[Full-Disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
daniel uriah clemens
daniel_clemens at autism.birmingham-infragard.org
Fri Oct 24 18:00:36 BST 2003
If you truly '_cared_' about the security posture they took then why are
you talking about it on a public mailing list?
Sounds like you are trying to validate your self-worth through telling us
all how great it makes you feel when you find out a large government
funded organization has lax security posture.
Are you hoping the media will say something like 'computer whiz kid finds
holes at super secure .gov site'...
What is your motivation for telling the entire world you had problems
getting them to fix their stuff?
Truly being concerned about the security of this type of organization
involves you not validating your own actions by waiting for the response
you get back from them.
On Fri, 24 Oct 2003, Jon Hart wrote:
> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched but they didn't contact me after I sent the
> > access instructions to advisories, so,
> > I now have the advisory open and a complete action-mail/advisory log for
> > probe and provide the communication
> > between NASA staff and me.
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA. However, I'm not sure I blame them when you use
> language like this:
> You have exactly 3 days to patch the systems , full info about the
> vulnerabilities in the report.
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain. Using demanding language like this
> simply strikes me as a threat. Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites. This is called a penetration test or
> vulnerability test in some circles, and computer crime in others. One
> you get paid for, the other you end up doing time for.
> Of course, this is just my opinion. I certainly would've approached
> this entire situation differently. Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties. But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
> Good luck,
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-Daniel Uriah Clemens
Esse quam videri
(to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
Full-Disclosure is hosted and sponsored by Secunia.