
Re: [Full-Disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

Lorenzo,
If you truly '_cared_' about the security posture they took then why are
you talking about it on a public mailing list?

Sounds like you are trying to validate your self-worth by telling us
all how great it makes you feel when you find out a large government-funded
organization has a lax security posture.

Are you hoping the media will say something like 'computer whiz kid finds
holes at super secure .gov site'...?

What is your motivation for telling the entire world you had problems
getting them to fix their stuff ?

Truly being concerned about the security of this type of organization
sometimes involves you not validating your own actions by waiting for the
response you get back from them.

-Dan

On Fri, 24 Oct 2003, Jon Hart wrote:

> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro 
> wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched, but they didn't contact me after I sent the
> > access instructions to advisories, so
> > I have now opened the advisory and a complete action-mail/advisory log to
> > prove and provide the communication
> > between NASA staff and me.
>
> <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA.  However, I'm not sure I blame them when you use
> language like this:
>
>       You have exactly 3 days to patch the systems , full info about the
>       vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain.  Using demanding language like this
> simply strikes me as a threat.  Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites.  This is called a penetration test or
> vulnerability test in some circles, and computer crime in others.  One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion.  I certainly would've approached
> this entire situation differently.  Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties.  But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
