Dan Kaminsky‎ > ‎


                 !~~~~~~~~~~~~~~~ Spools ~~~~~~~~~~~~~~~!

Reading through Dan's emails was both pain and pleasure. There are a lot of
them. And when we say a lot, we mean that we have 1.5gb of spools from the
period 2005-2009 before he used gmail again. After that we have all the gmail
messages since. So without further ado, here's the whole bunch!

From effugas@gmail.com  Sat Dec 31 02:53:33 2005
Return-Path: <
Received: from wproxy.gmail.com (wproxy.gmail.com [])
    by pmjm.net (8.12.9p2/8.12.9) with ESMTP id jBVArXYb031168
    for <
dan@doxpara.com>; Sat, 31 Dec 2005 02:53:33 -0800 (PST)
Received: by wproxy.gmail.com with SMTP id i31so1847699wra
        for <
dan@doxpara.com>; Sat, 31 Dec 2005 02:53:50 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
Received: by with SMTP id t11mr11686777wra;
        Sat, 31 Dec 2005 02:53:50 -0800 (PST)
Received: by with HTTP; Sat, 31 Dec 2005 02:53:50 -0800 (PST)
Message-ID: <
Date: Sat, 31 Dec 2005 02:53:50 -0800
From: Dan Kaminsky <
Subject: hiya
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.pmjm.net
X-Spam-Status: No, score=0.9 required=2.0 tests=AWL,HTML_40_50,HTML_MESSAGE,
X-IMAPbase: 1219969072 0000120134 Junk NonJunk $Label4 $Forwarded $MDNSent $Label5 $Label3 $Label1 $Label2
Status: RO
X-UID: 1

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

so yeah

Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

so yeah<br>

Kidding! Somehow we think a 2gb zine might be overdoing it a little bit.
The first shocking thing about Dan's mailbox is just how many people he knows.
He has hundreds of contacts in the security industry. Dozens upon dozens in
corporate programming, ISPs, government, military, education, media, and
anywhere else tech support can be found. After his DNS crap in 2008, he had
dozens of aspiring young researchers offer to blow him. Lots of people
basically emailed asking to be his friend.

At that time, he even had a number of prominent security researchers or
prominent internet bitches all but offer handjobs to get in on the scoop. They
wanted any piece of the action, even just enough to throw up a blog post saying
they've been collaborating with the great Dan Kaminsky. Everyone emailed to
congratulate him and offer their support.
Shame on them all.  Here's a little example:

Scott Applegate, CISSP, a Business Partner at US Army, requested to add
you as a connection on LinkedIn:


Worked with you about a year ago when we were looking at the RFID
capture device at IOActive.  Would like to keep in touch with you all
for potential future issues, ideas, etc.  Gratz on the DNS discovery and
very impressed with the way you handled the entire affair.

- Scott

Of all people, lcamtuf was almost the voice of sanity. He turned down Dan
and told him to stop hyping. Who would have thought it?

At one point Dan sent out an email to a bunch of his friends, asking for
public support. These include:

Jay Beale
Ben Laurie
Johnny Long
the dude behind myspace (like wtf...)
Paul Schmehl

Here's an example conversation coming from that:

From: Johnny Long <ihackstuff@gmail.com>
To: Dan Kaminsky <
Content-Type: multipart/alternative;
X-Mailer: iPhone Mail (5A345)
Mime-Version: 1.0 (iPhone Mail 5A345)
Subject: Fwd: Help
Date: Tue, 22 Jul 2008 10:15:15 -0400
References: <
Content-Length: 14269
Status: RO
X-UID: 114100

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Stupid reply to self!


Sent from my iPhone

Begin forwarded message:

> From: Johnny Long <ihackstuff@gmail.com>
> Date: July 22, 2008 10:13:03 AM EDT
> To: Johnny Long <
> Subject: Re: Help

> Also feel free to call to discuss 410-599-8672.
> Johnny
> Sent from my iPhone
> On Jul 22, 2008, at 9:29 AM, "Johnny Long" <
> wrote:
>> On 7/22/08, Johnny Long <
ihackstuff@gmail.com> wrote:
>>> Unless I'm missing something, I'm behind you, but what can I do? You
>>> want a sound bite from me, I'll be glad to give it to you as long as
>>> it doesn't make me sound like a raging idiot. =D
>> Belay that. You're my friend. I would gladly look like a raging idiot
>> (or even stake my career) defending my friends.
>> What's the next step?
>>> On 7/22/08, Dan Kaminsky <
dan@doxpara.com> wrote:
>>>> There are two paths -- pills, if you will.  One says:
>>>> "Unless there's a full vulnerability for me to look at, I don't
>>>> want to hear
>>>> about it, especially if you're saying the patch is extremely
>>>> important"
>>>> The other says:
>>>> "If it is possible to have some time to deploy an extremely
>>>> important patch,
>>>> without knowing the vulnerability, give me the time."
>>>> I went through an astonishing amount of pain in support of the
>>>> latter.  I
>>>> have gotten absolutely no support from the community for those
>>>> actions.  If
>>>> I've gotten beaten up this badly, I can guarantee the latter will
>>>> never
>>>> happen again.
>>>> If you think that's a good thing, OK.  If you, or your customers,
>>>> think
>>>> that's a bad thing, I need people on the record saying so --
>>>> saying that,
>>>> all things being equal, 30 days was better than 0.
>>>> Johnny Long wrote:
>>>>> hello my friend.
>>>>> what can i do to help you?
>>>>> johnny
>>>>> On 7/21/08, Dan Kaminsky <
dan@doxpara.com> wrote:
>>>>>> I may need some help surviving this whole DNS thing.  Would you
>>>>>> be able
>>>> to
>>>>>> support my approach?
>>> --
>>> Hackers For Charity Quickstats:
>>> Microprojects Completed: 3 Active: 4
>>> Registered Volunteers: 175
>>> Funds raised: $US 4,000(+); $L 22,000
>> --
>> Hackers For Charity Quickstats:
>> Microprojects Completed: 3 Active: 4
>> Registered Volunteers: 175
>> Funds raised: $US 4,000(+); $L 22,000

* How charitable of johnny. Looks out for his friends.
* How about this one? */

Sure I would be happy to help you.  I got you a few email address of the
companies you wanted.  Let me know if there=B9s anything else I can do:
Jessica   Alter   Bebo   Bizdev  
jessica@bebo.com   415 243-4821
  Kent   Lindstrom   Friendster
  Craig   Newmark   Craigslist      
  Jim   Bankoff   AOL   Former EVP Product   bankoff@aol.com
  Edwin     Aoki   AOL   Technology Fellow   aoki@aol.net
  Michael   Jones   AOL   VP   mjones@userplane.com
  Reid   Hoffman   LinkedIn   Founder   rhoffman@linkedin.com
  Ramu   Yalamanchi   HI5   CEO/Cofounder   ramu@hi5.com
  Akash   Garg   Hi5   CTO/Cofounder   akash@hi5.com

On 7/21/08 6:46 PM, "Dan Kaminsky" <dan@doxpara.com> wrote:

> Aber,
>     I'm in a bit of a bind.  A fellow security researcher leaked my DNS
> attack.  I am not convinced that I will ever be able to get people
> advance notice on a vulnerability again, if I do not have significant
> support for the 30-day approach I attempted to pioneer.
>     Is it possible that MySpace could support my approach here?  It will
> not likely happen again without a pretty serious burst of support soon.
> --Dan

//~~~~ Or:

From: "Billy Rios" <billy.rios@gmail.com>
To: "Dan Kaminsky" <
Subject: DNS bug Public
MIME-Version: 1.0
Content-Type: multipart/alternative;
Status: RO
X-UID: 114036

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

DAN!  Heard the DNS bug went public inadvertently :(  that sucks dude.

I'm still thankful (as I'm sure millions of others) that you put forth the
time and effort to coordinate the most massive security fix in history.
I'll buy you a beer (or two) in Vegas!


// Here's another noble comrade coming to Dan's rescue:

From: Jay Beale <jay.beale@gmail.com>
To: Dan Kaminsky <
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Mailer: iPhone Mail (5A347)
Mime-Version: 1.0 (iPhone Mail 5A347)
Subject: Discussion
Date: Mon, 28 Jul 2008 22:50:13 -0700
Status: RO
X-Status: A
X-Keywords: NonJunk       
X-UID: 116776

Dan, is it too late to get involved in that discussion? I'd really  
like to defend your honor because the community is just wrong!

Jay Beale

// And another:

On Jul 21, 2008, at 9:45 PM, Dan Kaminsky wrote:

> I need your help surviving this DNS thing.  Would you be able to
> support my approach?

What's your approach? Call me either in the office (617) 873-5282 or
on my cell (781) 325-3299.



* It's great to have friends, isn't it? You get the idea.
* Dan then made ilja into his translation bitch. It was hilarious. This is how it started: */

To: Dan Kaminsky <dan@doxpara.com>
From: Ilja <
Reply-to: Ilja <
Subject: Re: ZOMG
Message-ID: <
X-Priority: 3
X-Mailer: UebiMiau [PHPMailer version 1.70]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
X-Virus-Scanned: Xentra AntiVirus
Status: RO
X-Status: A
X-UID: 116250

you want the whole pdf translated ?

--------- Oorspronkelijk bericht --------
Van: Dan Kaminsky <
Naar: Ilja <
Onderwerp: ZOMG
Datum: 27/07/08 05:27


* If it was dutch and it mentioned Dan, ilja got stuck translating it.
* We kind of want to take advantage of this free Dutch->English translation
* service. ilja, since we're feeling nostalgic, can you gather the boys and dig
* up any old private netric logs, from when you guys actually did shit? If you go
* ahead and do this for us, it'll really be easier for everyone in the long run
* ;)
* Don't forget to translate any and all Dutch!
* Speaking of ilja... */

"Ilja van Sprundel \(N. Runs GMBH\)" <v-iljav@microsoft.com>
along with
ilja@suresec.org and ilja@netric.org of course

If you guys are looking for people to spam, you could always add this list:

From: "Damon P. Cortesi" <damon.cortesi@ioactive.com>
From: "Josh J. Pennell" <
From: "Joshua J. Pennell" <
From: "Justin N. Ferguson" <
From: "Nicole Tatrow (IOActive)" <
From: "Robert M. Zigweid" <
From: <
From: Anthony Rossano <
From: Chris Paget <
From: Dan Kaminsky <
From: Dan Kaminsky [Dan.Kaminsky@ioactive.com]
From: Dan Kaminsky [mailto:Dan.Kaminsky@ioactive.com]
From: Dan Schaffner <
From: Daniel Schaffner <
From: Eric Rachner <
From: Forrest Rae <
From: Jason Larsen <
From: Jason Waldhelm <
From: Jill Levine <
From: Josh Pennell <
From: Joshua Betts <
From: Joshua J. Pennell [mailto:joshua.pennell@ioactive.com]
From: Joshua Pennell <
From: Justin Ferguson <
From: Justin Ferguson <
From: Lauren Vogt <
From: Maren Morrison <
From: Megan Knox <
From: Natalie Ervin <
From: Rob Harvey <
From: Robert Zigweid <
From: Shannon James Smith <
From: Shannon Smith <
From: Shannon Smith <
From: Ted Ipsen <
From: Ted Ipsen <
From: Walter Pearce <


From: "=?GB2312?B?v7Xx/b/i?=" <dmpzguntmntk@microsoft.com>
From: "Anthony Fung (LCA)" <
From: "Brad Hill \(Information Security Partners\)" <
From: "Bri Rolston (SWI)" <
From: "Chris Paget \(IOACTIVE\)" <
From: "Dan Kaminsky (IOACTIVE)" <
From: "Helen Wang (MSR)" <
From: "Ilja van Sprundel (N. Runs GMBH)" <
From: "Ilja van Sprundel \(N. Runs GMBH\)" <
From: "John Biccum" <
From: "Kurt Swanson" <
From: "Kymberlee Price" <
From: "Stephen Toulouse" <
From: "Zot O'Connor" <
From: "Zot_O'Connor" <
From: "jajirn" <
From: Adam Shostack <
From: Bri Rolston <
From: Bronwen Matthews <
From: Dan Kaminsky (IOACTIVE) [mailto:v-dakami@microsoft.com]
From: Dave Tamasi &lt;dtamasi@microsoft.com&gt;<br>
From: Dave Tamasi <
From: Dave Tamasi [<a href=3D"
From: Dave Tamasi [<a href=3D"
From: Dave Tamasi [mailto:dtamasi@microsoft.com]
From: Dave Tamasi [mailto:dtamasi@microsoft.com]=20
From: Ian Hellen <
From: Jack Couch (Deepintel Solutions LLC) <
From: Josh Lackey <
From: Josh Lackey [mailto:Joshua.Lackey@microsoft.com]
From: Kathryn Gillespie <
From: Katie Moussouris <
From: Kay Hersrud <
From: Kymberlee Price <
From: Kymberlee Price [<a href=3D"
From: Kymberlee Price [mailto:Kymberlee.Price@microsoft.com]
From: Lili Cheng <
From: Lili Cheng [mailto:lilich@microsoft.com]=20
From: Mark Novak <
From: Peter Beck <
From: Robert Gu <
From: Rodney Buike <
From: Stephen Toulouse <
From: Thomas Hargrove <

/* Figuring out which ones are real/active is left as an exercise for the
* reader!
* Okay, the next thing you notice about Dan's spools is just the volume of mail
* he got in July 2008 especially. You start reading a day of his emails, you get
* tired, and then you just hold your finger on Page Down. Pull it off after a
* while and you're still not out of the day.
* The only work Dan did in July was reading and answering emails. Even just the
* quantity going out was massive. The other little thing he did....was sort of
* let everyone else do research for him. Basically dozens upon dozens of people
* emailed Dan with their theories, and if what they said was accurate, Dan said
* it was part of the research he had covered, but he appreciated their concern
* and congratulated them on their quick thinking ;p
* Did Dan hand out any credit at his talk that year? Because he sure should
* have...
* There was one thing he was almost honest about, and that's this: */

> >On Thu, Jul 24, 2008 at 09:26:27AM -0700, Dan Kaminsky wrote:
> >
> >>Halvar was like the tenth to figure it out.  I'm not impressed by all
> >>the complaining from people not smart enough to figure the bug out.

/* People *did* email Dan with the solution. I think the first was only a few
* days after he made a fuss. How many got shouts? I don't think he ever replied
* back with "You got it" */

// Here's him talking with Halvar

From: Halvar Flake <halvar@gmx.de>
User-Agent: Thunderbird (X11/20080502)
MIME-Version: 1.0
To: Dan Kaminsky <
Subject: Re: A small note
References: <
In-Reply-To: <
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Provags-ID: V01U2FsdGVkX18oRXbSi0zq0CHrQHTL7+EFDu3Q3TZXHK2uDx8
Content-Length: 2887
Status: RO
X-Status: A
X-UID: 113198

>Yes, this is a very tough position to be in.  I am obligated not to
defend myself.

Ahwell, such is life ;) -- and you'll survive. :)

>However, if you like, you are welcome to come to my talk and take the
> after, to tell the entire audience what you think, having heard the
full details.

Thanks for the offer, but I'll decline. If we agree, there's nothing to
discuss, and if we disagree,
a controversy in the open would be famewhoring by both of us :-P
You and I have better things to do with our time (I prefer to let the
nontechs deal with the
politricks of it all).

There's several reasons why I should avoid any panel discussion anyhow:
* My final final final exam is on 1st of August, so I will arrive in
Vegas looking like cannonfodder
from House of the Dead. I will have spent several weeks on math, so I
will be unable to speak
intelligibly, and walk in a shuffle. When I am tired, I tend to revert
german in mid-sentence, and I spill
coffee on my shirts, neither of which helps. People would mistake me for
a character from a game.
* I have to avoid plenum discussions like the plague nowadays. The
industry has
changed in a way that is quite incompatible with my views -- I'd just
offend people :-)
    * I remember the upset I caused to some members of the audience at
CSW a few years back when
    I recommended that the proper response to being owned by someone
through a chain
    of bouncers would be to own the bouncer chain, one by one, to get to
the source.
    * I tend to not take security too seriously. This tends to offend
audiences at such conferences,
    because they all want to feel important, and I think we are not
1/3rd as important as we'd like to think.

I am certain that you have a really cool and really original attack -- I
just think that if
OpenSSH and Bind _remote_compromises_ (which were pretty darn reliable,
too) didn't warrant "silent period after patches are out", then this
doesn't either. And if the argument is that this problem is easier to
exploit than the above
bugs: "%25%5C" was as easy as it gets, _and_ SSL certs don't help Joe
Sixpacks any
more if the server is compromised.
In all these cases, we didn't need 30 days of artificial suspense.

Also, we all remember the time when vuln info on the defensive side was held
in clubby little groups. The only result of that was that all serious
attackers compromised
some list members, and people that were neither serious attackers nor on
that list
got shafted ;).

But well. All this is politricks, and as such should be left with people
that have no
real work to do :-)

Good luck in the madness over the next few weeks.

I need to get back to my books :-/ (still heaps of work for the exam
tomorrow, and it's
boring shit on top of it :(

PS: What happened on the RE with IDA book ? It was definitely not what
it should've been.

// And later:

Hey Dan,

>Oh, I'll survive.  Who ever would have thought the vendors would be the
easy people to work with?

Haha. Yeh. It shows how the environment has changed -- I still remember
a few
southern german gentlemen reminding me to "quit fucking with the
israelis" when
I did work on Checkpoint a few years back.

>Well, you know, you did sort of start it.  (...)
>Well, man, why'd you have to go in and shit on me publicly then?  I'm
out there trying to get people safe
> and you're like, meh, big whoop...and then, now that you've entered
the discussion, you're like "well
> I don't really want to get involved".  You got involved -- to the
point people are reporting on it.  You're
>respected, I mean, you're respected by *me*.  It's a fairly big deal
for you to enter the discussion and say this doesn't matter.

See my comment above on my reason for avoiding panels: I open my mouth,
speak my mind,
and people get pissed off. Apparently this happens to my blog posts, too :-/

Like, I didn't think saying that "the sky isn't falling" and "we've
survived worse before, with less vendor coordination"
counted as shitting on you publicly. It wasn't _meant_ that way, and I
hope it's not being
construed as such.

Most of all, I was not trying to denigrate your findings. I value
originality in thought above
everything, and finding a protocol attack that has been hiding in "plain
view" is something you
can be very proud of. It is a sign of significant originality, which is
both rare and valuable.

I am a bit dismayed at how my blog post (which I think was quite
reasonable) was spun by
reporters ("...DNS flaw called overblown...").  I also wrote that
it is quite conceivable that my calm in these circumstances is misguided
('russian roulette').
So I don't see this as shitting on you in public. It's a disagreement on
wether the yellow or the
red alert light is flashing. If you see this differently, please make a
on how I can clarify my posts.

I guess to summarize: I think my blog posts were measured & balanced. I
might be wrong
(sose damn germans are not exactly known for seir sense of diplomacy ;),
so if these posts can
be read in a more negative light I'll try to fix it.

Regarding coming to the stage at Blackhat: I won't, for several
(serious) reasons:
* I am deeply opposed to a culture of "there is controversy between X
and Y at Blackhat, let's go see it".
There is no controversy, there is a technical, and perhabs
philosophical, discussion, between two
resonable adults. That is not a spectator sport. I don't want to have a
principal role in
"Ric Flair vs. Shawn Michaels". I very much disliked how the
Matasano/Joanna thing was artificially
whipped up last year, principally to generate press hits for both
parties. I will have no part in
something like this.
* I am also deeply opposed of having this discussion happen at a for-pay
event with reporters present,
who will then put a very different spin on it. This just serves to make
CMP and the media rich,
while running counter to the original culture of discussion in our
community (e.g. mailing lists).

>Syngress published me when I was nothing but an intern at Cisco.   They
needed this book finished,
>and as a personal favor, I made that happen -- watched over the guys
who knew IDA Pro (I know
>nothing of it!), poked them every 24 hours, got it written. My name
wasn't supposed to be on
>the cover.  I don't even know what happened with the bio.  This all
mortified me even before I knew
>of the quality issues.

Ouch. That's the way things go :-/

Good luck with * !


// Things heating up between prominent whitehats Halvar Flake and Dan Kaminsky!

>Mostly a mention that -- heh, lets reserve judgement until we see the
talk -- that'd be fine.

I will write sth longer if you don't mind, and run it by you beforehand.
I am a bit annoyed
by the fact that what used to be a nice discussion on a mailing list is
now easily hyped by
the press into "A says X but B says Y ! Fight !", so I will have a short
comment on it.

>OK, you win, completely.  I could not agree with you more.  I do look
forward to your opinion after the talk, but running something for the
press is the very >definition of counterproductive.  It's just not what
our community needs.


>Bleagh.  Yeah.

I agree on the Bleagh. The exam went horrible, to the point that I asked
the examiners about 2/3rds through
wether it makes sense to continue. I still passed, but holy fuck.

>> Good luck with * !
> Thanks!
>> Cheers,
>> Halvar

On July 22nd, to Christopher Davis, chris@defintel.com:

Dan Kaminsky wrote:
> I could use help getting people on the record supporting me.  I have
> about 48 hours until the security community eats me alive for thinking
> the bug was lame, because you know, they still don't get it.
> Halvar and I were going back and forth on email.  You have to remember
> he's a kid, an insanely bright kid, but just a kid whose first post on
> the subject was that everyone should just assume their gateway is owned=

> and use SSL.  I simply feel sorry for Halvar, at worst.
> Ptacek is another story.  Think for a moment what it means that somebod=
> who is not Ptacek was able to leak anything.
> --Dan
> Christopher Davis wrote:
>> OK this sucks. I used think halvar was cool. Now I think he is a DICK.=

/* So some guy emails you to kiss ass and diss Halvar, and you respond asking
* for his help, and then diss Halvar yourself?
* After this Dan dissed Halvar to anybody who brought him up. Dan has this
* trend of dissing people more talented than him, including Halvar, Sotirov, and
* Dino. He is most cozy with people just as untalented as himself. Don't need to
* name names there, the crowd is obvious.
* By the way, here's a nice list of whitehat emails for you to spam. Hard to
* miss, with Dragos emailing them all so often: */

From: Dragos Ruiu <dr@kyx.net>
To: Dragos Ruiu <
dr@dursec.com>, rgula@tenablesecurity.com,
roesch@sourcefire.com, fygrave@o0o.nu, rfp@wiretrip.net,
aleph1@securityfocus.com, jason.dorie@blackboxgames.com,
        Fyodor <
fyodor@insecure.org>, spikeman@spikeman.net,
        Lance Spitzner <
lance@spitzner.net>, phillip.ibis@blackboxgames.com,
priest@sfu.ca, hdm@digitaloffense.net,
        Nicolas FISCHBACH <
nico@securite.org>, kaneda@securite.org,
andy@dragonfly.demon.co.uk, ktwo@ktwo.ca, ajarman@timeindustrial.com,
zindelak@telus.net, jeff@snort.org, smkoen@hotmail.com,
newspixie@hotmail.com, Will Whittaker <mock@obscurity.org>,
tiffkary@hotmail.com, kmx@egatobas.org, hectorh@pobox.com,
emxlists@tstf.net, vanja@vanja.com, dje@bht.com, dugsong@monkey.org,
lyndon@orthanc.ca, mts@off.off.to, paudley@blackcat.ca,
robert_david_graham@yahoo.com, Peter Wong <peter_wong@pmc-sierra.com>,
dfreelove@rogers.com, jay@intelguardians.com, phil@ccc-ltd.com,
jed@pickel.net, gshipley@neohapsis.com, deraison@cvs.nessus.org,
        Theo de Raadt <
deraadt@cvs.openbsd.org>, dittrich@u.washington.edu,
ben_greenbaum@securityfocus.com, nbortnak@moro.us,
        Chris Kuethe <
chris.kuethe@gmail.com>, bob.beck@ualberta.ca,
natasha@snort.org, arr@watson.org, jfrank@b-ap.com, kkuehl@cisco.com,
bmc@shmoo.com, talisker@networkintrusion.co.uk, halvar@gmx.de,
richard@idealrealms.com, jennifer@granick.com,
alfredhuger@winterhope.com, Solar Designer <solar@openwall.com>,
ivan.arce@corest.com, rkl@blackops.org, cmg@uab.edu,
jedhaile@gmail.com, frank@ccc.de, dave@mu.org, jwilkins@bitland.net,
kf@gnosys.biz, Jordan Ritter <jpr5@darkridge.com>,
matthew_conover@symantec.com, thegnome@nmrc.org, ofir@sys-security.com,
provos@umich.edu, silvio@big.net.au, mike_schiffman@hotmail.com,
niness@devilness.org, of@securityfocus.com, alan@silent5.com,
mark@stateful.net, weingart@tepid.org, kyxspam@loder.us,
Todd.Miller@courtesan.com, hlein@progressive-comp.com,
neel_mehta@iss.com, shaun@securereality.com.au,
        "Felix 'FX' Lindner" <
fx@recurity-labs.com>, thegrugq@gmail.com,
jose@monkey.org, dan@doxpara.com, caddis@ruxcon.org.au,
mudge@uidzero.org, Gerardo Richarte <gera@corest.com>,
mike@datanerds.net, mike@digitalguardian.net,
        Robert Lemos <
mail@robertlemos.com>, Ejovi Nuwere <ejovi@ejovi.net>,
watcher@vigilans.net, tobyhush@hushmail.com, arrigo@alchemistowl.org,
oudot@rstack.org, f.raynal@miscmag.com,
        Philippe Biondi <
phil@secdev.org>, Cedric Blancher <sid@rstack.org>,
gary@proventsure.com, kostya@immunitysec.com,
        ol at uncon <
ol@uncon.org>, itojun@itojun.org, rakan@well.com,
ETOH@jp.ibm.com, joewee@monkey.org, n.brulez@free.fr, djm@intrusec.com,
george.kurtz@foundstone.com, paulwatson@paulwatson.org,
danny@arbor.net, keith@netwerked.net, craig.balding@gecapital.com,
dave@immunitysec.com, dmaynor@gmail.com, rforno@infowarrior.org,
kevin@labmistress.com, Ryan Mcbride <mcbride@openbsd.org>,
        Josh <
josh.pennell@ioactive.com>, jcouzens@6o4.ca,
athomas@deltacable.com, RSalgado@att.net,
        Christopher Owen <
chris.owen@consault.com>, yukai@eeye.com,
Joel_Carter@bcit.ca, Joost.Houwen@accenturebizservicesbc.com,
ws@dec.net, schneier@counterpane.com, mark@4mtu.net,
arno@ed-diamond.com, anton@chuvakin.org, takahashi.akiko@scs.co.jp,
gaus@cisco.com, job@itsx.com, bmccarty@apu.edu, eric_byres@bcit.ca,
c.uchida@ie.sumitomocorp.co.jp, kjc@iijlab.net, djm@cambia.com,
adam@philtered.net, kasahara.ken@scs.co.jp,
        Dino Dai Zovi <
ddz@theta44.org>, dmckay@gmail.com, ebalas@iu.edu,
thorsten.holz@mmweg.rwth-aachen.de, alexbling@gmail.com,
barnaby.jack@gmail.com, cesar@appsecinc.com, gael@melix.net,
spoonm@gmail.com, mschiffm@cisco.com, fernando@gont.com.ar,
npouvesle@tenablesecurity.com, zoe.g@cansecwest.com,
jkouns@infosecmba.net, jericho@attrition.org, mail@mtrueman.com,
        rob <
rob@robmann.org>, yuzu@yuzuko.net, justine.aitel@immunitysec.com,
javier@corest.com, sinan.eren@immunitysec.com, nicolas@immunitysec.com,
mwatchinski@sourcefire.com, sunshine@pacsec.jp,
saito@byakuya-net.co.jp, chwieser@ee.oulu.fi, lcars@gentoo.org,
vh@thc.org, ilja@netric.org, hiroshi_shinotsuka@symantec.com,
cjordan@endeavorsystems.net, Sowhat <isowhat@gmail.com>,
mdornseif@mac.com, josh.ryder@ualberta.ca, glovet@fortinet.com,
marc_bevand@rapid7.com, zoe.g@eusecwest.com, scomeau@eusecwest.com,
mock@eusecwest.com, martin.herfurt@trifinite.org, marcel@holtmann.org,
tim.hurman@pentest.co.uk, deleskie@gmail.com, yuz@p0c.net,
raffy@raffy.ch, andy.davis@irmplc.com,
frederic.raynal@security-labs.org, shreeraj@net-square.com,
aquynh@gmail.com, Carlos Sarraute <carlos@coresecurity.com>,
jburroni@coresecurity.com, michael.boman@gmail.com,
        Andrea Barisani <
andrea@inversepath.com>, andrewcu@microsoft.com,
cat@reptiles.org, Chris Ulliott <chris@ulliott.com>,
nikoteen@zetetique.info, ofir.arkin@insightix.com, bnagy@eeye.com,
jim.deleskie@vsnlinternational.com, nick.murison@foundstone.com,
        Josh Ryder <
josh.ryder@gmail.com>, crispin@crispincowan.com,
steve@buyukada.co.uk, dbugman@dbugman.com, sascha@rommelfangen.de,
        fred <
fred@thinkingsecure.com>, dendler@tippingpoint.com,
davidendler@hotmail.com, mreavey@microsoft.com, terri_forslof@3com.com,
        Alexander Sotirov <
alex@sotirov.net>, alex@isecpartners.com,
scott@isecpartners.com, thalheim@informatik.hu-berlin.de,
aempirei@the-mathclub.net, loic.duflot@sgdn.pm.gouv.fr,
hscholz@raisdorf.net, hdm@metasploit.com, Dragos Ruiu <dr@kyx.net>,
adam.laurie@thebunker.net, dcox@breakingpointsystems.com,
tqbf@matasano.com, joanna@invisiblethings.com, change@dmzs.com,
doug@hcsw.org, erik@specialopssecurity.com, marnone@fcw.com,
hfortier@recon.cx, elisa@jasinska.de, raoul.chiesa@mediaservice.net,
d.sacher@gmail.com, niels.bakker@ams-ix.net,
        Jhayne <
bloodkrystal@hotmail.com>, riojh@mac.com,
        Sarah Blankinship <
        Marc Schoenefeld <
marc.schoenefeld@gmx.org>, mconover@gmail.com,
starbug@berlin.ccc.de, sandipchaudhari@gmail.com,
        Ariel Waissbein <
arnaud.ebalard@eads.net, guedou@hongo.wide.ad.jp,
johns@informatik.uni-hamburg.de, chenym@gmail.com,
ychen@foundstone.com, yuriko@pacsec.jp, jesssa@pacsec.jp,
hilary@pacsec.jp, helen@pacsec.jp, sono@pacsec.jp,
        Ryo Hirosawa <
ryo@pacsec.jp>, nrb@pacsec.jp, aboladeg@microsoft.com,
adamo@microsoft.com, jwill@microsoft.com, takumio@microsoft.com,
        Youji Okuten <
youjio@microsoft.com>, ishikawa.mitsuharu@scs.co.jp,
kanbe.tsuyoshi@scs.co.jp, iwai@lac.co.jp,
katsuya.furukawa@microsoft.com, trombik@gentoo.gr.jp,
rwood@coverity.com, alex.lucas@microsoft.com,
        Mark Dowd <
mark.dowd@gmail.com>, azanatta@spiritcommunications.ca,
        Dean Turner <
        Oliver Friedrichs <
oliver_friedrichs@symantec.com>, taviso@google.com,
        Steve Manzuik <
smanzuik@juniper.net>, cjaue@atic.ca,
mountainbarn@gmail.com, vrc_founder@hotmail.com, baiyilang@sina.com,
calvin.wong@intel.com, lmiras@gmail.com, dave@cansecwest.com,
richard.chadderton@hsbc.ca, "A. R." <r00t@northernfortress.net>,
ggalford@microsoft.com, njam@sandia.gov, christian.wieser@oulu.fi,
dtrammell@dustintrammell.com, druid@caughq.org,
dtrammell@tippingpoint.com, Jim.Deleskie@vsnlinternational.com,
matteo.meucci@owasp.org, matteo.meucci@gmail.com,
        David Watson <
david@honeynet.org.uk>, markruss@microsoft.com,
        Saumil Shah <
saumil@net-square.com>, sweetlie@etri.re.kr,
richardg@esentire.com, eldons@esentire.com, tvidas@nucia.unomaha.edu,
danbia@infis.units.it, msutton@spidynamics.com,
roelof.temmingh@gmail.com, V Anil Kumar <anil@cmmacs.ernet.in>,
tvidas@gmail.com, michael.geide@us-cert.gov, troglocan@gmail.com,
joshua.lackey@microsoft.com, Aaron Portnoy <aportnoy@tippingpoint.com>,
heavywizardry@gmail.com, nathan.green@ge.com,
        El Nahual <
nahual@0hday.org>, Danny McPherson <danny@tcb.net>,
aavivi@juniper.net, Gadi Evron <ge@linuxbox.org>,
jim_hoagland@symantec.com, mdfranz@gmail.com, pavel_haintz@shaw.ca,
felix@fefe.de, julia@devcon.net, jeedi@ccc.de, david@scanit.net,
job@riscure.com, renaudb@radware.com, carrier@digitalevidence.org,
frank@leviathansecurity.com, infosecdr@hoagland.org,
        William Knowles <
wk@c4i.org>, franck.veysset@orange-ftgroup.com,
nicolas.vivant@free.fr, jwalker@tgmp6.hbs.edu, lcamtuf@dione.ids.pl,
        Peter Evans <
peter@ixp.jp>, robert_mcmillan@idg.com,
mike@leviathansecurity.com, Michael Eddington <meddington@gmail.com>,
hiroshi.kawaguchi@lac.co.jp, mh@baseline-security.de,
haradats@nttdata.co.jp, itojun.hagino@gmail.com, arice@websense.com,
nruff@security-labs.org, fruss@coresecurity.com,
diegobt@coresecurity.com, nicolas.waisman@immunityinc.com,
Colin_Delaney@mcafee.com, stephen@blackroses.com, fabienne@fabienne.us,
        rich cannings <
rcannings@gmail.com>, nohl@virginia.edu, jmcd@pobox.com,
rhensing@microsoft.com, Oded Horovitz <odedh@vmware.com>,
        Thierry Zoller <
Thierry.Zoller@nruns.com>, sergio.alvarez@nruns.com,
        SunBing <
        Sebastien Tricaud <
stricaud@inl.fr>, p.chifflier@inl.fr,
        Dan <
dhubbard@websense.com>, schenette@websense.com,
olleB@toolcrypt.org, Charles Miller <cmiller@securityevaluators.com>,
        Adam Stein <
astein@musecurity.com>, dan@jwsecure.com,
my.self@erichacker.com, andres.riancho@gmail.com, slarson@strozllc.com,
        Cappella <
cappella@mail.com>, jf <jf@ownco.net>, rmarty@splunk.com,
        Hernan Ochoa <
        Harri Hursti <
hursti@hursti.net>, dpalacio@purdue.edu,
daniel@immunityinc.com, Aaron_Portnoy@3com.com,
arizvisa@tippingpoint.com, Hendrik Scholz <hs@123.org>,
        Julien Vanegue <
        Jose Orlicki <
        Thomas Lim <

/* God damn that's a lot of names we recognize. That's the center of the
* whitehat world. In the undergrond we stay on top of these guys by stealing
* spools of people like Dan Kaminsky. We follow more exclusive mailing lists too,
* but all of them are pretty worthless anyways. Kids, know your history: read
* ~el8 and h0no to see whitehats exposed via their spools.
* I bet lots of those are owned.
* :-D
* There's this little thing too, it's funny when whitehats try to tier */

From: Ivan Arce <ivan.arce@coresecurity.com>
Organization: CORE Security Technologies
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Aviram Jenik <
CC: "Steven M. Christey" <
coley@linus.mitre.org>, Gadi Evron <ge@linuxbox.org>,
        "Steven M. Christey" <
        Noam Rathaus <
noamr@beyondsecurity.com>, Michael Lynn <mtlynn@mac.com>,
        Matthew Murphy <
mattmurphy@kc.rr.com>, Halvar Flake <halvar@gmx.de>,
        Matthew Franz <
        John Cartwright <
johnc@grok.org.uk>, Fyodor <fyodor@insecure.org>,
mudge@uidzero.org, Dan Kaminsky <dan@doxpara.com>,
raven@oneeyedcrow.net, Ilfak Guilfanov <ig@datarescue.be>,
        Paul Vixie <
vixie@vix.com>, Joe Stewart <jstewart@lurhq.com>,
        David Litchfield <
        Ivan Arce <
Subject: Re: SRG: Vulnerability reporting service
References: <
43E41C15.8060007@linuxbox.org> <Pine.GSO.4.51.0602060157350.16000@cairo.mitre.org> <200602061728.34156.aviram@beyondsecurity.com>
In-Reply-To: <
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.pmjm.net
X-Spam-Status: No, score=-0.0 required=2.0 tests=SPF_HELO_PASS,SPF_PASS
    autolearn=failed version=3.0.4
Content-Length: 7460
Status: O
X-UID: 869

Hi all,

Gadi, thanks for kick-starting this and for framing the discussion.

Although many of us know each other and are aware of what the others do,
as a general rule I think I'd be good if we all introduce ourselves so
we know who we are and how or why we ended up bound by Gadi's email.

Ok, so I'll start by introducing myself :)

I'm CTO of Core security Technologies and I've been working in the
infosec field since the early 90s. I've been personally involved in the
 discovery and reporting process of every bug that Core discovered
and/or reported since around 1994. So far, I have not actively
participated in any of the various incarnations of the never ending
'disclosure debate' that has been ranging since the spread of RTM worm
(or possibly even before). Nonetheless I am intimately familiar with
both the public and private details of the research and disclosure process.

Lately I've noticed that there is a marked trend towards controlling
and/or regulating the mechanics of the security research process and one
of its sub-processes, the disclosure process. This trend, actively
pursued by a set of interested players, mainly big commercial software
and security vendors, has reached a point were a specific (and I'd
venture to say not unbiased) view of things is presented as the only
legitimate way of conducting security research. Meanwhile the
individuals and organzations that do the actual research and generate
the raw material that is often subject to these raging debates said very
little about the topic.

In my view, this was to be expected, as security
researchers/practitioners are generally more focused on getting their
hands dirty and *getting things done* rather than *talking about*
how/when or why to do them. Nonetheless several individual researchers
or research organization have presented their views on the topic but
generally in a scattered and very fragmented manner that did not reflect
the existence of a cohesive collective mindset with an alternative
approach to the security research practice. However, I believe (actually
I *know*) that a collective mindset does exist and that in  fact it is
one of the very specific things that fostered the development of the
infosec community and particularly infosec industry for at least 15
years. Security researchers have not yet expressed their opinion and
presented their views in an organized manner and I believe it is time
for them (us?) to do it. It is a necessary step if we want to continue
fostering the evolution and maturity of the discipline rather than
allowing it to fall into a renewed cycle of obscurantism.

Ok, but aside from the security research community diatribe and most
importantly: As far as I know the end-user community has not (directly)
expressed their opinion and has not provided guidance on how things
should be done or what is the expected/desired outcome for the future
evolution of security research and disclosure process. After all the
end-user community is the one stakeholder with the most at risk, it is
end-user organzations and individuals (not vendors nor researchers) that
are affected by security bugs and ultimately reponsible for fixing them
and so far they hear just one loud voice that allegedly explains how
things should be done in the field.

I submit that if there is only one choice, that's the one users will
adopt not because it is the right one but because it is the only one
available. My intend is to foster the emergence of at least one more
voice that can articulate and synthesize into understandable and
plausibly adoptable end-user options the various forms of security
research and disclosure processes that both fostered and fed from the
infosec industry during the last 15 years.

I've expressed many of these thoughts to Aviram and a few others [1]
during the past months and, gladly, I found out that (give or take a few
things) we were all having similar thoughts and the intention to do
something about it.

I guess that explains how I ended up in the TO: header of Gadi's
original email.


[1] Besides internal discussion at Core, I talked about this topic with
Tom Ptacek (
tqbf@matasano.com) and Nate Lawson (nate@root.org). I think
both of them would be interested in joining the list.

.... etc etc


// And just because every set of leaked mails needs one from Theo..

From deraadt@cvs.openbsd.org  Sun Feb 24 15:58:30 2008
Return-Path: <
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on pmjm.com
X-Spam-Status: No, score=-1.2 required=2.0 tests=AWL,BAYES_00,
        DNS_FROM_RFC_ABUSE autolearn=no version=3.1.5
Received: from cvs.openbsd.org (cvs.openbsd.org [])
        by pmjm.com (8.13.8/8.13.8) with ESMTP id m1ONwUBE016201
        for <
dan@doxpara.com>; Sun, 24 Feb 2008 15:58:30 -0800 (PST)
Received: from cvs.openbsd.org (localhost [])
        by cvs.openbsd.org (8.14.1/8.12.1) with ESMTP id m1ONx6gk031802
        for <
dan@doxpara.com>; Sun, 24 Feb 2008 16:59:06 -0700 (MST)
Message-Id: <
To: Dan Kaminsky <
Subject: Re: DNS Client
In-reply-to: Your message of "Sun, 24 Feb 2008 14:48:35 PST."
Date: Sun, 24 Feb 2008 16:59:06 -0700
From: Theo de Raadt <
Status: RO
X-Status: A
X-UID: 106100

>     Gimme a call tomorrow (Monday) evening, if you get a chance.
> +1-408-933-8195.  Got a heads up for ya.

I'm swamped making a release.

No matter what happens, if this is anything about ID's it will hurt us
less than it hurts the people who still believe in ID++, which is most
of the vendors.


* mudge (mudge@uidzero.org) [060120 20:04]:
> Actually, this advisory is missing some important information. 
> bugtraq engaged in this prior to the "buy out". Security Focus 
> engaged in this practice as well where there were some advisories 
> that would go out only to the Security Focus paid private list and 
> not be forwarded to the public list to which they were posted.

Excuse me, but wtf are you talking about? No offense mudge, (well, no
more than you just offended us), but maybe you should get back on the

We never have delayed any message to Bugtraq so as to give our paying
customers any advance notice. While there could have been situations where
something may have gone out first to customers of our alerting service
(e.g. an analyst find about the vuln through a medium other than bugtraq
before it hits bugtraq), it was never a result of a moderator delaying
a message for competitive advantage.

I find your comments particularly galling given that you were one of
the few people we allowed to post to Bugtraq without going through

Maybe we should discuss some of the vulns @stake discovered that were
never made public. Hmm?

Elias Levy

//~~~~ Look at the state of secdev!

From: Mike Schiffman <mschiffm@cisco.com>
Subject: Re: DNS deluge for x.p.ctrc.cc
Date: Wed, 1 Mar 2006 12:52:18 -0800
X-Mailer: Apple Mail (2.746.2)
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.pmjm.net
X-Spam-Status: No, score=0.4 required=2.0 tests=DNS_FROM_RFC_ABUSE,
        SPF_HELO_PASS,SPF_PASS autolearn=no version=3.0.4
Content-Length: 3118
Status: RO
X-UID: 1541

Hey dude, I'm finally working on endgame for my paper... I'm 
collating all of the DNS IPs, BIND version numbers, BIND 
vulnerabilities and CVSS scores. I'm translating into LAT/LONG using 
ipgeo. What software did you use to plot your stuff on those pretty 

Mike Schiffman, CISSP
Audentis fortuna iuvat
Cisco Systems, Inc Critical Infrastructure Assurance Group

//~~~ Dan and Mike trade pictures ;p

From: Mike Schiffman <mschiffm@cisco.com>
Subject: DNS!
Date: Thu, 20 Apr 2006 11:26:52 -0700
X-Mailer: Apple Mail (2.746.3)
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.pmjm.net
X-Spam-Status: No, score=0.4 required=2.0 tests=AWL,DNS_FROM_RFC_ABUSE,
        SPF_HELO_PASS,SPF_PASS autolearn=no version=3.0.4
Status: RO
X-UID: 2845

hey dude... check out the slowest paper ever written that's still not 
done yet, and let's build a partiview mpeg of the globe! That's the 
one thing I lack.
http://www.packetfactory.net/papers/DNS-2006 and 
www.packetfactory.net/papers/DNS-2006/CIAG-ONLY/. Call me! 

Mike Schiffman, CISSP
Audentis fortuna iuvat
Cisco Systems, Inc Critical Infrastructure Assurance Group

//~~~~~~ lol

From: Mike Schiffman <mschiffm@cisco.com>
Subject: hey
Date: Tue, 2 May 2006 15:48:58 -0700
To: Dan Kaminsky <
X-Mailer: Apple Mail (2.749.3)
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.pmjm.net
X-Spam-Status: No, score=0.4 required=2.0 tests=AWL,DNS_FROM_RFC_ABUSE,
        SPF_HELO_PASS,SPF_PASS autolearn=no version=3.0.4
Status: RO
X-Status: A
X-UID: 3130

You still out there? Am I bugging you with my constant badgering for 
assistance in wrapping this paper up? :)

//~~~~~ I only hope you had better people to go to back in the day...

From: Fyodor <fyodor@insecure.org>
To: Dan Kaminsky <
Subject: Re: yo
Message-ID: <
References: <
20080804043740.GC3447@syn.lnxnet.net> <48968878.1000604@doxpara.com>
20080804050415.GA10530@syn.lnxnet.net> <48969021.9080007@doxpara.com
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <
User-Agent: Mutt/1.5.9i
X-UID: 122512
Status: RO
X-Keywords: $Label4                                                 
Content-Length: 2477

Hi Dan.  On your blog I noticed that you wrote:

> Now, there?s Robert E. Lee and Jack Louis with their TCP Denial of
> Service attacks. Now, it?s a bit silly to assume Jack Louis doesn?t
> know the history of TCP attacks, as it?s silly to assume I don?t know
> the history of DNS attacks. (You?d be amazed how many people thought
> I?d just reinvented the birthday attack.) Jack?s written more crazy
> TCP code than you have, for all values of you including me and
> possibly Fyodor. Do their attacks work, mostly as they?re saying?
> Almost certainly. There?s dozens of weird corner cases in TCP where
> resources and timers are allocated. It?s entirely feasible that at
> least some of them have nasty effects on the system above and beyond
> three way handshake flood.

How well do you know these fellows?  I had been inclined to give them
the benefit of the doubt too, but I'm not impressed that the few parts
where they have divulged details have been so sketchy.  For example, I
just found their SEC-T slides on Sockstress and noted a number of
glaring technical problems:

If you click "next in thread" you can see Robert's response, which
skipped over all the technical problems in their slides and resorted
to answers like "those slides don't actually describe any of the
vulnerabilities that we're alarmed about" and "we see no compelling
reason to appease the internet security research community as a whole
with full disclosure details."  Sounds like a cop-out to me.

Also, their claim that there are no known workarounds or fixes is
questionable.  Even CERT-FI examined their research and reported that
"based on our evaluation, the vulnerability can be mitigated by source
address level filtering."  In other words, we can deal with it the
same way we deal with all the other non-spoofed DoS attacks on a daily

Mark my words: I expect that for their presentation on the 17th, they
will claim it is still too dangerous to give out details and spread
more FUD instead.  Even though they still have a tell-all talk

I do agree with you that they probably did find some DoS attacks you
can perpetuate when you have hundreds or thousands of open TCP
connections.  In my experience, you don't have to try very hard to
cause major DoS incidents that way.

Anyway, I'll stop ranting now :).  I hope all is well with you and
that you're having a great time in Japan!


From lance@spitzner.net  Sat Sep 13 11:59:15 2008
Return-Path: <
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on pmjm.com
X-Spam-Status: No, score=-1.0 required=2.0
        RDNS_DYNAMIC autolearn=no version=3.2.5
Received: from
www.honeytech.com (69-64-87-215.dedicated.abac.net
        by pmjm.com (8.14.2/8.14.2) with ESMTP id m8DIxFSs072264
        for <
dan@doxpara.com>; Sat, 13 Sep 2008 11:59:15 -0700 (PDT)
Received: from [] (unknown [])
www.honeytech.com (Postfix) with ESMTP id 220011340123
        for <
dan@doxpara.com>; Sat, 13 Sep 2008 13:58:43 -0500 (CDT)
Message-Id: <
From: Lance Spitzner <
To: Dan Kaminsky <
In-Reply-To: <
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v926)
Subject: Re: Ping
Date: Sat, 13 Sep 2008 13:59:42 -0500
References: <
X-Mailer: Apple Mail (2.926)
Status: RO
X-Keywords: $Label4        
X-UID: 121071

On Sep 13, 2008, at 13:55, Dan Kaminsky wrote:

> Ah, I'd love to make it out.  I hate to ask, but do these guys have 
> much
> budget?  I'd have to take a week off of a consulting gig to do this
> talk, and that'd be pretty rough :(

Hey Dan!  Normally they don't pay speakers.  However, for keynotes 
(and you) I am sure they would make an exception. Howard Schmidt is 
presenting, I'm sure he is not free :)
They do not pay me but that is because I am very good friends with 
them, I have known them for years and we help each other out in other 
ways.  What other information can I provide for you?  What other 
questions do you have?  Where would you like to go from here?  If you 
like I can do intros with the head guy Ahmad Kamali and you guys can 
take it from there.  Ahmad is the friendliest Emirati (and friendliest 
Arab) I have met in my five years of travelling to the middle-east.

Let me know what you would like to do next, thanks!


From ping@blackhat.com  Mon Sep  8 13:30:17 2008
Return-Path: <
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on pmjm.com
X-Spam-Status: No, score=-0.8 required=2.0 tests=AWL,BAYES_00,
        DNS_FROM_OPENWHOIS autolearn=no version=3.2.5
Received: from colossus.blackhat.com (colossus.blackhat.com
        by pmjm.com (8.14.2/8.14.2) with ESMTP id m88KUGiQ002397
        for <
dan@doxpara.com>; Mon, 8 Sep 2008 13:30:16 -0700 (PDT)
Cc: Jeff Moss <
Message-Id: <
From: Ping Look <
To: Dan Kaminsky <
In-Reply-To: <
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v919.2)
Subject: Re: Japan
Date: Mon, 8 Sep 2008 13:32:01 -0700
References: <
X-Mailer: Apple Mail (2.919.2)
Content-Length: 2553
Status: RO
X-Status: A
X-UID: 120768


I know you just spoke with Jeff and this is what we can do at the 
I will get you paid $3K from US 08
$2K from JP 08

So you'll get at least two separate payments in 2008.

And if you speak at DC and EU and USA 09, we'll increase appropriately 
to make up the shortfall (up to $6K).

Are you still on Boylston in #204?

I'll send you another note for Travel...

Thx so much... your karma thanks you.

On Sep 8, 2008, at 12:44 PM, Dan Kaminsky wrote:

> OK, here's the deal.
> You notice how I always do BH USA, but don't do too many other cons
> every year that are during weekdays?
> That's because there's no subsidization.  I do a weekday con, it 
> means I
> have to forgo consulting revenue for that day.  That's the deal I 
> have,
> and it's why I *can* choose to go to any con I select.  It's out of 
> my hide.
> Black Hat this year was about a month of no work.  I'd do it again 
> in a
> heartbeat :)  But that's what it was.
> So.  You want me at Black Hat Japan -- I'll do it, whether or not you
> have budget to handle my standard honorarium, which for international
> travel with three work days lost is $12,000.  I'll do it even if you
> don't have budget to handle my out-of-pocket lost revenue, which is
> $8K.  That's not an offer I'd extend to anyone else, but you've been
> good to me for a decade, and you clearly want me in Japan.  So I'll
> attend, on whatever terms you can afford.
> --Dan

// What a fucking whitehat whore. It's not over:

From Brian@sector.ca  Mon Sep  8 16:35:17 2008
Return-Path: <
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on pmjm.com
X-Spam-Status: No, score=-3.6 required=2.0
        autolearn=ham version=3.2.5
Received: from mail.sector.ca (mail.cms.ca [])
        by pmjm.com (8.14.2/8.14.2) with ESMTP id m88NZH9Z010196
        for <
dan@doxpara.com>; Mon, 8 Sep 2008 16:35:17 -0700 (PDT)
Received: from BBLaptop ([]) by mail.sector.ca over TLS
secured cha
nnel with Microsoft SMTPSVC(6.0.3790.3959);
         Mon, 8 Sep 2008 19:35:44 -0400
Reply-To: <
From: "Brian Bourne" <
To: "'Dan Kaminsky'" <
References: <
In-Reply-To: <
Subject: RE: stand by
Date: Mon, 8 Sep 2008 19:35:42 -0400
Organization: Black Arts Illuminated Inc.
Message-ID: <
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AckR8x22X3Xx2dTQReuuubGuTm0oOAAGGdWA

Content-Language: en-us
X-OriginalArrivalTime: 08 Sep 2008 23:35:44.0271 (UTC)
Content-Length: 1080
Status: RO
X-UID: 120783

We just don't have $10k, but I'd still like to have you... we can fly
you in
and out same day if you like... can you do $5k?


-----Original Message-----
From: Dan Kaminsky [mailto:dan@doxpara.com]
Sent: Monday, September 08, 2008 4:40 PM
Subject: Re: stand by


    Alright.  I can make it out, but it'll cost $10K -- this isn't me
being a pain in the ass, it's that I literally have to walk away from a
consulting engagement for a few days and, unlike some people, that comes
out of my own pocket.  (Black Hat USA cost me about a month of
consulting revenue.)

    Let me know?


Brian Bourne wrote:
> Dan,
> Can you call me when you have a second.  416-460-7317.  Here's the
> version - you're a very entertaining speaker - if you want to come,
> than make other speakers compete with you, we'll give you a lunch
> Let me know ASAP.
> /bb
> -----Original Message-----
> From: Dan Kaminsky [mailto:dan@doxpara.com]
> Sent: Wednesday, September 03, 2008 6:11 PM
> To: Brian Bourne
> Subject: stand by

// Best buddies forever
arachne: Aww, you sound exhausted, hon...when was the last time you slept?

Here is another range you should not scan

This client has not asked for your "services"=20

Please cease your "tests"

R Grant Leonard=20
Technical Security Specialist
AT&T | Managed Security Services
Threat Management | MIDS | DDoS | Internet Protect | Analysis
rgleonard@att.com <mailto:rgleonard@ems.att.com>  | O 919-474-1147 | C =


This is another of our clients and you do not have the permission of the =
client to perform this kind of scanning.

You have triggered over 22,000 events for us in this range alone as well =
as caused a few other minor aggravations.

While you may believe you are a researcher and doing good, performing =
your unauthorized testing on live production platforms is a reportable =

I am going to kindly suggest you seek permission from various targets =
before you continue your "research".

Please note I am under contractual obligations to report your =
activities, we have recorded your "scans" on over 26 devices globally =
and none of our clients have given you permission to perform these =


R Grant Leonard=20
Technical Security Specialist
AT&T | Managed Security Services
Threat Management | MIDS | DDoS | Internet Protect | Analysis
rgleonard@att.com <mailto:rgleonard@ems.att.com>  | O 919-474-1147 | C =

/* Three big cheers for R Grant Leonard! Stick it to the bitch. Let it be
* known that this guy is a cool dude and deserves some favours!
* Dan actually pissed off a lot of people with his scanning. What a fucking
* kiddie. Even someone from the Canadian government told him to take a hike.
* How bad do you have to be to piss off the Canadians? Christ.
* After Dan made a big stink about DNS in 2008 he and everyone else wanted
* to ride the wave of coverage, so they did a lot of scanning. I think there
* were four of them including Dan and Dragos Ruiu scanning heavily from
* some network Vixie let them on. Vixie got a lot of complaints and begged
* them to stop but they kind of ignored him at first. After a while Vixie
* realized that not only were all four scanning hard, but they were often
* duplicating the same ranges. Then they were pretty much unwilling to
* work together and share data, even on Vixie's insistence. Basically they
* used and abused Vixie like a cheap Thai hooker.

July 14 2008
Now if Matasano weren't so busy and would get around to finishing the
report, we could be that much closer to letting them publish. But it's
never quite as much of a hurry when it's waiting on yourself, is it?
We're well past 30 days now. ;)


No problem, Dan.  I will cease and desist immediately.
^ Paul Scheml on Dan asking him to censor FD


i told woot both of my slides but i said that the protections on slide two
were known to be inadequate and said that you had been able to break in.  i
suspect that this will be true when you get around to it, but i had to drive
home the "this isn't an alternative to udp port randomization, which you all
still have to do."  so if anyone asks, say yes, you're able to write my cache.

Vixie, Jul 28