Message-ID: <20031024211449.GA9515@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> Hello friends,
> I'm happy and sad at the same time.
> The NASA websites are patched but they didn't contact me after I sent the
> access instructions to advisories, so,
> I have now the advisory open and a complete action-mail/advisory log for
> probe and provide the communication
> between NASA staff and me.

<snip>

Lorenzo,

I can understand your frustration with not getting full and unwavering
cooperation from NASA.  However, I'm not sure I blame them when you use
language like this:

	You have exactly 3 days to patch the systems, full info about the
	vulnerabilities in the report.

Keep in mind this is NOT a kidnapping or a hostage situation, this is
you doing a favor for them by alerting them of potential security issues
on sites in the nasa.gov domain.  Using demanding language like this
simply strikes me as a threat.  Threatening companies or even worse,
threatening large and powerful governmental bodies, will get you nowhere
fast except into a pile of trouble.

Also, recognize that what you are doing is not (necessarily) discovering
new vulnerabilities, but rather finding specific cases of old
vulnerabilities on NASA's sites.  This is called a penetration test or
vulnerability test in some circles, and computer crime in others.  One
you get paid for, the other you end up doing time for.

Of course, this is just my opinion.  I certainly would've approached
this entire situation differently.  Had I decided to disclose this
information to NASA, I certainly would've been considerably more
professional and thorough about it, and I almost certainly wouldn't have
made this information public until I had the full cooperation of
concerned parties.  But, all this might just be because I like to be
able to walk down the street without being tailed by men in black
trenchcoats and I like to be able to sleep at night without worrying
about hearing the wumpa-wumpa of government/military helicopters over my
house at 2am.

Good luck,

-jon
