Message-ID: <67ea64530710091105r11cb5f3an15b3d6ddaa026c6b@mail.gmail.com>
Date: Tue, 9 Oct 2007 19:05:31 +0100
From: "worried security" <worriedsecurity@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: If internet goes down out of hours, we're screwed
On 10/9/07, Steven Adair <steven@...urityzone.org> wrote:
>
> I think you guys are both mixing up CERT (cert.org) and US-CERT
> (us-cert.gov) -- both of which have very different functions. As
> mentioned though, you probably wouldn't want to call either if your
> Internet goes down.
>
> Steven
>
> They both suck though, and it's not clear cut who is responsible for what.
> The US-CERT vulnerability and incident report procedure sends e-mail to
> both US-CERT and CERT.
Also it was the US-CERT bulletin alert e-mail which had cert@...t.org in it,
so those folks who are meant to be running an emergency response team better
get their shit together.
People want to know where to tell the government about something, and the
government should be approachable. lots of folks are scared to contact the
government directly about shit, in case it draws attention to them and they
end up getting into trouble for something completely different.
I also believe the spying and undercover work that goes on on irc channels
for example is stupid, and befriending folks to get information on the
latest security news is wrong. If there were known government folks on the
irc channels and they were open about who they were, the government would
gather far more intelligence about hacks than being undercover.
Trust me, the government think they need to be undercover to get the best
intelligence, but the way I see it, the government would be surprised how
many folks come forward in a friendly way if they said, yes i work for cert
or the dhs, i'm a cyber security contact if anyone wants to talk to me about
anything. the government need to get this whole situation sorted out with
tricking and entrapping folks on irc and other places.
while i know in some investigation work undercover is the way to go, there
is also a need for the government to be more open with the security
community when lurking around the underground communities.
the government should have a "cyber security contact" in the major public
underground irc channels, not the whole big undercover operation the
government currently run.
plus, i don't believe their keyword data mining uncovers everything the
government should know, conversations on the internet by the bad guys are
often crafted in a certain way, because they know they are being monitored,
now if the government had open points of contact for the underground to talk
to, who were friendly approachable people, then the government would do far
better in public relations with the computer security community than they do
at present.
i'm sick of the government as it currently stands, i'm sick of the
government and their intelligence services thinking the only way to find out
about things is to be undercover and have sophisticated intelligence
collecting software.
trust me, if the government were just open with everyone everyone would be
the winner.
there are people that are happy to give vulnerabilities, zero-day and
intelligence to the government, and you want to know why? because not
everyone likes everyone, so it's within the hacker's agenda to give zero-day
to the government which belong to their enemies, to cancel out the enemies'
own agenda.
back in the day when i first began the whole hacking thing, i would backstab
my friends by telling yahoo security team what they were up to and give them
zero-day software, to get patched, this is so, their zero-day were patched
out, but my stuff wasn't. so there are always reasons why the security
community would approach the government if there was a friendly approachable
representative in all the major public communities.
what i want the government to get away from is the impression people have of
them and that's "big bad government with dark security services posing as
normal people in communities", and not just online communities, i mean in
real life as well, they have folks in towns and cities as well, doing
devious undercover general surveillance, but if the government were just
open with folks, things would be a lot easier.
while full-disclosure is close to being a point of contact to disclose
things, there would be a lot more unearthed if there were human points of
contacts in the major public communities, because a mailing list isn't
always the way people want to contact the government and an online e-mail
form on a website isn't always suitable for the hacker either, hackers want
human interaction with the government over irc, and other forms of real time
communication.
stop the whole devious government thing, and get open points of contacts
within communities. hackers don't want to use online e-mail forms and
hackers want assurances that they won't become suspects themselves for
being informants to a human cyber security point of contact on mediums such
as internet relay chat.
so yeah, government, stop the whole hiding away in control centers and
designing sophisticated software, if you actually get humans into
communities to talk with the security communities over current affairs, you
would gather the right kind of intelligence about people and hacks, which is
quality information, that doesn't need intelligence analysts to rub their
heads for hours wondering, "is this a credible threat or is this guy just
joking around".
the dhs and cert have got the whole public relations thing with the
underground at present all wrong, you need folks like me with a fresh
approach to everything, instead of ramping up a "war on terror" which cannot
be won. all wars begin and end in dialog, so take that into the cyber
security arena and get some friendly nicknames around the internet
communities which are known by the good and bad guys... and you will rake in
the rewards.
at the moment there is no cyber terrorist threat out there, but that doesn't
mean there always won't be, so it's better to get into the underground
security communities in the early on years, so in 5 to 10 or 15 years time
when cyber terrorism is a real threat then you'll know who everyone is in
the major public security communities and you'll have people within those
communities who are approaching you on a daily basis to update you on what's
going on in the security community.
money isn't needed. while in real life, with drug scene informants, they
want money to inform the government about folks, this isn't the case online,
because it's not as dangerous for a member of the public to be devious and
collect intelligence on folks. what i'm suggesting is i know many folks who
would give free intelligence for no money, just to cancel out their rivals,
and just to generally be helpful because they are bored, than to demand a
certain sum of money for a certain level of importance of intelligence tip
off.
what i'm suggesting is these open points of contact i want setup would only
be there for folks to volunteer information on a free basis, and anyone
starting to blackmail those point of contacts for cash would simply be
ignored. what's needed is open human points of contact who are approachable
on the basis of certain individuals coming forward to give free
intelligence, not to be a way for that individual to cash in, on the social
circles he is involved in or the zero-day software he has acquired.
to get back to the beginning, the whole contacting cert and dhs is currently
wrong in relation to the cyber security community, your website sucks, and
it's not a friendly and approachable looking site for everyday hackers,
script kids and security professionals to use. the whole dhs/us-cert
badge/logo/graphics etc scare people away. if your site was less big bad
serious government looking, then maybe folks would send you a lot more
voluntary intelligence, but like i've already said, e-mail forms don't
attract the underground, get known nicknames into communities, it's the only
way forward if you really want to get on top of the whole cyber security
scene, now in the early years before real threats start to gather as the
whole cyber terrorism threat is being ramped up for future years.
stop the whole we're the big bad serious dhs and cert and get your big
government sovereignty logos etc taken off sites which are supposed to be
designed for the underground contacting you. at the moment you're the big
scary dhs and cert, it doesn't need to be that way. become friendly and
approachable, become open and honest in underground communities and quit
undercover work and devious befriending for general surveillance and
intelligence gathering. what's wrong, you can have both undercover folks and
have known cyber security contacts in underground communities, what's there
to lose? absolutely nothing.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/