From: daniel_clemens at autism.birmingham-infragard.org (daniel uriah clemens)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

Lorenzo,
If you truly '_cared_' about the security posture they took then why are
you talking about it on a public mailing list?

Sounds like you are trying to validate your self-worth by telling us
all how great it makes you feel when you find out a large government-
funded organization has a lax security posture.

Are you hoping the media will say something like 'computer whiz kid finds
holes at super secure .gov site'...

?

What is your motivation for telling the entire world you had problems
getting them to fix their stuff?

Truly being concerned about the security of this type of organization
sometimes involves you not validating your own actions by waiting for
the response you get back from them.

-Dan

On Fri, 24 Oct 2003, Jon Hart wrote:

> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched but they didn't contact me after I sent the
> > access instructions to advisories, so,
> > I have now the advisory open and a complete action-mail/advisory log to
> > prove and provide the communication
> > between NASA staff and me.
>
> <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA.  However, I'm not sure I blame them when you use
> language like this:
>
> 	You have exactly 3 days to patch the systems , full info about the
> 	vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain.  Using demanding language like this
> simply strikes me as a threat.  Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites.  This is called a penetration test or
> vulnerability test in some circles, and computer crime in others.  One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion.  I certainly would've approached
> this entire situation differently.  Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties.  But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
	             -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD