Date: Wed, 10 Oct 2007 19:29:03 +0100
From: "worried security" <worriedsecurity@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: If internet goes down out of hours,
	we're screwed

Yahoo have have points of contact in their own yahoo chat community for
years for the underground to contact yahoo security team off the record
about vulnerabilities and intelligence about hackers, so all i was saying it
would be nice if that was more wide spread with "other" vendors, and the
government.

dialog is what its all about, the government should stop the sneaking around
gathering intelligence on people with devious undercover work when its not
always needed to be as cunning.

lots of people would welcome the government having representatives on the
irc channels, because i talk from experience, if it worked on yahoo chat
community, then there is no reason why hackers wouldn't volenteer
intelligence to known nicknames belonging to the intelligence services or
whoever is responsible for collecting information on the cyber security
scene.

and i know it would work because it worked on yahoo.

if yahoo get a tip off, they will in some circumstances approach the
username involved in hacking via yahoo instant messenger or yahoo chat and
ask them about their behaviour, or the hack they've been handing out to
script kids, and you would expect a rude response like "i'm not talking to a
yahoo admin", but thats not what generally happens, what happens is these
hackers are actually flattered they've been contacted via a real time
communication, and are happy to help out with letting yahoo understand the
hack in full.

even the most anti social of folks i've seen on the yahoo scene have reacted
in a friendly manner when approached by employees going into the hacker
communities and asking for further information on hacks.

its something i was impressed with and would like the government to take
that approach in the wild wild irc channels than using undercover work to
befriend when in reality, if the government just approached the folks and
admitted they are there to find out information about a hack or individuals,
they would find folks would be more than willing to share intelligence with
them.

cert, dhs, nsa whoever, get into these irc communities, admit who you are,
where you work, and why you're there and you'll be surpised how friendly
everyone is with you.

not always needed is the sophisticated data mining software and devious
undercover work.

what i'm saying isn't just a fly idea, its actually what yahoo has been
doing for a while. yahoo won't officially confirm this, but they do do what
i said to get information when contacting an individual via e-mail isn't an
option.

they go into communities and announce who they are and why they are there
and get lots of information passed to them with the frank honest approach
than doing sneaky undercover work.

its about time the authorities took a leaf out of yahoo's book when
conducting their cyber security operations on collecting information thats
needed for the mission critical.

yes, "mission critical" is my favorite buzzword right now...

and there are easy ways for the representative to validate they are cert,
dhs, nsa whoever, and not just someone pretending.


On 10/10/07, Dude VanWinkle <dudevanwinkle@...il.com > wrote:
>
> I didn't read that book you sent in response to an offhanded remark,
> but I am impressed you learned about paragraphs!
>
> Now, lets focus on capital letters.
>
> -JP<who doesn't want to strain netdev with punctuation just yet, not
> to mention logic and brevity>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists