Vulnerability Development mailing list archives

RE: Operation TIPS - the FEMA response


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Tue, 30 Jul 2002 13:27:32 -0400

I've had conversations with FBI field office staff assigned to NIPC.  Each time I've spoken with someone that had a 
clue.  I was actually expecting what you describe below, but was pleasantly surprised.  Maybe the central co-ordination 
center is staffed with less-than-optimal folks, but the field folks (in my experience)  seem to be clued-up.  Note 
however, that my contact has been with a small group of folks out of one field office.  Maybe I just got lucky.  Maybe 
it's a case of bureaucrats in technical positions, while the real techies are out in the field.  Who knows.  Maybe duck 
below the middle management and make your reports to field folks.  Maybe that'll land you in jail.  I think I'd prefer 
to not deal with them except when absolutely necessary from an investigative standpoint.


-----Original Message-----
From: KF [mailto:dotslash () snosoft com]
Sent: Tuesday, July 30, 2002 9:41 AM
To: vuln-dev () securityfocus com
Subject: Re: Operation TIPS - the FEMA response


Ever try to call NIPC and have an intelligent "computer security" 
conversation? Don't bother... The 2 times I called to report security 
issues I found it hard to find someone to speak to that had 
skill beyond your local whopper flopper at Burger King.
-KF



George Imburgia wrote:

It wasn't quite as bad as a friend expected;

"those people will say you have an infectious disease and lock you up
forever 20 stories under the nevada desert"

...but it wasn't nice either.

I called FEMA's technical contact, got voicemail, left my name, phone
number, stated that it was a security problem with a FEMA web server,
asked that they return my call and then said my name and phone number
again.

The next day, they claimed they hadn't contacted me because they didn't
have my phone number.

After being prodded by the press, they did call and a hostile woman
identifying herself as being with "FEMA's cybersecurity office" began to
berate me for talking to the press.

I informed her that I didn't like the tone of the conversation, and did
not want to continue without assurances that "this won't get ugly".

We went back and forth over what that meant for a while, and then the
previously unidentified and unannounced Mr. Schmidt spoke up, identified
himself as the "head of cybersecurity" and tried to convince me to comply
with their demands by using the term "federal government computer system"
a lot.

The term "____ off" comes to mind.

Then the content and underlying code of the site changed.

Now, they are telling people "he has a long history of falsely reporting
security problems with government computer systems".

Are they claiming that the FBI's windows 3.51 web server was not
vulnerable to dir?C| and variants in 1999?

Are they claiming that the Dept of Ed. didn't have a world writable ftp
mirror of their web site? Or did the fact that it took 6 calls, and
responses like "we don't know what permissions are, we all use Macs
here" make it a false report?

Are they claiming it was a bad idea to null route the old
www.whitehouse.gov net block when codered hit? Then why is it still a
blackhole?

Are they claiming that DG/UX wasn't vulnerable, or that a 3 letter agency
wasn't running it as a mail server?

Are they claiming a state legislature wasn't running a vulnerable
configuration of Lotus, their admin confirmed it, and stated he didn't
know it was accessible from the internet?

Are they claiming a popular DSLAM doesn't have a default password of
ANS#150 and a firmware backdoor?

Are they claiming that Qwest didn't have variants of "Algiers97" as the
password on most of their routers as an Algerian was attempting to blow up
Seattle's millennium celebration?

Or maybe they are claiming the login bug I discovered in the 1970's and
enjoyed for years never existed?

Verizon, Wilshire, Xerox and Comcast are a few of my recent (false?!?)
reports.

Who has the credibility problem here?




George Imburgia
Senior Network Security Engineer
Capitol Networking
gti () armorfirewall com


 






