New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
For the paranoid amongst .io domain owners
https://www.theregister.co.uk/2017/07/10/io_hijacking_in_transition_cockup/
Their nameserver domain names expired and were snapped up by a white-hat security guy. Briefly, all .io DNS requests could've pointed to a server of his choice.
Comments
I wouldn't consider him all white hat. He's been known to do some fairly shady things.
Zebra hat perhaps. This is potentially so high profile though, that it's probably wise to look like the good guy in this case instead of getting in trouble.
Anything you're thinking of in particular?
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html
The way he inappropriately handled this, especially with digitalocean from what I've read. Make no mistake he's a nice guy and intelligent but he has done shady things in past. I won't get in details in public to avoid drama and defame.
I handled the DO situation in the moment and made the judgement calls, and have no complaints or concerns about his integrity. I'd have liked him to do it differently but I responded and handled the situation with the options in my control, and he understood. We're cool
He's not wrong, if you don't provide proof of concept some people don't listen. So he does, because he actually cares about security.
Had a quick skim over it, and nothing jumps out at me as being "not whitehat". Unless you're referring to the "didn't notify upfront" thing, which is 1) not at all uncommon in internet-wide pentesting for a variety of legitimate reasons, and 2) not indicative of having non-whitehat goals in and of itself.
It's important to remember that upfront disclosure is a privilege, not a right - this counts doubly so for coordinated disclosure. Any security researcher may at any time choose not to do so for a variety of reasons - and unless there's malice behind those reasons, that can a completely valid decision. The primary responsibility of a security researcher is to users, not to vendors.
Maybe send a PM and I'll elaborate?
Feel free to PM me