Message-ID: <oprewakzo7r3pw7s@smtp.mail.yahoo.com>
From: MichaelBoord at yahoo.co.uk (Michael Boord)
Subject: Explanations about the NASA security issues and confused people

Am I the only one getting annoyed a lil bit
by this Lorenzo Hernandez Garcia-Hierro??

Everyone in favor of +kb raise your hand?





On Sat, 25 Oct 2003 17:28:35 +0200, qobaiashi <qobaiashi@....net> wrote:

> On Saturday, 25 October 2003 00:44, Lorenzo Hernandez
> Garcia-Hierro wrote:
>> Hi all,
>> Some people are a little confused with the NASA related security
>> issues and my advisory,
>> so I'm explaining the confusing things:
>>
>> 1.- Every time, NASA staff knew what I was doing; I sent
>> messages to administrators before doing anything.
>>
>> 2.- John R. Ray of the NASA Competency Center (Information
>> Technologies Security) contacted me to solve the issues.
>>
>> 3.- The report was completely closed to public access while the
>> systems were vulnerable.
>>
>> 4.- I provided an access code to see the advisory for the NASA staff.
>
> leet
>
>> 5.- I was testing the vulnerabilities all the time, and when I found that
>> the most important ones were patched I made the advisory public with
>> some restrictions.
>>
>> 6.- Of course, I wrote a disclaimer that can be found on the main
>> web site and at http://advisories.nsrg-security.com/disclaimer.txt
>>
>> 7.- A mail log that has all the mail exchanged between NASA staff and
>> me (and an action log too, with dates and details) is available at:
>>      http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
>>      So, please, be careful saying that I made it public without
>> contacting the NASA staff first.
>
> pretty cool, man!
>
>> 8.- In the report there is no private information about NASA nor
>> working exploits against important security holes like SQL
>> injections.
>
> very important!
>
>> 9.- Screenshots are modified to remove private URL addresses (like
>> www.nasa.gov portal admin access).
>
> 0day screenshots?
>
>> 10.- Some people were saying that I wanted fame doing it; definitely
>> not. I made it to demonstrate that web security is a real problem
>> and a thing that must be included in the security policies of
>> enterprises.
>
> now I see it's not about fame. naming "NASA" +10 times is just to
> sound... erm,
> trustworthy.
>
>> The next generation of hackers will be able to do damage to servers
>> with only the help of a web navigator; the web browser will be a
>> really dangerous hacking tool, and it is not the future, it is now.
>> Just see the latest advisories about phpnuke, etc.
>>
>
> yeah that's really interesting!
> I've just started writing my new 0day browser with neat phpnuke sploiting
> capability!!
>
>> 11.- The communication between NASA staff and me was completely clear
>> except that I didn't receive a response after I sent a message
>> confirming that the report was finished and they had the access code
>> to see it.
>>
>> CONCLUSIONS
>>
>> It was a completely clear job between NASA staff and me; they were
>> really fast patching (one day) and really fast replying to my first
>> email.
>>
>> The important thing is that NASA staff now know which risks web
>> application security has and how to solve web application security
>> issues.
>
> saint lorenzo!
> and thanks for letting all of us know what you've done!
>
>> Everything in this life has a final meaning; in this case: web
>> security must be treated like other security issues, if not, you are
>> at risk.
>
> clear thing!
>
>> How many times must I rewrite this mail?
>
> we'll see..
>
>> Best regards and thanks to all members of Full-Disclosure,
>



-- 
Michael Boord

http://www.xboxombouw.tk 06-29221787

