Full Disclosure mailing list archives
Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Fri, 24 Oct 2003 23:25:48 +0200
Hi Jon,

hahahaha, a good one, the joke about helicopters.

I'm not an English speaker, so sometimes I make mistakes. I didn't know how to treat with NASA staff and I wrote the phrase that you said. It was a mistake, I know, every time I wanted to help them, it is my responsibility.

But you are wrong saying that the vulnerabilities were old. Yes, some of the security holes are related to known security issues, but there are specific vulnerabilities, look at the report.

But NASA staff had a very good communication with me, except they didn't contact me after I sent to them the final message providing an exclusive access code (for private access) to the advisory. I checked the most important security holes again and they patched them, so I made the report public.

Do you understand?

OK, thanks a lot for your time and suggestions, and tell me what's the meaning of wumpa-wumpa xD I don't know that expression.

Best regards!

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Jon Hart" <warchild () spoofed org>
To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Cc: <full-disclosure () lists netsys com>
Sent: Friday, October 24, 2003 11:14 PM
Subject: Re: [Full-disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:

Hello friends,

I'm happy and sad at the same time. The NASA websites are patched but they didn't contact me after I sent the access instructions to advisories, so, I have now the advisory open and a complete action-mail/advisory log for probe and provide the communication between NASA staff and me.

<snip>

Lorenzo,

I can understand your frustration with not getting full and unwavering cooperation from NASA. However, I'm not sure I blame them when you use language like this:

You have exactly 3 days to patch the systems , full info about the vulnerabilities in the report.

Keep in mind this is NOT a kidnapping or a hostage situation, this is you doing a favor for them by alerting them of potential security issues on sites in the nasa.gov domain. Using demanding language like this simply strikes me as a threat. Threatening companies or even worse, threatening large and powerful governmental bodies, will get you nowhere fast except into a pile of trouble.

Also, recognize that what you are doing is not (necessarily) discovering new vulnerabilities, but rather finding specific cases of old vulnerabilities on NASA's sites. This is called a penetration test or vulnerability test in some circles, and computer crime in others. One you get paid for, the other you end up doing time for.

Of course, this is just my opinion. I certainly would've approached this entire situation differently. Had I decided to disclose this information to NASA, I certainly would've been considerably more professional and thorough about it, and I almost certainly wouldn't have made this information public until I had the full cooperation of concerned parties. But, all this might just be because I like to be able to walk down the street without being tailed by men in black trenchcoats and I like to be able to sleep at night without worrying about hearing the wumpa-wumpa of government/military helicopters over my house at 2am.

Good luck,

-jon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html