lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000701c39a75$64fa9220$050010ac@Estila>
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

Hi Jon,
hahahaha , a good one the joke about helicopters.
i'm not a english speaker , so , sometimes i make mistakes,
ididn't know how to treat with NASA staff and i wrote the pharse that you
said.
it was a mistake , i know , everytime i wanted to help them , it is my
responsability.
but you are wrong saying that the vulnerabilities were old , yes , some of
the security holes are related with known security issues but there are
specific vulnerabilities , look at the report.

but NASA staff hada very good communication with me except they didn't
contacted me after i sent to them the final message providing an eclusive
access code ( for private access ) to the advisory.
i checked again most important security holes and they patched them so i
made the report public.
do you understand ?

ok , thanks a lot of your time suggestions,
and tell me what's the meaning of wumpa-wumpa xD i don't know that
expression.
best regards !
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________
----- Original Message ----- 
From: "Jon Hart" <warchild@...ofed.org>
To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Friday, October 24, 2003 11:14 PM
Subject: Re: [Full-Disclosure] NASA WebSites Multiple Vulnerabilities
ADVISORY opened to public access ( NASA websites Patched )


> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro
wrote:
> > Hello friends,
> > I'm happy and sad in the same time.
> > The NASA websites are patched but they didn't contacted me after i sent
the
> > access instructions to advisories, so,
> > i have now the advisory open and a complete action-mail/advisory log for
> > probe and provide the communication
> > between NASA staff and me.
>
> <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA.  However, I'm not sure I blame them when you use
> language like this:
>
> You have exactly 3 days to patch the systems , full info about the
> vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain.  Using demanding language like this
> simply strikes me as a threat.  Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites.  This is called a penetration test or
> vulnerability test in some circles, and computer crime in others.  One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion.  I certainly would've approached
> this entire situation differently.  Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties.  But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon
>
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ