Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Dailydave] Moot choices, a sort of DD media party
From: Rodney Thayer (rodneycanola-jones.com)
Date: Fri Jul 01 2005 - 10:31:47 CDT
Ok, here's a twist. I'm researching The Great IDN Disclosure.
This is yet another tempest in a teapot you've probably never heard of.
My fellow Shmoo, Eric, found some cases where you could construct a
domain name that visually looked like one site (say, www.paypal.com)
when in fact it was some crazy mutated unicode domain name from dotdashistan
What do you do when you find an exploit in a protocol spec? Do you
disclose it to the standards body? Do you tell the vendor? Do you simply
announce it? If you tell the vendor, is it ok for the vendor to choose
to ignore you because they've faithfully implemented the standard and it's
Not Their Problem?
I guess my current allegedly interesting observation about disclosuers is -
if you notify a vendor, and they ignore you or go into denial, then well they've
just told you it's not an exploit and you can publish it whereever you damn
well please. (not that I've ever had Cisco or Microsoft deny I've found bugs,
oh, no, that'd never happen...)
And if you think it's off topic, remember that the more trouble we make with
primitive research tools, the more money we get to spend on copies of Canvas to
do real security testing.
Aleksander P. Czarnowski wrote:
> Actually a bit related - but instead of operating on binary level we
> have a source code analysis approach presented here:
> The whole disclosure debate is similar to the one regarding exploit
> publication etc. and I don't get really get it. The only explanation I
> can see it that fact that 99,99 of people who flood such debates with
> emails are not capable of doing real research or programming but they
> still want to be part of game.
> Just 2 cents
> Aleksander Czarnowski
> AVET INS
>>From: Dave Aitel [mailto:daveimmunitysec.com]
>>Sent: 1 lipca 2005 16:37
>>Subject: [Dailydave] Moot choices, a sort of DD media party
>>Reverse engineering patches making disclosure a moot choice?
>>Robert Lemos, SecurityFocus 2005-07-01
>>When Microsoft released limited information on a critical
>>vulnerability in Internet Explorer last month, reverse
>>engineer Halvar Flake decided to dig deeper....
> My fav line:
> "Many people seem to pour time into the disclosure debate that should be
> spent elsewhere," [Halvar Flake] said. "It's fruitless and boring and
> has been for a few years."
> Dailydave mailing list
> Dailydave mailing list
Dailydave mailing list