[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031024211449.GA9515@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> Hello friends,
> I'm happy and sad in the same time.
> The NASA websites are patched but they didn't contacted me after i sent the
> access instructions to advisories, so,
> i have now the advisory open and a complete action-mail/advisory log for
> probe and provide the communication
> between NASA staff and me.
<snip>
Lorenzo,
I can understand your frustration with not getting full and unwavering
cooperation from NASA. However, I'm not sure I blame them when you use
language like this:
You have exactly 3 days to patch the systems , full info about the
vulnerabilities in the report.
Keep in mind this is NOT a kidnapping or a hostage situation, this is
you doing a favor for them by alerting them of potential security issues
on sites in the nasa.gov domain. Using demanding language like this
simply strikes me as a threat. Threatening companies or even worse,
threatening large and powerful governmental bodies, will get you nowhere
fast except into a pile of trouble.
Also, recognize that what you are doing is not (necessarily) discovering
new vulnerabilities, but rather finding specific cases of old
vulnerabilities on NASA's sites. This is called a penetration test or
vulnerability test in some circles, and computer crime in others. One
you get paid for, the other you end up doing time for.
Of course, this is just my opinion. I certainly would've approached
this entire situation differently. Had I decided to disclose this
information to NASA, I certainly would've been considerably more
professional and thorough about it, and I almost certainly wouldn't have
made this information public until I had the full cooperation of
concerned parties. But, all this might just be because I like to be
able to walk down the street without being tailed by men in black
trenchcoats and I like to be able to sleep at night without worrying
about hearing the wumpa-wumpa of government/military helicopters over my
house at 2am.
Good luck,
-jon
Powered by blists - more mailing lists