Re: Media backlash begins against HD Moore and I)ruid

[Valdis.Kletnieks () vt edu]

On Tue, 05 Aug 2008 13:58:55 BST, n3td3v said:
> Why did he phone up and get the AT&T servers patched AFTER the
> incident and not BEFORE he released the exploit code to the world?
> Because he is a lamer who didn't think out of the box and didn't think
> about all eventualities BEFORE hand, therefore HD Moore on this
> occasion was a fucking lamer.

Or - maybe he's more clued than you think, and he did an actual risk analysis.
Remember - security is *tradeoffs*.

He figures out what the costs would be to move his nameservice to some other
site (remembering to include in *all* the incidental costs, such as paying the
registrar fee, the dollars/hour it costs for the person on his payroll doing
the paperwork, the opportunity cost of what he could *otherw8se* have been
doing if he wasn't busy moving the DNS around).  He figures out what the costs
are if the ATT servers do get poisoned (not *that* much, because he's not doing
a hell of a lot of e-commerce), and how long it will take him to get ATT to fix
it if it breaks.

Then he adds in the *FREE* publicity of getting quoted in all the trade
journals (and remember, there's very little publicity that's bad publicity).
Consider if he *had* spent his time moving his DNS instead of writing
Metasploit rules - *nothing* would have happened, he'd have gotten *zero*
mentions. Instead, he gets *two* mentions - one for releasing the Metasploit
stuff, and a second for getting caught when ATT gets pwned.

Add it all up, and he's probably *ahead* if he *doesn't* move his DNS SOA to
elsewhere.

> The above paragraph is a flawed statement that I believe is bullshit,

Unfortunately for all clued whitehats out there, it's not bullshit.

Unless you have something so blatantly obvious that they can get their
tiny little brains wrapped around it, they're not going to listen.

You say: "Insufficient bounds checking on the frobniz value allows an
off-by-one exploit that may lead to unauthorized code execution"

Clued professional: "Wow, that would suck." <gets on phone to vendor for patches>

Unclued professional: "Yeah, whatever" <goes back to whatever they were busy
screwing up before you called".

That doesn't scale - there's 140 million .coms, and there aren't 140 million
clued professionals out there.  Do the math.

On the other hand, if what you say is: "*THWACK*" <sound of large salmon
slapping unclued professional upside the head> "This is a wake-up call.  If
this was an actual emergency, this pop-up would be busy emptying your bank
account."

that *might* get their attention. Maybe.

> but one that security researchers use every day to loop hole and law
> and release exploit code and/or hack things.

It's amazing how you've managed to make it to "jaded" without first figuring
out how this industry actually works...

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/