| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Oct 2007 22:06:47 -0400 From: "Dude VanWinkle" <dudevanwinkle@...il.com> To: "worried security" <worriedsecurity@...glemail.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: If internet goes down out of hours, we're screwed I didn't read that book you sent in response to an offhanded remark, but I am impressed you learned about paragraphs! Now, lets focus on capital letters. -JP<who doesn't want to strain netdev with punctuation just yet, not to mention logic and brevity> On 10/9/07, worried security <worriedsecurity@...glemail.com> wrote: > On 10/9/07, Steven Adair <steven@...urityzone.org> wrote: > > I think you guys are both mixing up CERT (cert.org) and US-CERT > > ( us-cert.gov) -- both of which have very different functions. As > > mentioned though, you probably wouldn't want to call either if your > > Internet goes down. > > > > Steven > > > > They both suck though, and its not clear cut who is responsible for what. > The US-CERT vulnerability and incident report proceedure sends e-mail to > both US-CERT and CERT. > > > Also it was the US-CERT bulletin alert e-mail which had cert@...t.org in it, > so those folks who are ment to be running an emergency response team better > get their shit together, > > People want to know where to tell the government about something, and the > government should be approachable. lots of folks are scared to contact the > government directly about shit, incase it draws attention to them and they > end up getting into trouble for something completely different. > > I also believe the spying and undercover work that goes on on irc channels > for example is stupid, and befriending folks to get information on the > latest security news is wrong. If there were known government folks on the > irc channels and they were open about who they were, the government would > gather far more intelligence about hacks than being undercover. > > Trust me, the government think they need to be undercover to get the best > intelligence, but the way I see it, the government would be suprised how > many folks come forward in a friendly way if they said, yes i work for cert > or the dhs, i'm a cyber security contact if anyone wants to talk to me about > anything. the government need to get this whole situation sorted out with > tricking and entrapping folks on irc and other places. > > while i know in some investigation work undercover is the way to go, there > is also a need for the government to be more open with the security > community when lurking around the underground communities. > > the government should have a "cyber security contact" in the major public > underground irc channels, not the whole big undercover operation the > government currently run. > > plus, i don't believe their keyword data mining uncovers everything the > government should know, conversations on the internet by the bad guys are > often crafted in a certain way, because they know they are being monitored, > now if the government had open points of contact for the underground to talk > to, who were friendly approachable people, then the government would do far > better in public relations with the computer security community than they do > at present. > > i'm sick of the government as it currently stands, i'm sick of the > government and their intelligence services thinking the only way to find out > about things is to be undercover and have sophisticated intelligence > collecting software. > > trust me, if the government were just open with everyone everyone would be > the winner. > > there are people that are happy to give vulnerabilities, zero-day and > intelligence to the government, and you want to know why? because not > everyone likes everyone, so its within the hackers agenda to give zero-day > to the government which belong to their enemies, to cancel out the enemies > own agenda. > > back in the day when i first began the whole hacking thing, i would backstab > my friends by telling yahoo security team what they were upto and give them > zero-day software, to get patched, this is so, their zero-day were patched > out, but my stuff wasn't. so there are always reasons why the security > community would approach the government if their was a friendly approachable > representaitive in all the major public communties. > > what i want the government to get away from is the impression people have of > them and thats "big bad government with dark security services posing as > normal people in communities", and not just online communities, i mean in > real life as well, they have folks in towns and cities as well, doing > devious undercover general surveillance, but if the government were just > open with folks, things would be a lot easier. > > while full-disclosure is close to being a point of contact to disclose > things, there would be a lot more unearthed if their were human points of > contacts in the major public communities, because a mailing list isn't > always the way people want to contact the government and an online e-mail > form on a website isn't always suitable for the hacker either, hackers want > human interaction with the government over irc, and other forms of real time > communication. > > stop the whole devious government thing, and get open points of contacts > within communities. hackers don't want to use online e-mail forms and > hackers want assurances that they won't become suspects themselves for being > informants to a human cyber security point of contact on mediums such as > internet relay chat. > > so yeah, government, stop the whole hiding away in control centers and > designing sophisticated software, if you actually get humans into > communities to talk with the security communities over current affairs, you > would gather the right kind of intelligence about people and hacks, which is > quality information, that doesn't need intelligence analysts to rub their > heads for hours wondering, "is this a credible threat or is this guy just > joking around". > > the dhs and cert have got the whole public relations thing with the > underground at present all wrong, you need folks like me with a fresh > approach to everything, instead of ramping up a "war on terror" which cannot > be won. all wars begin and end in dialog, so take that into the cyber > security arena and get some friendly nicknames around the internet > communities which are known by the good and bad guys... and you will rake in > the rewards. > > at the moment there is no cyber terrorist threat out there, but that doesn't > mean there always won't be, so its better to get into the underground > security communities in the early on years, so in 5 to 10 or 15 years time > when cyber terrorism is a real threat then you'll know who everyone is in > the major public security communities and you'll have people within those > communities who are approaching you on a daily basis to update you on whats > going on in the security community. > > money isn't needed. while in real life, with drug scene informants, they > want money to inform the government about folks, this isn't the case online, > because its not as dangerous for a member of the public to be devious and > collect intelligence on folks. what i'm suggestiing is i know many folks who > would give free intelligence for no money, just to cancel out their rivals, > and just to generally be helpful because they are bored, than to demand a > certain sum of money for a certain level of importance of intelligence tip > off. > > what i'm suggesting is these open points of contact i want setup would only > be there for folks to volenteer information on a free basis, and anyone > starting to blackmail those point of contacts for cash would simply be > ignored. whats needed is open human points of contact who are approachable > on the basis of certain individuals coming forward to give free > intelligence, not to be a way for that individual to cash in, on the social > circles he is involved in or the zero-day software he has acquired. > > to get back to the beginning, the whole contacting cert and dhs is currently > wrong in relation to the cyber security community, your website sucks, and > its not a friendly and approachable looking site for everyday hackers, > script kids and security professionals to use. the whole dhs/us-cert > badge/logo/graphics etc scare people away. if your site was less big bad > serious government looking, then maybe folks would send you a lot more > voluntary intelligence, but like i've already said, e-mail forms don't > attract the underground, get known nicknames into communities, its the only > way forward if you really want to get ontop of the whole cyber security > scene, now in the early years before real threats start to gather as the > whole cyber terrorism threat is being ramped up for future years. > > stop the whole we're the big bad serious dhs and cert and get your big > government sovereignty logos etc taken off sites which are supposed to be > designed for the underground contacting you. at the moment your the big > scary dhs and cert, it doesn't need to be that way. become friendly and > approachable, become open and honest in underground communities and quit > undercover work and devious befriending for general surveillance and > intelligence gathering. whats wrong, you can have both undercover folks and > have known cyber security contacts in underground communities, whats there > to lose? absolutely nothing. > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists