Dan Kaminsky

LAS VEGAS — Two noted security professionals were targeted this week
by hackers who broke into their web pages, stole personal data and
posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were
targeted because of their high profiles, and because the intruders
consider the two notables to be posers who hype themselves and do
little to increase security, according to a note the hackers posted in
a file left on Kaminsky’s site.

The files taken from Kaminsky’s server included private e-mails
between Kaminsky and other security researchers, highly personal chat
logs, and a list of files he has purportedly downloaded that pertain
to dating and other topics.

The hacks also targeted other security professionals, and were
apparently timed to coincide with the Black Hat and DefCon security
conference in Las Vegas this week, where Kaminsky is unveiling new
research on digital certificates and hash collisions.

The hackers criticized Mitnick and Kaminsky for using insecure
blogging and hosting services to publish their sites, that allowed the
hackers to gain easy access to their data.

http://www.wired.com/threatlevel/2009/07/kaminsky-hacked/

http://www.leetupload.com/zf05.txt

From: Scott Weeks <surfer@mauigateway.com>
Subject: Re: Fwd: Dan Kaminsky
To: "andrew.wallace" <andrew.wallace@rocketmail.com>
Date: Wednesday, July 29, 2009, 10:10 PM

--- andrew.wallace@rocketmail.com wrote:

http://www.leetupload.com/zf05.txt
------------------------------------------

This one is off line:

Site Temporarily Unavailable
We apologize for the inconvenience. Please contact the
webmaster/ tech support immediately to have them rectify
this.

error id: "bad_httpd_conf"

scott

Dan Kaminsky mirrors:

http://r00tsecurity.org/files/zf05.txt

http://antilimit.net/zf05.txt

Much thanks,

Andrew

LAS VEGAS — Two noted security professionals were targeted this week
by hackers who broke into their web pages, stole personal data and
posted it online on the eve of the Black Hat security conference.

boooooring.

randy

Randy Bush wrote:

LAS VEGAS — Two noted security professionals were targeted this week
by hackers who broke into their web pages, stole personal data and
posted it online on the eve of the Black Hat security conference.
    
boooooring.

randy

Two noted security professionals, and Kevin Mitnick, whom no one gives a
damn about, were targeted...

FTFY

Andrew D Kirch

LAS VEGAS — Two noted security professionals were targeted this week
by hackers who broke into their web pages, stole personal data and
posted it online on the eve of the Black Hat security conference.

boooooring.

Two noted security professionals, and Kevin Mitnick, whom no one gives a
damn about, were targeted...

Ettore Bugatti, maker of the finest cars of his day, was once asked why
his cars had less than perfect brakes. He replied something like, "Any
fool can make a car stop. It takes a genius to make a car go."

so i am not particularly impressed by news of children making a car
stop.

randy

*yawn*. kiddies whack low-value sites, death of Internet predicted. Film at 11.

What Mitnick and Kaminsky realize, and most NANOGers hopefully do
too, is that security comes with costs, and a cost-benefit analysis is in
order. Mitnick came out and *said* that he knew the site was insecure, but
since no sensitive data was on there, it didn't matter. Presumably the
site's monthly cost, convenience, user-interface, and so on, outweigh the
effort of occasionally having to recover after some idiot whizzes all over
the site.

Now, if they had managed to whack a site that Mitnick and Kaminsky *cared*
about, it would be a different story...

at the risk of adding to the metadiscussion. what does any of this have to do with nanog?
(sorry I'm kinda irritable about character slander being spammed out unnecessarily to unrelated public lists lately ;P )

At the risk of adding to the metadiscussion, I've never seen anyone die
from having a car that accelerated too slowly. Unfortunately I think
encouraging Randy to drive cars with bad brakes would be against the
NANOG charter. :)

Remembering those ancient days, it always seemed to me that was Mitnick's
usual series of excuses (as in: he was a scapegoat, nobody was physically
hurt, their cleanup cost estimates were inflated, et cetera ad nauseam).
This just seems like more of the same.

I'm not a big fan of throw them in prison and throw away the key, but the
fact that his prison sentences (plural) and restitution were so lenient is
certainly a factor in the difficulty of convincing LE to take investigation
and prosecution seriously.

Security consultants that don't practice secure computing on their own
sites aren't much more than flacks for hire.

http://antilimit.net/zf05.txt

Anyway, most of the reading was pretty boring and badly formatted, but it
still put a bit of a knot in my intestines....

Are we paying enough attention to securing our systems?

What does this have to do with Nanog, the guy found a critical
security bug on DNS last year.

There is no slander here, I put his name in the subject header so to
draw attention to the relevance of posting it to Nanog.

I copy & pasted a news article caption, which also doesn't slander Dan
Kaminsky but reports on the actions of other people true to the facts.

Any further slander allegations, please point them at Wired's legal team.

Andrew

I don't see a video attached or an audio recording. Thus no slander.

Libel on the other hand is a different matter.

William Allen Simpson <william.allen.simpson@gmail.com> writes:

Are we paying enough attention to securing our systems?

almost certainly not. skimming RFC 2196 again just now i find three things.

  1. it's out of date and needs a refresh -- yo barb!
  2. i'm not doing about half of what it recommends
  3. my users complain bitterly about the other half

in terms of cost:benefit, it's more and more the case that outsourcing looks
cheaper than doing the job correctly in-house. not because outsourcing *is*
more secure but because it gives the user somebody to sue rather than fire,
where a lawsuit could recover some losses and firing someone usually won't.

digital security is getting a lot of investor attention right now. i wonder
if this will ever consolidate or if pandora's box is just broken for all time.

Paul Vixie wrote:

digital security is getting a lot of investor attention right now. i wonder
if this will ever consolidate or if pandora's box is just broken for all time.
  
It'll consolidate to the point where probabilities and probably costs
can be accurately assessed, at which point it can be insured, and that's
where it'll level off.

You have those backwards. Slander is transitory (i.e. spoken)
defamation, libel is written/recorded/etc non-transitory defamation.
This seems like a group that could benefit from knowing those two words.
:)

Read my post one more time... The standards you described are what I described. No video, no audio = no speech = no slander. The article was written, hence libel.

Hi,

Read my post one more time and think though: Only "zf0" are legally in the shit.

The guy "Dragos Ruiu" has absolutely no case against me.

Copy & paste doesn't count as defamation, speak to Wired's legal team
if you have an issue.

Cheers,

Andrew

andrew.wallace wrote:

  

at the risk of adding to the metadiscussion. what does any of this have to
do with nanog?
(sorry I'm kinda irritable about character slander being spammed out
unnecessarily to unrelated public lists lately ;P )

What does this have to do with Nanog, the guy found a critical
security bug on DNS last year.
  

He didn't find it. He only publicized it. The guy who wrote djbdns found it years ago. Powerdns was patched for the flaw a year and a half before Kaminsky published his article.

http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability

"However - the parties involved aren't to be lauded for their current fix. Far from it. It has been known since 1999 that all nameserver implementations were vulnerable for issues like the one we are facing now. In 1999, Dan J. Bernstein <http://cr.yp.to/djb.html> released his nameserver (djbdns <http://cr.yp.to/djbdns.html>), which already contained the countermeasures being rushed into service now. Let me repeat this. Wise people already saw this one coming 9 years ago, and had a fix in place."

--Curtis

> What does this have to do with Nanog, the guy found a critical
> security bug on DNS last year.
>
He didn't find it. He only publicized it. the guy who wrote djbdns
found it years ago. Powerdns was patched for the flaw a year and a half
before Kaminsky published his article.

Yeah, and Robert Morris Sr wrote about a mostly-theoretical issue with TCP
sequence numbers back in 1985. Then a decade later, some dude named Mitnick
whacked the workstation of this whitehat Shimomura, and the industry
collectively went "Oh ****, it isn't just theoretical" and Steve Bellovin got
to write RFC1948.

(Mitnick was the first *well known* attack using it that I know of - anybody
got a citation for an earlier usage, either well-known or 0-day?)

"Wise people already saw this one coming 9 years ago, and had a fix in place."

Yes, but a wise man without a PR agent doesn't do the *rest* of the community
much good. A Morris or Bernstein may *see* the problem a decade before, but
it may take a Mitnick or Kaminsky to make the *rest* of us able to see it...

Same thing to get the industry to scramble to get rid of MD5 in SSL-certs, known for a long time, when it was shown to be practical it didn't take that long to get rid of.

People want proof, not theory.

Curtis Maurand <cmaurand@xyonet.com> writes:

What does this have to do with Nanog, the guy found a critical
security bug on DNS last year.

He didn't find it. He only publicized it. the guy who wrote djbdns found
it years ago.

first blood on both the DNS TXID attack, and on what we now call the
Kashpureff attack, goes to chris schuba who published in 1993:

http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf

i didn't pay any special heed to it since there was no way to get enough
bites at the apple due to negative caching. when i saw djb's announcement
(i think in 1999 or 2000, so, seven years after schuba's paper came out) i
said, geez, that's a lot of code complexity and kernel overhead for a
problem that can occur at most once per DNS TTL. and sure enough when we
did finally put source port randomization into BIND it crashed a bunch of
kernels and firewalls and NATs, and is still paying painful dividends for
large ISPs who are now forced to implement it.

why forced? what was it about kaminsky's announcement that changed this
from a once-per-TTL problem that didn't deserve this complex/costly solution
into a once-per-packet problem that made the world sit up and care? if you
don't know the answer off the top of your head, then maybe do some reading
or ask somebody privately, rather than continuing to announce in public that
bernstein's problem statement was the same as kaminsky's problem statement.
and, always give credit to chris schuba, who got there first.

Powerdns was patched for the flaw a year and a half before
Kaminsky published his article.

nevertheless bert was told about the problem and was given a lengthy window
in which to test or improve his solutions for it. and i think openbsd may
have had source port randomization first, since they do it in their kernel
when you try to bind(2) to port 0. most kernels are still very predictable
when they're assigning a UDP port to an outbound socket.
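
The closing remark above, that many kernels hand out predictable UDP ports on bind(2) to port 0, can be checked on a resolver host. The following is an added example, not part of the original thread: it samples the ports the local kernel assigns and estimates how many bits an off-path spoofer must guess per forged reply. The function names and thresholds are assumptions chosen for illustration.

```python
import math
import socket
import statistics

def sample_ephemeral_ports(n=64):
    """Ask the kernel for n UDP source ports by binding to port 0."""
    ports = []
    for _ in range(n):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", 0))  # port 0 = let the kernel choose
            ports.append(s.getsockname()[1])
    return ports

def assess_ports(ports, max_step=8, narrow_stdev=300.0):
    """Classify a port sequence. Thresholds are illustrative assumptions.

    'scattered' only means no obvious pattern was seen in this sample;
    it does not prove the allocator is cryptographically unpredictable.
    """
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    if len(set(ports)) == 1:
        return "fixed"            # every query leaves from the same port
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    if small / len(deltas) >= 0.9:
        return "sequential"       # next port is guessable from the last
    if statistics.pstdev(ports) < narrow_stdev:
        return "narrow"           # varies, but within a small window
    return "scattered"

def guess_space_bits(ports):
    """Rough bits to guess per forged reply: 16 for the DNS TXID, plus
    port bits only when the port is not predictable."""
    if assess_ports(ports) in ("fixed", "sequential"):
        return 16.0
    span = max(ports) - min(ports) + 1  # observed span, an estimate only
    return 16.0 + math.log2(span)

if __name__ == "__main__":
    observed = sample_ephemeral_ports()
    print(assess_ports(observed), round(guess_space_bits(observed), 1))
```

A "fixed" or "sequential" verdict means the transaction ID is the only unknown left in each reply, which is the situation source port randomization was introduced to end.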