Domain: wiretrip.net
Stories and comments across the archive that link to wiretrip.net.
Comments · 48
-
IMPORTANT! PLEASE READ!!!
It has come to my attention that on May 12, 2003, Slashdot ran a story in which it solicited questions for one Fyodor, (in)famous author of Open Source hacker tool nmap. I am rarely roused to action anymore, but I could not let what I saw pass. Millions of innocent security hobbyists and computer enthusiasts are being duped by Slashdot into using tools and websites created by Fyodor without knowing all of the facts:
Fyodor is not a heroic "white hat" security expert, but a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!
Please read on and review some of the facts so that you may come to your own conclusions about Fyodor and nmap.
Beginning innocuously enough with this post by one electricmonk, supposedly a "Linux booth babe," several lonely Slashdot geeks were trolled into replying, both on Slashdot itself and privately by email. One of the individuals who replied privately by email was none other than the subject of this exposé, Fyodor, cruising for some hot geek-loving ass. Little did Fyodor know that electricmonk was none other than SumDeusExMachina, AKA SDEM, long-time trolling stalwart. Fyodor had let his hormones get the better of his common sense as he began an attempt to seduce electricmonk.
Not wanting to carry his charade on any further (and understandably so, with an over-excited Fyodor on his tail), SDEM explained politely and truthfully to Fyodor about the non-existent Linux booth babe who was really just a bored young man enrolled in college for the Summer. Fyodor's latest hantise femelle destroyed, he vowed revenge on SDEM no matter the cost. The word wanker echoed in his head as he decided not even the law would stop him in his unholy vengeance. In just over a week, Fyodor had owned SDEM's box and began posting about it in trolltalk.
Luckily, on one unbelievably hot, humid Kansas City day back in August of 2002, Dame Fortune guided my hand to save a copy of trolltalk complete with Fyodor gloating at his criminal victory over SDEM. Scroll down a bit and look for posts by fv and decide for yourself. We even have a statement from one of the two parties involved and a nice summary of events by a very dependable third party who witnessed the entire fiasco. And back in the present, we have several individuals raising questions about Fyodor's morality and legal status.
I now ask you, gentle sirs and madams, would you use a tool written by a known criminal, especially a known criminal who specifically attacks underage boys? Fyodor's endorsement by Slashdot is obviously a betrayal of simple journalistic integrity and ethics, with both the Slashdot staff and Fyodor standing to experience a significant financial windfall from their collaboration. I urge you to reconsider not only your patronage of Slashdot, but also any viewing or use of tools or websites created
-
Re:Responsible disclosure?
You have to give the vendor at least a chance to get the bug fixed.
No, you don't. For all we know, some black-hat hacker may have already found this vulnerability and be actively exploiting it. Now that he's given a heads-up to everyone, people can use the workaround he suggested - access Yahoo mail through the webmail interface rather than the proprietary binary.
I accept that it would be nice if he'd informed the vendor first & given them a week to get a patch out, but researchers are not obliged to do that. (E.g. see RFP policy, for one example of a well-reasoned disclosure policy).
-
Re:A few notes...
Mike Perry did a great public service by making this tool and making it available.
WTF? No he didn't. Pointing out the vulnerability is a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.
Security through obscurity is not security.
Full disclosure is a good thing. Unfortunately, the commercial focus of the Internet allows people to forget.
Not fully disclosing the nature of the vulnerability only minimizes one's ability to completely assess the circumstance.
Using irrelevant and inapplicable metaphors does not further your point.
Although RFP's policy [1] does not particularly address vulnerability assessment methodology, it is what I often like to reference when this comes up.
-
Rain Forest Puppy http://www.wiretrip.net/rfp/policy.html - common sense disclosure policy from August 2000.
Nuff said.
-
Re:All Things Considered...
Full public disclosure of security bugs is generally considered the best way to get rapid fixes, and was the entire reason that places like BugTraq were founded.
Bzzt, thank you for playing. Full public *responsible* disclosure is considered the best way to get rapid fixes.
Rainforest Puppy's RFPolicy v2.0 details the community policy of responsible disclosure. Full immediate disclosure is just as bad for security as no disclosure at all, and mainly the sign of an immature e-peen hunting hacker wannabe. -
Re:um yeah
"...exposing flaws like this does nobody any good."
Well, that's one side of the full disclosure debate. The other side, of course, is that some vendors once had even worse reputations for fixing security vulnerabilities than they currently do. Full disclosure evolved in part as a means of holding their feet to the fire. As far as I can tell, the jury is still out on exactly how effective full disclosure is. It's certain that vulnerabilities that are being actively exploited can still remain unpatched for an obscene length of time.
I think full disclosure can be done in what I regard as a responsible manner. You might want to have a look at Rain Forest Puppy's policy at http://www.wiretrip.net/rfp/policy.html as a starting point. To me, acting in a professional manner means exercising some judgment. You can't demand the impossible, but neither can you allow a vendor to stonewall indefinitely. Much will depend upon severity, whether you know the vulnerability is currently being exploited, whether you have a sense that the issue is being actively worked, etc.
Personally, I draw the line at publicly releasing exploits. I can see how some people might do it, if they've been dealing with some of the very obvious stonewalling tactics that I've encountered. As in, "OK, after three months you still claim it's not an issue? I just released malware 1.0. I'm sure it won't cause you any PR or support problems. Have a nice day." To me, that's at best allowing frustration to overcome professionalism (defined as acting in the best interests of your profession). At worst, professionalism was never a factor, and it's done for notoriety or some other steaming pile of stupid.
But responsible full disclosure most definitely does have its place. If you've never had a problem with Oracle, congratulations. But other people have. And I know of a plethora of problems with other vendors. -
Re:Responsible Disclosure == hiding vulnerabilitie
The compromise that makes the most sense to me is RFPolicy. Put simply, this provides a 5-day contact period, and requires the vendor to keep the reporter notified of the status of the fix. Time to actual disclosure is then based on how cooperative the vendor is being. This (in theory) ensures a fix in a reasonable time frame, from the point of view of the reporter, while suggesting that the disclosure of the vulnerability should be held back as appropriate in order to do a proper fix, and giving good timelines should the vendor not be responsive or cooperative.
-
More exploits are being kept secret now
I've worked and done research in the security field for a while now, and I've definitely noticed a trend in the underground when it comes to exploits. More and more, exploits are being kept private, with exploits and vulnerability information not being publicised for a variety of reasons, some of which this article touches on.
I've had almost no issues reporting vulnerabilities. It's considered good practice to follow a guideline for reporting, such as: http://www.wiretrip.net/rfp/policy.html -
Do you even know what RFPolicy means?
RFPolicy is a solid policy for allowing a vendor to be notified in a timely manner (5 days), let them work with the reporter to get a plan of action together (such as a quick way to notify customers and let them get the fix rolled out) and help the vendor reproduce the bug/verify the fix, before notification of the general populace.
If, at any point, the vendor suddenly decides to play not-nice, the RFPolicy is quite clear -- go ahead and post it to bugtraq or whatever you like. It also states that the vendor should acknowledge the original disclosure. That is, if I found a vulnerability in slashcode, but delayed publication because I was trying to get it fixed in good faith, the Slashcode developers would acknowledge my efforts in their advisory -- even if someone else comes along and posts an advisory after I report it to the team, but before the team has posted an announcement.
Nowhere in the RFPolicy v2.0 does it say anything along the lines of, "Hey, you should silently slip-stream fixes without ever notifying anyone ever " -- which is what this article is about Microsoft doing.
The shit that gets modded up. I swear, we need a "-1 WRONG" tag we can apply to posts. Some kind of clue stick for the mods that don't bother to look up RFPolicy would also be good. -
This has been widely discussed
in the security community for quite some time.
Rain Forest Puppy drafted a formal policy you can peruse here. -
Rain Forest Puppy RFPolicy document
This makes an interesting read
http://wiretrip.net/rfp/policy.html
Well thought document, written with input from big names in the computer security scene. -
Let's go over this
For the most part, credible security researchers follow some variant of this document. Given that:
"1. You should be able to fix this in two days"
No, the document says you need to communicate with the researcher within five days. Microsoft has managed to get responses back to people within twenty four hours -- you can at least talk to people within five times that.
"2. The more notorious I am, the more business I will get"
Frankly, there are absolutely awful security advisories. (That "Monad can be used to write worms" garbage is probably the single most embarrassing announcement in the history of our industry, though Secunia's DHS advisory that somehow implied a vuln in LibTiff was remote-critical was pretty bad too). If it's this bad when people talk, imagine how bad it can be from people who don't even try to have a public presence.
That being said -- burning vendors is good for nobody, and I have no particular sympathy for those who ignore the rules and just try to embarrass people. But let's be honest -- both parties in the equation can embarrass themselves, and the system that's evolved has managed to create the otherwise non-existent cost pressure to solve the problem.
How much money did Oracle make from calling themselves "Unbreakable"? Implies there was a rather significant market desire for what security researchers independently establish.
"3. I should always get credit for vulnerabilities I find"
If you release something you know is bad, and do it anyway because you figure the cost of releasing the product is less than the cost of fixing it -- well, the auto industry has a long and colorful history of doing that, and look at the legislative recall framework that evolved out of that.
Why hasn't similar legislation hit the tech world? Because the community of experts who would normally be calling for it has been otherwise co-opted. Good job, keep it up.
At some point, credit can be for forcing a fault to get fixed, not just for finding the fault. I've been in the large corporate environment -- hell, I've found remote roots in deployed products directly because of Oracle 8's broken TNS listener -- that *someone* in your organization found something is never, ever as compelling a reason to address the fault as someone *outside* the company finding something. Credit is more than just finding the flaw, it's finding it without sufficient internal documentation to know where to look. And the threat -- to be very explicit -- is if someone outside your organization, with no source code, can find the problem, so can a malicious attacker.
Security researchers represent hackers who behave as the malicious might but instead work with a vendor. There are inevitably tweaks necessary to the process -- but the process itself is critical, lest we experience its legislative opposite.
--Dan Kaminsky -
Re:Public disclosure...
RFP has a fairly respected document on public disclosure methods. The idea is basically that public disclosure happens only when there is no vendor response or when vendor response irresponsibly wanes. I agree that immediate public disclosure is not the right approach to take.
http://www.wiretrip.net/rfp/policy.html
-Paul -
Re:All in the mind
So independent researchers uncovering security flaws are now to be held up to a higher burden of proof than the corporate authors of those flaws?
I am holding them both to the same standard. Whichever group did not follow such a reasonable procedure is to blame. I don't know which is to blame, so I blame neither.
Ultimately, you have to believe one or the other.
A more ridiculous statement I've not seen all week. Congratulations!
it's odd to heap skepticism verging on contempt upon the former
I am not verging on contempt for the originator -- unless it is shown he really didn't notify Apple properly, at which point I will have plenty of contempt -- but I do have contempt for those who expect me to believe the originator, sans evidence. Similarly, I will have contempt for Apple if it is shown they were properly notified.
What is odd, to any reasonable person, is to not have skepticism for the claim. There's no evidence whatsoever backing it up: how can I *not* be skeptical of it? -
Re:Pudge, you got it WRONG! More serious than this
What I am referring to is the RFPolicy which does encourage full disclosure, however: "Provided you cooperate with the researcher and keep them 'in the loop', they should provide you with whatever time necessary to resolve the ISSUE." This is what I am referring to: if the issue is disclosed without being resolved, then someone has dropped the ball. Yes, if Apple doesn't "do anything about it," it could be disclosed, but that just means the process has broken down.
-
RFP Labs
Rain.Forrest.Puppy was a great source of inspiration for me.
His hacks on NT ODBC and RDS made him a hero by the script kiddies
His views on hacking and the current scene are well worth the read. -
Re:AUTHOR: FAQs answered
Kudos to you for handling this very responsibly. Despite the attention-grabbing comment by pudge, you followed the policy he linked to quite nicely.
It doesn't seem to me at all unclear "why an exploit was made public before Apple resolved the problem". In fact this seems very clear in what you wrote:
After Apple reneged on the Nov. 3rd release date I gave them 2-3 weeks. After the 2-3 weeks were up, I asked for the status and they said "December". Meanwhile, users are left exposed and independent rediscovery seemed fairly likely.
The wiretrip policy linked above is quite clear on how long to give a vendor ("maintainer") to come up with a fix:
B. The MAINTAINER has 5 work days respond. Note that all times of work days are relative to the ORIGINATOR, not the MAINTAINER. Suggestion to the MAINTAINER: sooner is better than later--just because you have 5 days does not mean you need to take them all. The ORIGINATOR is technically free to do whatever they want to do after 5 work days--however, they should be fair and wait if the MAINTAINER shows adequate initiative to fix the ISSUE.
This is clarified a bit on what it means to "respond" in the FAQ section:
Q. I'm a software maintainer, and I can't possibly fix the problem in 5 days....
A. You don't have to. If you (re)read the above, you have 5 days to establish communication. Provided you cooperate with the researcher and keep them 'in the loop', they should provide you with whatever time necessary to resolve the ISSUE (within fair reason).
Q. I'm a software maintainer, and I want more than 5 days!
A. Well, considering that, in general, you don't have *anything* technically, this document hopes to provide you with at least 5. Be on your best behavior, cooperate with the ORIGINATOR, and you should get more. :)
According to policy, you would have been OK (if somewhat rude) releasing this after 5 work days from initial contact. Extending it through 48 calendar days and several patch cycles seems extraordinarily generous.
I wouldn't feel at all bad about the timeline followed. If anything it shows remarkable restraint. -
disclosure to technical people
I have written and self-tested proof-of-concept exploit code.
This part bothers me, but I am not clear on whether you tested this on your university's live system. If so, you have committed a crime.
If this is the case, I would recommend you turn yourself in, find the university computing services staff member who is responsible for the system, and talk to them in person. Tell them you have found a security problem, and that you have altered data on their system. Specify what data you have changed (i.e. your grades, or whatever).
You are in the role of damage control, if you have made unauthorized access to a system you do not have the authorization to modify. You may have broken the law. If this is the case, cooperate in an attempt to get no charges laid, and get the problem fixed.
If you have not attacked the university's systems, find a technical contact with the software manufacturer, and inform them you believe there are security problems with ___. Do not mention any exploit code in early conversations.
If the company does not respond to you informing them of security flaws, follow the full disclosure policy as outlined by RainForestPuppy's RFPolicy.
Strongly avoid releasing exploit code while there is no fix. That should be a last ditch attempt at forcing them to admit there is a problem. Also give them lots of time to get their fix out, once they do acknowledge there is a problem and want to fix it.
The ethical thing to do is to take responsibility for your own actions, then to help serve the public good by reducing the security risk to all those vulnerable systems by attempting to get a security fix released.
-
I think this is important.
It has come to my attention that on May 12, 2003, Slashdot ran a story in which it solicited questions for one Fyodor, (in)famous author of Open Source hacker tool nmap. I am rarely roused to action anymore, but I could not let what I saw pass. Millions of innocent security hobbyists and computer enthusiasts are being duped by Slashdot into using tools and websites created by Fyodor without knowing all of the facts:
Fyodor is not a heroic "white hat" security expert, but a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!
Please read on and review some of the facts so that you may come to your own conclusions about Fyodor and nmap.
Beginning innocuously enough with this post by one electricmonk, supposedly a "Linux booth babe," several lonely Slashdot geeks were trolled into replying, both on Slashdot itself and privately by email. One of the individuals who replied privately by email was none other than the subject of this expos, Fyodor, cruising for some hot geek-loving ass. Little did Fyodor know that electricmonk was none other than SumDeusExMachina, AKA SDEM, long-time trolling stalwart. Fyodor had let his hormones get the better of his common sense as he began an attempt to seduce electricmonk.
Not wanting to carry his charade on any further (and understandably so, with an over-excited Fyodor on his tail), SDEM explained politely and truthfully to Fyodor about the non-existant Linux booth babe who was really just a bored young man enrolled in college for the Summer. Fyodor's latest hantise femelle destroyed, he vowed revenge on SDEM no matter the cost. The word wanker echoed in his head as he decided not even the law would stop him in his unholy vengeance. In just over a week, Fyodor had owned SDEM's box and began posting about it in trolltalk.
Luckily, on one unbelievably hot, humid Kansas City day back in August of 2002, Dame Fortune guided my hand to save a copy of trolltalk complete with Fyodor gloating at his criminal victory over SDEM. Scroll down a bit and look for posts by fv and decide for yourself. We even have a statement from one of the two parties involved and a nice summary of events by a very dependable third party who witnessed the entire fiasco. And back in the present, we have several individuals raising questions about Fyodor's morality and legal status.
I now ask you, gentle sirs and madams, would you use a tool written by a known criminal, especially a known criminal who specifically attacks underage boys? Fyodor's endorsement by Slashdot is obviously a betrayal of simple journalistic integrity and ethics, with both the Slashdot staff and Fyodor standing to experience a significant financial windfall from their collaboration. I urge you to reconsider not only your patronage of Slashdot, but also any viewing or use of tools
-
URGENT!!! PLEASE READ!!!!
It has come to my attention that on May 12, 2003, Slashdot ran a story in which it solicited questions for one Fyodor, (in)famous author of Open Source hacker tool nmap. I am rarely roused to action anymore, but I could not let what I saw pass. Millions of innocent security hobbyists and computer enthusiasts are being duped by Slashdot into using tools and websites created by Fyodor without knowing all of the facts:
Fyodor is not a heroic "white hat" security expert, but a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!
Please read on and review some of the facts so that you may come to your own conclusions about Fyodor and nmap.
Beginning innocuously enough with this post by one electricmonk, supposedly a "Linux booth babe," several lonely Slashdot geeks were trolled into replying, both on Slashdot itself and privately by email. One of the individuals who replied privately by email was none other than the subject of this expos, Fyodor, cruising for some hot geek-loving ass. Little did Fyodor know that electricmonk was none other than SumDeusExMachina, AKA SDEM, long-time trolling stalwart. Fyodor had let his hormones get the better of his common sense as he began an attempt to seduce electricmonk.
Not wanting to carry his charade on any further (and understandably so, with an over-excited Fyodor on his tail), SDEM explained politely and truthfully to Fyodor about the non-existant Linux booth babe who was really just a bored young man enrolled in college for the Summer. Fyodor's latest hantise femelle destroyed, he vowed revenge on SDEM no matter the cost. The word wanker echoed in his head as he decided not even the law would stop him in his unholy vengeance. In just over a week, Fyodor had owned SDEM's box and began posting about it in trolltalk.
Luckily, on one unbelievably hot, humid Kansas City day back in August of 2002, Dame Fortune guided my hand to save a copy of trolltalk complete with Fyodor gloating at his criminal victory over SDEM. Scroll down a bit and look for posts by fv and decide for yourself. We even have a statement from one of the two parties involved and a nice summary of events by a very dependable third party who witnessed the entire fiasco. And back in the present, we have several individuals raising questions about Fyodor's morality and legal status.
I now ask you, gentle sirs and madams, would you use a tool written by a known criminal, especially a known criminal who specifically attacks underage boys? Fyodor's endorsement by Slashdot is obviously a betrayal of simple journalistic integrity and ethics, with both the Slashdot staff and Fyodor standing to experience a significant financial windfall from their collaboration. I urge you to reconsider not only your patronage of Slashdot, but also any viewing or use of tools o
-
Re:Wellenreiter
It has come to my attention that on May 12, 2003, Slashdot ran a story in which it solicited questions for one Fyodor, (in)famous author of Open Source hacker tool nmap. I am rarely roused to action anymore, but I could not let what I saw pass. Millions of innocent security hobbyists and computer enthusiasts are being duped by Slashdot into using tools and websites created by Fyodor without knowing all of the facts:
Fyodor is not a heroic "white hat" security expert, but a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!
Please read on and review some of the facts so that you may come to your own conclusions about Fyodor and nmap.
Beginning innocuously enough with this post by one electricmonk, supposedly a "Linux booth babe," several lonely Slashdot geeks were trolled into replying, both on Slashdot itself and privately by email. One of the individuals who replied privately by email was none other than the subject of this expos, Fyodor, cruising for some hot geek-loving ass. Little did Fyodor know that electricmonk was none other than SumDeusExMachina, AKA SDEM, long-time trolling stalwart. Fyodor had let his hormones get the better of his common sense as he began an attempt to seduce electricmonk.
Not wanting to carry his charade on any further (and understandably so, with an over-excited Fyodor on his tail), SDEM explained politely and truthfully to Fyodor about the non-existant Linux booth babe who was really just a bored young man enrolled in college for the Summer. Fyodor's latest hantise femelle destroyed, he vowed revenge on SDEM no matter the cost. The word wanker echoed in his head as he decided not even the law would stop him in his unholy vengeance. In just over a week, Fyodor had owned SDEM's box and began posting about it in trolltalk.
Luckily, on one unbelievably hot, humid Kansas City day back in August of 2002, Dame Fortune guided my hand to save a copy of trolltalk complete with Fyodor gloating at his criminal victory over SDEM. Scroll down a bit and look for posts by fv and decide for yourself. We even have a statement from one of the two parties involved and a nice summary of events by a very dependable third party who witnessed the entire fiasco. And back in the present, we have several individuals raising questions about Fyodor's morality and legal status.
I now ask you, gentle sirs and madams, would you use a tool written by a known criminal, especially a known criminal who specifically attacks underage boys? Fyodor's endorsement by Slashdot is obviously a betrayal of simple journalistic integrity and ethics, with both the Slashdot staff and Fyodor standing to experience a significant financial windfall from their collaboration. I urge you to reconsider not only your patronage of Slashdot, but also any viewing or use of too
-
Re:I am surprised ...
It has come to my attention that on May 12, 2003, Slashdot ran a story in which it solicited questions for one Fyodor, (in)famous author of Open Source hacker tool nmap. I am rarely roused to action anymore, but I could not let what I saw pass. Millions of innocent security hobbyists and computer enthusiasts are being duped by Slashdot into using tools and websites created by Fyodor without knowing all of the facts:
Fyodor is not a heroic "white hat" security expert, but a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!
Please read on and review some of the facts so that you may come to your own conclusions about Fyodor and nmap.
Beginning innocuously enough with this post by one electricmonk, supposedly a "Linux booth babe," several lonely Slashdot geeks were trolled into replying, both on Slashdot itself and privately by email. One of the individuals who replied privately by email was none other than the subject of this expos, Fyodor, cruising for some hot geek-loving ass. Little did Fyodor know that electricmonk was none other than SumDeusExMachina, AKA SDEM, long-time trolling stalwart. Fyodor had let his hormones get the better of his common sense as he began an attempt to seduce electricmonk.
Not wanting to carry his charade on any further (and understandably so, with an over-excited Fyodor on his tail), SDEM explained politely and truthfully to Fyodor about the non-existant Linux booth babe who was really just a bored young man enrolled in college for the Summer. Fyodor's latest hantise femelle destroyed, he vowed revenge on SDEM no matter the cost. The word wanker echoed in his head as he decided not even the law would stop him in his unholy vengeance. In just over a week, Fyodor had owned SDEM's box and began posting about it in trolltalk.
Luckily, on one unbelievably hot, humid Kansas City day back in August of 2002, Dame Fortune guided my hand to save a copy of trolltalk complete with Fyodor gloating at his criminal victory over SDEM. Scroll down a bit and look for posts by fv and decide for yourself. We even have a statement from one of the two parties involved and a nice summary of events by a very dependable third party who witnessed the entire fiasco. And back in the present, we have several individuals raising questions about Fyodor's morality and legal status.
I now ask you, gentle sirs and madams, would you use a tool written by a known criminal, especially a known criminal who specifically attacks underage boys? Fyodor's endorsement by Slashdot is obviously a betrayal of simple journalistic integrity and ethics, with both the Slashdot staff and Fyodor standing to experience a significant financial windfall from their collaboration. I urge you to reconsider not only your patronage of Slashdot, but also any viewing or use of too
-
Re:Security tools are awesome, but....
Nikto...demonstrate[s] the growing importance of wireless networks.
Last I checked, Nikto had nothing to do with wireless networks. It's a web server scanner based off Whisker.
-
Before we congratulate ISS
Before you go congratulating ISS on their new security policy, you should read the whole article.
"The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information emerges during development of the advisory."
This means that paying customers of ISS will receive the information 29 days before the rest of the world. This is part of an alarming trend of companies and organizations who are charging money for advanced notice of vulnerability information (e.g. iDEFENSE and even CERT's new Internet Security Alliance). Let's not forget the way things *used* to be. A few years back, the rule was that a small cadre of elite people knew about the vulnerability before the rest of the world. This caused lots of problems, which was one of the reasons for rfp to push for responsible full disclosure in the first place.
The ISS policy represents a regression back to the old way of doing things, except now the cadre of people "in the know" are the ones who can afford to pay ISS for advanced vulnerability information. Presumably the rest of the world has to suffer and get hacked. Support companies and organizations who TRULY practice responsible full disclosure -- don't support companies trying to make a quick buck off this kind of extortion.
-
They needed to
ISS has been complained about and complained about from both sides of the Full Disclosure issue. Full disclosure to Bugtraq is great, but when ISS or certain others release without vendor notification/vendor acknowledgment, it's just dangerous and rude.
I'm personally glad that they aren't held up as the norm in the community. Most people seem to follow some variation of Rain Forest Puppy's RFPolicy concerning vendor contact and reasonable time tables for releasing to the community when faced with unresponsive/uncaring vendors.
Good for X-Force, good for the community for browbeating X-Force.
-
Re:One thing I've noticed:
That was kind of my point. If you send them an e-mail or two and get absolutely nothing back, you can't publish -- therefore, you're subject to their whims.
This provision renders dubious the actual security benefits gained from open examination of the source code, and I'll explain why:
If the corporation is on the top of its game and follows up on each and every report, sending an acknowledgement whether or not they actually decide to fix the flaw, we'll have a situation not unlike GPG or other open source projects. Anyone who agrees to a set of restrictions can examine the code and point out flaws in addition to offering fixes.
On the other hand, if they fail to acknowledge some of the issues being submitted to them, then the situation may actually be worse than not having the source code available at all. People with less-than-pure interests can find the flaws in the program much more easily, however those who actually want to help the community (perhaps making a name for themselves as well in the process) can neither disclose the vulnerability nor offer a patch.
No doubt this policy has been introduced as an attempt to encourage bugfinders to use more community-friendly methods of disclosure. My only problem with it as a potential customer would be that it fails to take into account the possibility that the company could be less than perfect with dealing with bug reports... and thirty days of operating a product of this nature with a known flaw is bad enough. Isn't RFP's policy fair?
-
whisker
"Chapter 17 is a treat. Covers how attackers avoid IDS systems through the use of SSL, and URL encoding (such as Unicode, 2-byte, 3-Byte, and double encoding.) Also covers how to set up an IDS on SSL via reverse proxies."
Ummm... here is a free version of that information. Very thorough, and it is by RFP, the writer of whisker.
-
Rain Forest Puppy
They should check out what RFP has to say over at wire trip. He is pretty savvy when it comes to software security.
-
Re:What Aleph1 has to say...
Don't want to nitpick, in fact, I don't even know if Fyodor released a policy for disclosure, but an often mentioned document is rain forest puppy's full disclosure policy.
-
Re:Irresponsible! ... not!
The disclosure or nondisclosure-discussion has all been done over and over in bugtraq.
over 100 million users of AIM and you say, AOL won't be there during a holiday? What if someone started exploiting that (or a different hole) over the holidays?
Furrfu!
See also the Full Disclosure Policy (RFPolicy) v2.0 which is followed by many bugtraq users. Note that 5 work days would mean that the report would have been made around 2001-12-20, at least in my locale.
A windowsy (humourous) look at the issue of disclosure can be seen here.
-
Re:My problem with this.
Agreed. Read Rain Forest Puppy's policy on the matter.
-
6 days?
George Guninski regularly finds and releases exploits for many different services/os's. Whenever I see his name on Bugtraq, I know it's gonna be a crazy day. According to Rain Forest Puppy's policy, the waiting time is just a _suggestion_, not a law. I'd personally wait, and release the exploit announcement along with a vendor supplied patch (thus being RFP compliant), but that's just me.
- grunby
-
BIND perspective
Though it may be a surprise to many, the security community generally agrees that immediate full disclosure of a discovered vulnerability is normally not the best policy. I cite for one rain forest puppy's Full Disclosure Policy, which has been widely approved and followed (see Bugtraq archives for evidence). RFPolicy recommends a five day minimum before disclosure, even if the software maintainers are unresponsive, a ten day minimum if they at least respond, and arbitrary deferment of disclosure if they cooperate.
What is the purpose of the delay? To minimize the damage done by the vulnerability. Immediate disclosure means everyone's vulnerable until the news spreads, and even then, the only option is to disable the vulnerable program until a satisfactory fix is found (which is costly enough that many people will not disable it). Waiting until a fix is found still leaves people vulnerable while the news spreads, and subsequently while they evaluate the fix (a non-trivial task for critical systems), but it usually results in less overall harm. A logical next step is to inform, in confidence, the users most at risk prior to public disclosure. That, if we give them the benefit of the doubt, is all the ISC intends to do.
There are two problems with this strategy: It offends some people because it is inegalitarian and secretive; and the chance of a leak or independent discovery go up as the number of people in the know increases and time passes. If you hold an extreme version of the first position, you should argue that not even the program maintainers should get advance notice. This is a legitimate stance, but is by no means consensus among security researchers. Otherwise, you must admit that it's a trade-off, not a black-and-white issue.
Consider: Imagine you found a hole in a program you were using. Obviously, you would fix it locally before announcing it. Would you also get a review of your analysis from a trusted expert before disclosing? What if your friend were using it--would you tell him first? What if an organization you admire were at risk? It's a delicate balance.
I'm not defending Vixie's specific policy, I just want to point out it is not prima facie unreasonable.
-
Re:Secret Mailing lists are still evil.
1) you are a religious zealot
2) the world runs off of money. since nobody seems to be interested in doing the work for free, someone will have to be hired and paid to maintain this mailing list.
3) it is common practice to keep vulnerabilities "secret" for a time in order to give the vendor a headstart in fixing the problem (e.g. RFPolicy). this list facilitates that, and presumably will shorten the time between discovery of a security bug in bind and release to the public.
4) write your own OpenBind if you don't like ISC / Paul Vixie. quit yer bitchin.
-
Re:One Word
I know it was a review of system level security/scanners, but here's my one word (for websites)
:)
-
Re:So what does the file do then?
As you can read in the final report from rfp, available here, this .dll is only needed for interaction with Visual InterDev 1.0.
----------
'We have no choice in what we are. Yet what are we,
but the sum of our choices.' --Rob Grant
----------
-
Exploit
Here's an advisory with a perl exploit from rain forest puppy: http://www.wiretrip.net/rfp/p/doc.asp?id=45&iface=2
-
more information
right here. A good write up by rain forest puppy.
Jason
-
Here are the details
UMBRA Advisory
'nuff said?
-
Re:How is a string backwards a backdoor?
Same thought occurred to me. Anything close to a mention of this is the cryptic message on Rain Forest Puppy's web page.