Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

From: n3td3v <xploitable_at_nospam>
Date: Tue Aug 05 2008 - 12:58:55 GMT
To: full-disclosure@lists.grok.org.uk

On Mon, Aug 4, 2008 at 4:44 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sun, 03 Aug 2008 22:36:09 BST, n3td3v said:
>> He has no excuse for what happened, he is a global international
>> hacker leading the release of the exploit code, it's his entire
>> responsibility to make sure his company is secure, even if the servers
>> that were vulnerable were owned by AT&T.
> And how, *exactly*, is he supposed to fix servers that aren't under his
> administrative control?
> Tell you what - the next time that the company that you get Internet access
> from has an issue, why don't you go ahead and fix it for them, and let us
> know how that all works out, 'kay?

In security you're meant to think out of the box and think about ALL eventualities BEFORE something happens.

Why did he phone up and get the AT&T servers patched AFTER the incident and not BEFORE he released the exploit code to the world? Because he is a lamer who didn't think out of the box and didn't think about all eventualities BEFORE hand, therefore HD Moore on this occasion was a fucking lamer.

It's funny how he managed to get the AT&T servers fixed NOT under his administrative control pretty damn quick AFTER the incident. Which makes us, the security community, believe he could have foreseen the obvious and got the AT&T servers fixed BEFORE the incident happened just as quick as AFTER it if he was as good at security as he makes out to be.

Or are you gonna come out with the usual bullshit like, if HD Moore had phoned up BEFORE the incident, they wouldn't have listened to him or patched anything, so in fact the release of the exploit code is justified and the hack is justified because it leaned on AT&T to patch their infrastructure?

The above paragraph is a flawed statement that I believe is bullshit, but one that security researchers use every day to loophole the law and release exploit code and/or hack things.

Even IBM are starting to wake up that releasing exploit code to make the world safer is fundamentally flawed bullshit to loophole the law to supply the bad guys with tools and/or code and to make a name for themselves, while NOT making the security situation any more stable out there on your web application and network security in the reality of things.

HD Moore shouldn't have released the exploit code, that's the bottom line of things and whoever hacked his crap web site via AT&T shouldn't have done it, but who can HD Moore blame but himself? I suppose it's all AT&T's fault that HD Moore's website got hacked, and not his... I've heard it all now. It's incredible the amount of bullshit you come out with, Valdis, to support your superhero HD Moore, and the release of exploit code to the wild as making web application and network security safer for everyone in the long term.

I'm just glad a big player like IBM is waking up to the fundamental flaw in the excuse that security researchers give for supplying the bad guys with code, to get a name for themselves and that it doesn't make the world safer in reality.

All the best,


