: 
> >
> > Changes from 4.0.3 to 4.0.4: 
> > ---------------------------- 
> > 1. Fixed DOS attack seen on some systems. 
> > ... 
> >
> >
> > These 'some systems' included all linux distros, if I 
> > remember correctly -- all back releases up the the 
> > newest -- and some other NIXes plus M$-Windoze, Apple, 
> > and so on, practically every OS on which Qpopper runs 
> > except BSD (due to BSD's different hup-signal handling). 
> > And all newer qpopper versions. 
> >
> > With the xploit (a one-liner shell-script) I could bring 
> > an empty server to it's knees within 10 seconds 
> > (allthough the attacking IP would show up in the inetd-logs, 
> > because POP3 requires to establish a tcp-ip connection 
> > of course). 
> >
> > With a handfull of spare rooted servers and some hours 
> > I could have made a DOS-party on 15% of all POP-servers 
> > of the world (or how many Qpopper installations are there?). 
> >
> >
> > Please understand me correctly: I'm not against the withholding 
> > of that xploit until the new unofficial patch-version was 
> > available on the 18th of March. But the weeks afterwards 
> > were just 'politeness' towards Qualcomm. And in these weeks 
> > where the public was left unaware of the severity of the 
> > bug even a non-programmer could've figured out the xploit 
> > by himself (and in fact, that was done by simakin () dtd peterstar com 
> > and published on Fri, 22 Mar 2002 11:32:41 +0300 
> >
> > perl -e '{print 'A'x'2049'}' | nc my.pop3.host 110 
> >
> >
> > But we simply kept quiet in public. 
> > Not really suppressing the information totally, but playing 
> > it down with a smile and the phrase 'only on some systems' 
> > or not answering questions about it at all. 
> > A concert of silence from 18th of March to 12th of April. 
> > I bet my bugtraq postings have not been the only qpopper 
> > posts regarding that problem to be delayed and/or rejected 
> > during that weeks. 
> >
> >
> > Greetings 
> > Ka 
> > -----BEGIN PGP SIGNATURE----- 
> > Version: GnuPG v1.0.6 (GNU/Linux) 
> > Comment: For info see http://www.gnupg.org 
> >
> > iD8DBQE9YXVk72vu22ltWBERAusmAJ9yS8XtZRs4YR7Xk2A4AVbguxAeiwCcC7w0 
> > VfnQrbmq1aBoU9qeqzc3eYU= 
> > =HQjN 
> > -----END PGP SIGNATURE----- 
>
>
>
>
> Get your free encrypted email at https://www.hushmail.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


This message was sent from http://australia.edu
Check out the new international site at http://australia.edu/international