Message-ID: <NHBBLDDODAGPHHEBLBPMKECCCJAA.m0rtis@adelphia.net>
From: m0rtis at adelphia.net (Mortis)
Subject: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

> I'm happy and sad at the same time.
> The NASA websites are patched but they didn't
> contact me after I sent the
> access instructions to advisories, so,

Poor Lorenzo.  You're sad about how NASA treated you?
You'll be more depressed when you're sitting in a cell next
to Lame-o.  I should start a calendar pool for how long it will
take you to get into trouble with your new hacking hobby.

Did anyone ever tell you it is rude to run a nessus scan
against someone else's machine and publish it to the whole
wide world?  It is.  Trust Mortis.  The word stupid comes to
mind, although I'm sure immature is more proper this time.
Would you like it if I started probing you like that?  I
think not.

I don't see a national emergency in the faults you
published, either.  Maybe I'm just being a mormon^h^h^hon
again.  It happens.  Did you think up something valuable you
could do with these vulnerabilities?  Please tell us.  Scare
us good - here's your chance.

No one seemed to point out that you're playing with an
informational site hosted by Speedera networks.  That's
about how Mortis sees it.  Almost nothing at all to do with
NASA except the bill at the end of the month.

You could rmfr the site and they would restore it from a
backup.  No one would care too much if it was down.  You
could mess with my home page settings and the first/last
name that I entered.  Ouch.

You could break into the weak ssh daemon and 0wn Speedera.
That's a whole different story.  You didn't point that out,
but it was more interesting than the rest of the discussion.
Thanks for the tip.

I guess with the xss and db issues you could cause a
national media frenzy by announcing a shuttle crash or
something.  Mortis sees this as being entertaining.  Not
scary.  The media needs a wake-up call once in a while.
Right, Dick?

I wish you had injected a fake article on the site telling us
about your trip to Saturn.  Complete with nudie pictures of
the aliens.  And DING-DING.  That would have been elite.
Well, maybe not elite, but at least funny.

Were you trying to impress me because you found fault with
NASA?  I would be a lot more impressed if you published a
sploit for the recent openssh bugs or a new IIS remote
control hook.  Not only is it more respectable work, but you
can do it in the lab without getting yourself in trouble.

ObFD:

NASA facts from a vendor perspective:
* Some of the people are really bright.  Some of them are
not.  Just like where you work.
* Any intelligent dumpster diver could figure his way past
the main gate.  I wouldn't recommend it - but you could.
* Vendors could get more access than is appropriate (left
alone, root on boxen).
* Was able to bypass security procedures to get the job done
(ip/network restrictions...)
* I'm surprised they updated the site without a month of
code review.
--
As a mad man who casteth firebrands, arrows, and death,
Mortis

P.S.  Since you gave us hints for your game, here's a hint
for you.  People would never use the same password in more
than one place, would they?
