Date: Tue, 09 Oct 2007 22:44:20 -0400
From: <full-disclosure@...hmail.com>
To: <worriedsecurity@...glemail.com>,<dudevanwinkle@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: If internet goes down out of hours, we're screwed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You missed an apostrophe here:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066452.html


On Tue, 09 Oct 2007 22:06:47 -0400 Dude VanWinkle
<dudevanwinkle@...il.com> wrote:
>I didn't read that book you sent in response to an offhanded remark,
>but I am impressed you learned about paragraphs!
>
>Now, lets focus on capital letters.
>
>-JP<who doesn't want to strain netdev with punctuation just yet, not
>to mention logic and brevity>
>
>On 10/9/07, worried security <worriedsecurity@...glemail.com> wrote:
>> On 10/9/07, Steven Adair <steven@...urityzone.org> wrote:
>> > I think you guys are both mixing up CERT (cert.org) and US-CERT
>> > (us-cert.gov) -- both of which have very different functions. As
>> > mentioned though, you probably wouldn't want to call either if your
>> > Internet goes down.
>> >
>> > Steven
>> >
>> > They both suck though, and it's not clear cut who is responsible for what.
>> The US-CERT vulnerability and incident report procedure sends e-mail to
>> both US-CERT and CERT.
>>
>>
>> Also it was the US-CERT bulletin alert e-mail which had cert@...t.org in it,
>> so those folks who are meant to be running an emergency response team better
>> get their shit together,
>>
>> People want to know where to tell the government about something, and the
>> government should be approachable. lots of folks are scared to contact the
>> government directly about shit, in case it draws attention to them and they
>> end up getting into trouble for something completely different.
>>
>> I also believe the spying and undercover work that goes on on irc channels
>> for example is stupid, and befriending folks to get information on the
>> latest security news is wrong. If there were known government folks on the
>> irc channels and they were open about who they were, the government would
>> gather far more intelligence about hacks than being undercover.
>>
>> Trust me, the government think they need to be undercover to get the best
>> intelligence, but the way I see it, the government would be surprised how
>> many folks come forward in a friendly way if they said, yes i work for cert
>> or the dhs, i'm a cyber security contact if anyone wants to talk to me about
>> anything. the government need to get this whole situation sorted out with
>> tricking and entrapping folks on irc and other places.
>>
>> while i know in some investigation work undercover is the way to go, there
>> is also a need for the government to be more open with the security
>> community when lurking around the underground communities.
>>
>> the government should have a "cyber security contact" in the major public
>> underground irc channels, not the whole big undercover operation the
>> government currently run.
>>
>> plus, i don't believe their keyword data mining uncovers everything the
>> government should know, conversations on the internet by the bad guys are
>> often crafted in a certain way, because they know they are being monitored,
>> now if the government had open points of contact for the underground to talk
>> to, who were friendly approachable people, then the government would do far
>> better in public relations with the computer security community than they do
>> at present.
>>
>> i'm sick of the government as it currently stands, i'm sick of the
>> government and their intelligence services thinking the only way to find out
>> about things is to be undercover and have sophisticated intelligence
>> collecting software.
>>
>> trust me, if the government were just open with everyone everyone would be
>> the winner.
>>
>> there are people that are happy to give vulnerabilities, zero-day and
>> intelligence to the government, and you want to know why? because not
>> everyone likes everyone, so it's within the hacker's agenda to give zero-day
>> to the government which belong to their enemies, to cancel out the enemies'
>> own agenda.
>>
>> back in the day when i first began the whole hacking thing, i would backstab
>> my friends by telling yahoo security team what they were up to and give them
>> zero-day software, to get patched, this is so, their zero-day were patched
>> out, but my stuff wasn't. so there are always reasons why the security
>> community would approach the government if there was a friendly approachable
>> representative in all the major public communities.
>>
>> what i want the government to get away from is the impression people have of
>> them and that's "big bad government with dark security services posing as
>> normal people in communities", and not just online communities, i mean in
>> real life as well, they have folks in towns and cities as well, doing
>> devious undercover general surveillance, but if the government were just
>> open with folks, things would be a lot easier.
>>
>> while full-disclosure is close to being a point of contact to disclose
>> things, there would be a lot more unearthed if there were human points of
>> contacts in the major public communities, because a mailing list isn't
>> always the way people want to contact the government and an online e-mail
>> form on a website isn't always suitable for the hacker either, hackers want
>> human interaction with the government over irc, and other forms of real time
>> communication.
>>
>> stop the whole devious government thing, and get open points of contacts
>> within communities. hackers don't want to use online e-mail forms and
>> hackers want assurances that they won't become suspects themselves for being
>> informants to a human cyber security point of contact on mediums such as
>> internet relay chat.
>>
>> so yeah, government, stop the whole hiding away in control centers and
>> designing sophisticated software, if you actually get humans into
>> communities to talk with the security communities over current affairs, you
>> would gather the right kind of intelligence about people and hacks, which is
>> quality information, that doesn't need intelligence analysts to rub their
>> heads for hours wondering, "is this a credible threat or is this guy just
>> joking around".
>>
>> the dhs and cert have got the whole public relations thing with the
>> underground at present all wrong, you need folks like me with a fresh
>> approach to everything, instead of ramping up a "war on terror" which cannot
>> be won. all wars begin and end in dialog, so take that into the cyber
>> security arena and get some friendly nicknames around the internet
>> communities which are known by the good and bad guys... and you will rake in
>> the rewards.
>>
>> at the moment there is no cyber terrorist threat out there, but that doesn't
>> mean there always won't be, so it's better to get into the underground
>> security communities in the early on years, so in 5 to 10 or 15 years time
>> when cyber terrorism is a real threat then you'll know who everyone is in
>> the major public security communities and you'll have people within those
>> communities who are approaching you on a daily basis to update you on what's
>> going on in the security community.
>>
>> money isn't needed. while in real life, with drug scene informants, they
>> want money to inform the government about folks, this isn't the case online,
>> because it's not as dangerous for a member of the public to be devious and
>> collect intelligence on folks. what i'm suggesting is i know many folks who
>> would give free intelligence for no money, just to cancel out their rivals,
>> and just to generally be helpful because they are bored, than to demand a
>> certain sum of money for a certain level of importance of intelligence tip
>> off.
>>
>> what i'm suggesting is these open points of contact i want setup would only
>> be there for folks to volunteer information on a free basis, and anyone
>> starting to blackmail those point of contacts for cash would simply be
>> ignored. what's needed is open human points of contact who are approachable
>> on the basis of certain individuals coming forward to give free
>> intelligence, not to be a way for that individual to cash in, on the social
>> circles he is involved in or the zero-day software he has acquired.
>>
>> to get back to the beginning, the whole contacting cert and dhs is currently
>> wrong in relation to the cyber security community, your website sucks, and
>> it's not a friendly and approachable looking site for everyday hackers,
>> script kids and security professionals to use. the whole dhs/us-cert
>> badge/logo/graphics etc scare people away. if your site was less big bad
>> serious government looking, then maybe folks would send you a lot more
>> voluntary intelligence, but like i've already said, e-mail forms don't
>> attract the underground, get known nicknames into communities, it's the only
>> way forward if you really want to get on top of the whole cyber security
>> scene, now in the early years before real threats start to gather as the
>> whole cyber terrorism threat is being ramped up for future years.
>>
>> stop the whole we're the big bad serious dhs and cert and get your big
>> government sovereignty logos etc taken off sites which are supposed to be
>> designed for the underground contacting you. at the moment you're the big
>> scary dhs and cert, it doesn't need to be that way. become friendly and
>> approachable, become open and honest in underground communities and quit
>> undercover work and devious befriending for general surveillance and
>> intelligence gathering. what's wrong, you can have both undercover folks and
>> have known cyber security contacts in underground communities, what's there
>> to lose? absolutely nothing.
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

-----END PGP SIGNATURE-----
