[Full-Disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
Lorenzo Hernandez Garcia-Hierro
lorenzohgh at nsrg-security.com
Fri Oct 24 22:25:48 BST 2003
hahahaha, a good one, the joke about helicopters.
I'm not an English speaker, so sometimes I make mistakes,
I didn't know how to deal with NASA staff and I wrote the phrase that you
it was a mistake, I know, every time I wanted to help them, it is my
but you are wrong saying that the vulnerabilities were old; yes, some of
the security holes are related to known security issues, but there are
specific vulnerabilities, look at the report.
But NASA staff had a very good communication with me, except they didn't
contact me after I sent them the final message providing an exclusive
access code (for private access) to the advisory.
I checked the most important security holes again and they had patched them, so I
made the report public.
Do you understand?
OK, thanks a lot for your time and suggestions,
and tell me what the meaning of wumpa-wumpa is xD, I don't know that.
Best regards!
0x00->Lorenzo Hernandez Garcia-Hierro
0x02->The truth is out there,
0x03-> outside your mind .
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
----- Original Message -----
From: "Jon Hart" <warchild at spoofed.org>
To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh at nsrg-security.com>
Cc: <full-disclosure at lists.netsys.com>
Sent: Friday, October 24, 2003 11:14 PM
Subject: Re: [Full-Disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched, but they didn't contact me after I sent
> > access instructions to the advisories, so
> > I now have the advisory open and a complete action-mail/advisory log to
> > prove and provide the communication
> > between NASA staff and me.
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA. However, I'm not sure I blame them when you use
> language like this:
> You have exactly 3 days to patch the systems , full info about the
> vulnerabilities in the report.
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain. Using demanding language like this
> simply strikes me as a threat. Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites. This is called a penetration test or
> vulnerability test in some circles, and computer crime in others. One
> you get paid for, the other you end up doing time for.
> Of course, this is just my opinion. I certainly would've approached
> this entire situation differently. Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties. But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
> Good luck,
Full-Disclosure is hosted and sponsored by Secunia.