Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

From: daniel uriah clemens <daniel_clemens () autism birmingham-infragard org>
Date: Fri, 24 Oct 2003 17:00:36 +0000 (GMT)

Lorenzo,
If you truly '_cared_' about the security posture they took then why are
you talking about it on a public mailing list?

Sounds like you are trying to validate your self worth through telling us
all how great it makes you feel when you find out a large government
funded organization has lax security posture.

Are you hoping the media will say something like 'computer whiz kid finds
holes at super secure .gov site'...

?

What is your motivation for telling the entire world you had problems
getting them to fix their stuff ?

Truly being concerned about the security of this type of  organization
sometimes
involves you not validating your own actions by waiting for the response
you get back from them.

-Dan

On Fri, 24 Oct 2003, Jon Hart wrote:


On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:

Hello friends,
I'm happy and sad in the same time.
The NASA websites are patched but they didn't contacted me after i sent the
access instructions to advisories, so,
i have now the advisory open and a complete action-mail/advisory log for
probe and provide the communication
between NASA staff and me.


<snip>

Lorenzo,

I can understand your frustration with not getting full and unwavering
cooperation from NASA.  However, I'm not sure I blame them when you use
language like this:

      You have exactly 3 days to patch the systems , full info about the
      vulnerabilities in the report.

Keep in mind this is NOT a kidnapping or a hostage situation, this is
you doing a favor for them by alerting them of potential security issues
on sites in the nasa.gov domain.  Using demanding language like this
simply strikes me as a threat.  Threatening companies or even worse,
threatening large and powerful governmental bodies, will get you nowhere
fast except into a pile of trouble.

Also, recognize that what you are doing is not (necessarily) discovering
new vulnerabilities, but rather finding specific cases of old
vulnerabilities on NASA's sites.  This is called a penetration test or
vulnerability test in some circles, and computer crime in others.  One
you get paid for, the other you end up doing time for.

Of course, this is just my opinion.  I certainly would've approached
this entire situation differently.  Had I decided to disclose this
information to NASA, I certainly would've been considerably more
professional and thorough about it, and I almost certainly wouldn't have
made this information public until I had the full cooperation of
concerned parties.  But, all this might just be because I like to be
able to walk down the street without being tailed by men in black
trenchcoats and I like to be able to sleep at night without worrying
about hearing the wumpa-wumpa of government/military helicopters over my
house at 2am.

Good luck,

-jon


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: