Full Disclosure mailing list archives
Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)
From: n3td3v <xploitable () gmail com>
Date: Tue, 15 Jul 2008 20:48:02 +0100
On Tue, Jul 15, 2008 at 3:28 PM, Rob <spamproof () nospammail net> wrote:
Dan is sworn to secrecy until his talk, so we have to wait till then.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Does he go to jail if he breaks the secrecy, or is this his own little crusade of half-disclosure? Cnet News called him "The man who changed internet security", so does this mean the end of full-disclosure and a new trend of half disclosure? This has got to be a bad precedent he is setting if Cnet News are right and everyone is going to start half-disclosures, and only the rich can afford to buy a ticket to the security conference.
Information should be free to all, not a small circle of people, who could be rogue employees, or eavesdropping could have happened, we don't know; the info could already be in the hands of the bad guys. And how much does it take to appear like a responsible security researcher on the surface while doing evils or doing cash for info behind the scenes? It is dangerous that the info is out there, but not out there if you know what I mean, you just don't know who has the info anymore, what they're doing with it and who hasn't. At least with FULL disclosure you know everyone's got the info and not an elite circle of friends and co-workers, of which some might be rogue or tempted to swap cash for info over a beer in a bar, or at the corporation's cafe.
The sad truth of the matter is, this exploit and how it works will be gossip all over a corporation floor on an open plan cube layout, even though it's not on the mailing lists, a lot of people will know about it, and it just takes one person to be tempted to sell the info or become rogue and start exploiting with it on a spear-target basis of little enemies the rogue may have, that wouldn't be picked up by the internet security vendors' honeypots and sensors. Security info should not be gossip over an office floor for a month, over phone calls, email, IM and at the corporation cafe and after work at the bar, because you don't know who is shoulder surfing you, or you don't know there won't be a rogue employee, cash for info deal or even a hacker managing to intercept the gossip electronically.
We should not be making security info into gossip and rumor mill, just to make a security conference more popular. You think this is giving vendors a gap to patch, but in fact it's a gap for money deals to be done, gossip / exploit info to spread to unknown employees or rogues and other craziness. By the time the day before the talk comes, it's gonna be a mess, more and more behind the scenes people will know and god knows what money deals done and possible rogue exploitation, and it won't be clear to everyone who actually knows and who doesn't know and even hard for Dan Kaminsky to keep track and remember, who knows and who doesn't and whether the info has been mishandled by one or two bad apples.
No, while I see what you were thinking, a gap in disclosure to allow vendors to patch seems like a good safety mechanism on paper, the truth is practically it isn't. The human species is a social, curious and inquisitive animal, there is no way this kind of thing is being kept secret with a select few, and I for one don't trust that everything is being kept hush hush. Yes, it's being kept publicly hush hush on a mailing list level, but lots of things can still be public and known without getting onto a mailing list and the internet, and this is where I see Dan Kaminsky's ideology on disclosure tactic as flawed in reality and unworkable, and it creates a feeling of uncertainty and tension on the security industry, and underworld.
I'm sure the intelligence service intercepted Dan Kaminsky chatter a long time ago and have the exploit code and may be using it for covert operations, or even just normal employees mishandling the information or even some of the trusted ppl exploiting ppl with the code on a low level or selling info for cash in small time deals. This isn't a world I want to live in where the government and employees on certain corporate floors know all about it but the rest of us don't.
So, Dan Kaminsky the man who changed internet security flaw disclosure by setting a new standard in disclosure, or Dan Kaminsky who is setting a new standard in a whole bunch of unknowns when researchers tell a select few people and it's hard to keep track of who knows and who has or hasn't managed to keep it secret. And mailing list secret doesn't mean it's secret, it just means it's not published on the internet! A month is a month too long!
I'm sure all DNS servers are now patched, this is all for sure to make blackhat security conference and Dan Kaminsky more popular, with his security theater that he is currently doing, but in reality we are all left feeling insecure for a whole damn month. Feeling insecure can be worse than actually having your servers insecure, it's just a feeling of insecurity people don't want to have to suffer for a whole damn month, and I for one am sick of it. Security theater, security conference ticket sale agendas and researchers looking for celebrity status while the actual security is taken second shelf.
Who knows who has the exploit info, but we sure don't and I'm not even sure Dan Kaminsky knows who knows anymore. Yes, he knows who he told, but does he know who they told or who may have intercepted the info? I'm sure it's not just the government who knows how to eavesdrop, there could be terrorists, criminals or be in the hands of anybody. And I for one am sick of it if this is the way things are going to be happening around here from now on in the security scene, I just hope Cnet News are hell of wrong that people are going to start copying this Dan Kaminsky jerk and that he has set a new standard in information disclosure, because I think there are too many unknowns in his tactical half disclosure based around a security conference talk date and a ticket sales agenda.
All the best,
n3td3v
http://n3td3v.googlepages.com