From: daniel_clemens at autism.birmingham-infragard.org (daniel uriah clemens)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

Lorenzo,

If you truly '_cared_' about the security posture they took, then why are you talking about it on a public mailing list? Sounds like you are trying to validate your self-worth by telling us all how great it makes you feel when you find out a large government-funded organization has a lax security posture.

Are you hoping the media will say something like 'computer whiz kid finds holes at super secure .gov site'...? What is your motivation for telling the entire world you had problems getting them to fix their stuff?

Truly being concerned about the security of this type of organization sometimes involves you not validating your own actions by waiting for the response you get back from them.

-Dan

On Fri, 24 Oct 2003, Jon Hart wrote:

> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched but they didn't contact me after I sent the
> > access instructions to advisories, so,
> > I have now the advisory open and a complete action-mail/advisory log for
> > probe and provide the communication
> > between NASA staff and me.
>
> <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA. However, I'm not sure I blame them when you use
> language like this:
>
> You have exactly 3 days to patch the systems, full info about the
> vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain. Using demanding language like this
> simply strikes me as a threat. Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites. This is called a penetration test or
> vulnerability test in some circles, and computer crime in others. One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion. I certainly would've approached
> this entire situation differently. Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties. But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-Daniel Uriah Clemens
Esse quam videra (to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD