[Owasp-leaders] Zone transfer

Jeff Williams jeff.williams at owasp.org
Mon Apr 12 01:27:59 EDT 2010


I greatly appreciate the interest and concern in OWASP's security and
reputation. I'd like to take this opportunity to once again recognize
Larry's excellent support of the OWASP network and application
infrastructure over the years. Few of you will probably ever meet him, but
he has helped virtually all of us and we work under the blanket of his
protection every day!

Rest assured that Larry has been on top of the DNS situation for quite a
while and we just haven't been able to find another provider that is a
better fit for OWASP. This is a great case study in why vulnerabilities
aren't risks (as we have now hopefully made clear in the new T10 being
released very soon). You always have to consider the business context of any
vulnerability you discover. In this case, nobody has articulated a serious
risk to OWASP.

However, we are absolutely committed to making our infrastructure secure -
both for protection and as an example to others. We always welcome
constructive information about the security of our OWASP infrastructure. 

Thanks Larry - great job as usual.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Christian
Sent: Friday, April 09, 2010 11:19 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Zone transfer


I have to agree considering the a majority of the A records could be
recovered with a "site:owasp.org -site:www.owasp.org" Google Search
Query or http://code.google.com/p/tit/

I believe the root cause of the hype is that AXFR is successful which
in my experience almost always fails and DNS is hosted with by (the
misleading titled) "secure.net".

On Fri, Apr 9, 2010 at 10:57 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Question: why is this a problem? Isn't the information listed by Christian
supposed to be on the public domain?

Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

More information about the OWASP-Leaders mailing list