telnetd oops

The recent telnetd vuln brings two things to mind.

First, as a QA guy myself, I imagine there’s some QA person at Sun saying “D’oh!”.

Second, it makes me think of the full-disclosure argument.

(Wait, doesn’t everything make you think of the full-disclosure argument? Moving on…)

For the sake of discussion, assume you’re against disclosing unpatched vulnerabilities under any circumstances. In this case, we have a fine example of how this might work. You have a perfect opportunity to keep things from yourself. Delete all the emails, blog posts, and news articles that might inform you about the problem. Ignore any IDS signatures and third-party patches. Ignore the fact that absolutely no exploit code is needed, and that any script kid, no matter how unskilled, can pull this hack off.

Don’t disable telnetd on your Solaris 10 machine. Wait for Sun to tell you there’s a patch.
That’s one extreme end of the disclosure debate spectrum. You can refuse to participate in the disclosure game on a personal level.

I can’t stop you.


Stefan Esser has revealed today in a SecurityFocus interview that he plans to start the Month of PHP Bugs in March. If you’re impatient you can skip straight to page 3, though I think Federico Biancuzzi’s interviews are always worth reading in their entirety.

The point? Don’t piss off the guy with the technical skills to find your bugs if he’s trying to help you. I understand it’s not always easy to deal with the egos. But hey, if no one else wants the free QA, I’ll take it.

Fyodor only gets 60 seconds warning?

Kevin Poulsen reports on the 27B Stroke 6 blog today that Fyodor’s (of nmap fame) website was shut down. Kevin followed up later with responses both from GoDaddy’s general counsel and Fyodor. Please take a look at Kevin’s writeups. He does an excellent job, as always.

Basically, Fyodor keeps a public archive of a bunch of mailing lists, including Full Disclosure. Someone by the address of posted a copy of a myspace password list to Full Disclosure. Fyodor’s archive contained a copy. And so does every other archive, and every single one of us who subscribes directly has a copy, too.

Depending on whose story you believe, Fyodor was given either 1 minute or 1 hour of notice before they turned him off. We don’t know how long it was between when myspace asked and GoDaddy acted. Fyodor never got the message ahead of time, and GoDaddy made no attempt to ask for removal of the single attachment out of thousands and thousands of archived emails. And the password list had been there for days.
I belong to a couple of private groups that request domain shutdowns frequently, based on phishing sites, botnet C&Cs, and sites hosting malware being used to infect new victims. These are what I would tend to call legitimate reasons to shut down a domain. How long do you think it usually takes the group to have a domain shut down? Even for the most responsive registrars, it frequently takes several hours. How do we get the 1 minute turnaround, GoDaddy? Where’s the form we fill out?
So, no brownie points for GoDaddy and how they handled this. We can see who they are willing to jump for.  How about myspace? I think Fyodor’s own response it about as good as it gets. Just change the passwords on the compromised list, and notify the account owners.
So I have a question: If you know someone whose password was stolen, have they received any kind of notification? I suppose if I were a bit more enterprising, I could just mail them all and ask myself, or maybe just try the names and password on myspace, and see how many still work. After all, I’ve got a copy of the list, there’s nothing that would prevent me.