"This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on the 8th of May and the invitations for the press conference were sent to the media on the 5th of May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with an exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local television and in the print media."
Here we would like to add further that even though Muhammad Faisal Rauf Danka claimed to be Vice President of PakCERT on several security mailing lists, in fact he was never associated with PakCERT in any manner.
Our conversation with Robert Lemos, who first reported this vulnerability in the media
The invitation file attached to the e-mail mentioned below is available here.
Subject: Re: Microsoft Flaw discovered
Date: Sat, 10 May 2003 01:36:22 +0500
From: Qazi Ahmed <qa@pakcert.org>
To: Rob Lemos <robert.lemos@cnet.com>
CC: zd@spider.tm
BCC: pakcert@pakcert.org
Hello,

Thank you for your response. Let me clarify the misunderstanding about the above-mentioned issue.

As mentioned in my previous email, PakCERT discovered not one but TWO vulnerabilities, emailed Microsoft at secure@microsoft.com and later, on their non-responsive attitude, notified the media in Pakistan on 5th May by fax and e-mail and announced the release of these vulnerabilities, with the details to be exposed on 8th May.

Yesterday, on 8th May, we organized a press conference at a local hotel and released the vulnerabilities, withholding the technical information, which, if it goes into the wrong hands, could cause grave consequences. We demonstrated the vulnerability and exploit to a closed group from local media and IT magazines, and one of the attendees provided this information to Muhammad Faisal Rauf Danka on the night of the 7th, and he unethically released the exploit information on the full-disclosure mailing list in haste to claim the credit.

Note that we already released this information to the local media by fax on 5th May and notified Microsoft several times (even before we notified the local press through fax and e-mails on 5th May), but we have not yet received any response from Microsoft, and even now only one serious vulnerability has been fixed by Microsoft; the other "SECURITY QUESTION BYPASS" vulnerability still exists.

You can confirm the fax information with our local media, especially the editor of SPIDER, Miss Zunaira Durrani, the foremost authority and the largest internet magazine in Pakistan. SPIDER is a publication of DAWN GROUP OF NEWSPAPERS, the largest English language DAILY in Pakistan.

The reason for the delayed email to full-disclosure and bugtraq is that we sent them e-mails AFTER the press conference on 8th May. I am attaching the invitation we sent to the local media through fax and e-mail. You can always confirm this with any of our local media.

If you have any more queries to clarify this whole situation, please keep in contact with us. Hope to hear from you soon.

Regards,
Qazi Ahmed
Rob Lemos wrote:

Mr. Ahmed: I looked into these claims when another reader pointed out that your site had posted an advisory. However, you seem to have posted it several hours after the original advisory had been submitted to Full-Disclosure. If you have other data on the matter that you would like to send me, please do. -R
| robert lemos | senior staff writer | cnet news.com |
| v: (415) 344-2975 | e: rob.lemos@cnet.com |
-----Original Message-----
From: Qazi Ahmed [mailto:qa@pakcert.org]
Sent: Thursday, May 08, 2003 11:43 PM
To: rob.lemos@cnet.com
Subject: Microsoft Flaw discovered
This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on the 8th of May and the invitations for the press conference were sent to the media on the 5th of May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with an exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local television and in the print media.
You can find the PakCERT advisory at http://www.pakcert.org/advisory/PC-080503.html
Regards,
-QA