Comments on ADD / XOR / ROL (halvar.flake)

Michael Dundas, 2008-07-24 07:09 (-07:00):
If you stole his thunder then that is probably good ;). Personally, the biggest problem I have with this whole DNS vulnerability is the lack of full-disclosure once the patch was released. There is the excuse that we need time for critical infrastructure to patch, but I think that is more of an excuse. They want a show with media etc. Seeing this with political figures, software vendors is bad enough, but I didn't expect to see it from prominent security researchers.

Sebastián Puig, 2008-07-23 12:10 (-07:00):
Congratulations from Spain. You write well and explain things better. Directly. Simply.

Unknown, 2008-07-23 07:00 (-07:00):
I think I have something, thanks to you. You can find it on my blog: http://sid.rstack.org/blog/index.php/287-dns-encore-peut-etre-une-solution (fr only, but you read fr ;).

Basically, it's what Thomas Ptacek explained, but instead of sending an Additional record at the end with the spoofed answer, I pass an Authority RR pointing domain NS to an arbitrary server.

Seems to work.

kernel, 2008-07-22 15:34 (-07:00):
I agree with heise regarding the cert publication.
I think that instant full disclosure is always a better way, it puts pressure on the right people, so the window of vulnerability is much smaller.
Freedom of Information.