full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Media backlash begins

Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

From: <Valdis.Kletnieks_at_nospam>
Date: Tue Aug 05 2008 - 17:08:30 GMT
To: n3td3v <xploitable@gmail.com>


On Tue, 05 Aug 2008 13:58:55 BST, n3td3v said:
> Why did he phone up and get the AT&T servers patched AFTER the
> incident and not BEFORE he released the exploit code to the world?
> Because he is a lamer who didn't think out of the box and didn't think
> about all eventualities BEFORE hand, therefore HD Moore on this
> occasion was a fucking lamer.

Or - maybe he's more clued than you think, and he did an actual risk analysis. Remember - security is *tradeoffs*.

He figures out what the costs would be to move his nameservice to some other site (remembering to include in *all* the incidental costs, such as paying the registrar fee, the dollars/hour it costs for the person on his payroll doing the paperwork, the opportunity cost of what he could *otherw8se* have been doing if he wasn't busy moving the DNS around). He figures out what the costs are if the ATT servers do get poisoned (not *that* much, because he's not doing a hell of a lot of e-commerce), and how long it will take him to get ATT to fix it if it breaks.

Then he adds in the *FREE* publicity of getting quoted in all the trade journals (and remember, there's very little publicity that's bad publicity). Consider if he *had* spent his time moving his DNS instead of writing Metasploit rules - *nothing* would have happened, he'd have gotten *zero* mentions. Instead, he gets *two* mentions - one for releasing the Metasploit stuff, and a second for getting caught when ATT gets pwned.

Add it all up, and he's probably *ahead* if he *doesn't* move his DNS SOA to elsewhere.

> The above paragraph is a flawed statement that I believe is bullshit,

Unfortunately for all clued whitehats out there, it's not bullshit.

Unless you have something so blatantly obvious that they can get their tiny little brains wrapped around it, they're not going to listen.

You say: "Insufficient bounds checking on the frobniz value allows an off-by-one exploit that may lead to unauthorized code execution"

Clued professional: "Wow, that would suck." <gets on phone to vendor for patches>

Unclued professional: "Yeah, whatever" <goes back to whatever they were busy screwing up before you called".

That doesn't scale - there's 140 million .coms, and there aren't 140 million clued professionals out there. Do the math.

On the other hand, if what you say is: "*THWACK*" <sound of large salmon slapping unclued professional upside the head> "This is a wake-up call. If this was an actual emergency, this pop-up would be busy emptying your bank account."

that *might* get their attention. Maybe.

> but one that security researchers use every day to loop hole and law
> and release exploit code and/or hack things.

It's amazing how you've managed to make it to "jaded" without first figuring out how this industry actually works...



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/