Penetration Testing mailing list archives
Re: Default Admin Account
From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 10 Feb 2009 15:21:45 -0600
On Fri, 06 Feb 2009, M.D.Mufambisi wrote:
> I do agree with Scott. The young fellow did commit a crime. Curiosity is not an excuse. However, having said that, someone at the military should be held accountable for such poor security practice. Someone did not do their job correctly considering the sensitive info the military deal with. Whilst the young man should be charged for unauthorised access to computer systems, someone at the military security should be charged with negligence.
>
> Regards,
> Munyaradzi Mufambisi
Going off topic (this entire thread), so hopefully we can have some more serious discussion. So this will be my last two cents on this...

1) How do you know it wasn't the responsibility of an outsourced contractor (deployment of the machine)?
2) How do you know these weren't merely honeypots?
3) Apparently you've not heard about the mechanisms of government and the bureaucracy involved with making such moves, where it's not always going to be up to the "military security".

I'll iterate briefly what I recall from a recent discussion I had with someone @ a higher agency... Went something like this:

"We'd go in to perform duty-x in the military. While we may have been explicitly told not to surf the net, we implicitly understood we could. I mean, if they didn't want us surfing, disconnect the machine. It was in the middle of nowhere solely because the CSM needed something to do whenever he was around. Who was I to go up my rank and call out my CSM?"

There are plenty of reasons that a machine might not be taken out of the loop (network) for whatever reason. It is not an invitation to break in, but again - leaving your apartment door open and expecting the world to be as *morally full of ethics* as most have rambled on about is outright dumb and borderline criminal. So much so, negligent.

Also, the assumption that NIPR/SIPR/RIPR information traverses some of these publicly accessible machines is debatable. Makes for good budgeting requests, but horrible real world scenarios. If anyone claimed it to be so (OMFG they stole uberNIPR secrets), I say nonsense. If they did, heads would fly from all sorts of posts. So many, in fact, that these job cuts would seem like small fries for the amount of servers compromised by someone like \\st0rm\\ during the late 90's (OMG! No he didn't!).

Anyhow, enough rambling on this. I thought it was pentesting, not "Days Oph 0ur 90's l1v3s!"

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Current thread:
- Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 03)
- RE: Default Admin Account Prodigi Child (Feb 05)
- Re: Default Admin Account J. Oquendo (Feb 09)
- RE: Default Admin Account Prodigi Child (Feb 10)
- Re: Default Admin Account David Howe (Feb 11)
- Re: Default Admin Account J. Oquendo (Feb 09)
- Message not available
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 05)
- Re: Default Admin Account Paul Slade (Feb 10)
- RE: Default Admin Account Levenglick, Jeff (Feb 10)
- Re: Default Admin Account R. DuFresne (Feb 10)
- Re: Default Admin Account M.D.Mufambisi (Feb 10)
- Re: Default Admin Account J. Oquendo (Feb 11)
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 11)
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 05)
- Re: Default Admin Account pand0ra (Feb 11)
- RE: Default Admin Account Prodigi Child (Feb 05)
- <Possible follow-ups>
- RE: Default Admin Account jay . tomas (Feb 10)