Full Disclosure mailing list archives
for the record... (Tru64 / Compaq)
From: full-disclosure () lists netsys com (KF)
Date: Wed, 31 Jul 2002 20:01:07 -0700
I can't seem to get this to bugtraq ... darn mime types keep barking at me... someone wanna forward it.

-KF

----- Original Message -----
From: KF
To: full-disclosure () lists netsys com ; bugtraq () securityfocus com ; recon () snosoft com
Sent: Wednesday, July 31, 2002 7:42 PM
Subject: [Full-disclosure] for the record... (Tru64 / Compaq)

http://www.msnbc.com/news/788216.asp?0dm=T14JT

Clarke cautioned that hackers should be responsible in reporting programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon.

------------------------------------

For the record... we contacted HP (at the time Compaq), and CERT several times. I attached the original version of our su exploit (not the one that phased leaked) to NIPC and to CERT BOTH. We received an extremely long delay at CERT before they even responded. At that point I called CERT 2 times to see what the heck was going on and eventually I established contact (Ian Finley). I also mailed nipc.watch () nipc gov or whatever the email address on their page was. They didn't mail back ... no auto responder or nothing. (I mailed them back weeks later and said I was shocked that I got no response and still got nothing back). I then called the NIPC hotline 3 times. The first 2 times I called I spoke to someone that should have been flopping whoppers "uhhhh a non-executable computer security what... let me send you to so and so's voicemail". Then I called back a week later and gave them the CERT vu numbers (after CERT finally responded). I left my cell phone number on someone's voicemail again at NIPC... no one called me back.

I deeply regret the fact that one of my team members plagiarized another and leaked some code but my god people WE TRIED to give SEVERAL people a heads up!

-KF