| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: MichaelBoord at yahoo.co.uk (Michael Boord) Subject: Explanations about the NASA security issues and confused people Am i the only one getting annoyed a lil bit by this Lorenzo Hernandez Garcia-Hierro?? Everyone in favor of +kb raise your hand? On Sat, 25 Oct 2003 17:28:35 +0200, qobaiashi <qobaiashi@....net> wrote: > Am Samstag, 25. Oktober 2003 00:44 schrieb Lorenzo Hernandez > Garcia-Hierro: >> Hi all, >> Some people is a little confused with the NASA related security >> issues and my advisory, >> so i'm explaining the confusing things: >> >> 1.- Every time NASA staff was knowing what i was doing , i sent >> messages to administrators before doing anything. >> >> 2.- John R. Ray of the NASA Competency Center ( Information >> Technologies Security ) contacted me for solve the issues. >> >> 3.- The report was completely closed to public access when the >> systems were vulnerable >> >> 4.- I provided an accesscode to see the advisory for the NASA staff. > > leet > >> 5.- I was everytime testing the vulnerabilities and when i found that >> the most important were patched i make public with some restrictions >> the advisory. >> >> 6.- Of course , i wrote a disclaimer that can be found in the main >> web site and http://advisories.nsrg-security.com/disclaimer.txt >> >> 7.- A mail log that has all the exchanged mail between NASA staff and >> me ( and action log too with dates and details ) is available at: >> http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt >> So ,please , be careful saying that i made it public without >> contacting before the NASA staff. > > pretty cool, man! > >> 8.- In the report there is no private information about NASA nor >> working exploits against important security holes like sql >> injections. > > multo importante! > >> 9.- ScreenShots are modified for remove private url addresses ( like >> www.nasa.gov portal admin access ) > > 0day screenshots? > >> 10.- Some people was saying that i wanted fame doing it , definately >> not , i made it for demostrate that web security is a real problem >> and a thing that must be included in security policies of the >> enterprises. > > now i see it's not about fame. naming "NASA" +10 times is just to > sound...erm > trustworthy. > >> The next generation of hackers will can make damage against servers >> with the only help of a web navigator, the web browser will be a >> really dangerous hacking tool, and it is not the future , it is now , >> just see last advisories about phpnuke , etc >> > > yeah that's realy interesting! > i've just started writing my new 0day browser with neat phpnuke sploiting > capability!! > >> 11.- The communication between NASA staff and me was completely clear >> except that i didn't received response after i sent a message >> confirmand that the report was finished an they had the access code >> to see it. >> >> CONCLUSIONS >> >> It was a completely clear job between NASA staff and me , they were >> really fast patching ( one day ) and really fast replying my first >> email. >> >> The important thing is that NASA staff knows now wich risk has web >> applications security and how to solve web application securiuty >> issues. > > saint lorenzo! > and thanks for letting all of us know what you've done! > >> Everything in this life has a final mean , in this case : web >> security must be treated as other security issues , if not , you are >> in risk > > clear thing! > >> How much times i must rewrite this mail ? > > we'll see.. > >> Best regards and thanks to all members of Ful-Disclosure, > -- Michael Boord http://www.xboxombouw.tk 06-29221787
Powered by blists - more mailing lists