"This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on 8th May and the invitations for the press conference were sent to the media on 5th May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local television and in the print media."
Here we would like to add further that even though Muhammad Faisal Rauf Danka claimed to be Vice President of PakCERT on several security mailing lists, in fact he was never associated with PakCERT in any manner.
Our conversation with Robert Lemos, who first reported this vulnerability in the media

The invitation file attached to the e-mail mentioned below is available here.
Subject: Re: Microsoft Flaw discovered
Date: Sat, 10 May 2003 01:36:22 +0500
From: Qazi Ahmed <qa@pakcert.org>
To: Rob Lemos <robert.lemos@cnet.com>
CC: zd@spider.tm
BCC: pakcert@pakcert.org
Hello,

Thank you for your response. Let me clarify the misunderstanding about the above-mentioned issue.

As mentioned in my previous email, PakCERT discovered not one but TWO vulnerabilities, emailed Microsoft at secure@microsoft.com and later, on their non-responsive attitude, notified the media in Pakistan on 5th May by fax and e-mails and announced the release of these vulnerabilities, with the details to be exposed on 8th May.

Yesterday, on 8th May, we organized a press conference at a local hotel and released the vulnerabilities withholding the technical information, which if it goes into the wrong hands could cause grave consequences. We demonstrated the vulnerability and exploit to a closed group from the local media and IT magazines, and one of the attendees provided this information to Muhammad Faisal Rauf Danka on the night of the 7th, and he unethically released the exploit information on the full-disclosure mailing list in haste to claim the credit.

Note that we already released this information to the local media by fax on 5th May and notified Microsoft several times (even before we notified the local press through fax and e-mails on 5th May), but we have not yet received any response from Microsoft, and even now only one serious vulnerability has been fixed by Microsoft but the other "SECURITY QUESTION BYPASS" vulnerability still exists.

You can confirm the fax information with our local media, especially the editor of SPIDER, Miss Zunaira Durrani, the foremost authority and the largest internet magazine in Pakistan. SPIDER is a publication of the DAWN GROUP OF NEWSPAPERS, the largest English-language DAILY in Pakistan.

The reason for the delayed email to full-disclosure and bugtraq is that we sent them e-mails AFTER the press conference on 8th May. I am attaching the invitation we sent to the local media through fax and e-mail.

You can always confirm this with any of our local media.

If you have any more queries to clarify this whole situation, please keep in contact with us.

Hope to hear from you soon.

Regards,
Qazi Ahmed
Rob Lemos wrote:

Mr. Ahmed:

I looked into these claims when another reader pointed out that your site had posted an advisory. However, you seem to have posted it several hours after the original advisory had been submitted to Full-Disclosure. If you have other data on the matter that you would like to send me, please do.

-R

| robert lemos | senior staff writer | cnet news.com |
| v: (415) 344-2975 | e: rob.lemos@cnet.com |
-----Original Message-----
From: Qazi Ahmed [mailto:qa@pakcert.org]
Sent: Thursday, May 08, 2003 11:43 PM
To: rob.lemos@cnet.com
Subject: Microsoft Flaw discovered
This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on 8th May and the invitations for the press conference were sent to the media on 5th May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local television and in the print media.
You can find the PakCERT advisory at http://www.pakcert.org/advisory/PC-080503.html

Regards,
-QA