Full Disclosure mailing list archives
Re: Explanations about the NASA security issues and confused people
From: qobaiashi <qobaiashi () gmx net>
Date: Sat, 25 Oct 2003 17:28:35 +0200
On Saturday, 25 October 2003 00:44, Lorenzo Hernandez Garcia-Hierro wrote:
> Hi all,
> Some people are a little confused with the NASA related security issues and my advisory, so I'm explaining the confusing things:
> 1.- NASA staff knew at all times what I was doing; I sent messages to administrators before doing anything.
> 2.- John R. Ray of the NASA Competency Center (Information Technologies Security) contacted me to solve the issues.
> 3.- The report was completely closed to public access while the systems were vulnerable.
> 4.- I provided an access code to the NASA staff to see the advisory.
leet
> 5.- I was testing the vulnerabilities all the time, and when I found that the most important ones were patched I made the advisory public with some restrictions.
> 6.- Of course, I wrote a disclaimer that can be found on the main web site and at http://advisories.nsrg-security.com/disclaimer.txt
> 7.- A mail log that has all the exchanged mail between NASA staff and me (and an action log too, with dates and details) is available at: http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
> So, please, be careful saying that I made it public without contacting the NASA staff first.
pretty cool, man!
> 8.- In the report there is no private information about NASA, nor working exploits against important security holes like SQL injections.
very important!
> 9.- Screenshots are modified to remove private URL addresses (like the www.nasa.gov portal admin access).
0day screenshots?
> 10.- Some people were saying that I wanted fame by doing it; definitely not. I did it to demonstrate that web security is a real problem and a thing that must be included in the security policies of enterprises.
now I see it's not about fame. Naming "NASA" 10+ times is just to sound... erm, trustworthy.
> The next generation of hackers will be able to do damage against servers with the only help of a web navigator; the web browser will be a really dangerous hacking tool, and it is not the future, it is now. Just see the last advisories about phpnuke, etc.
yeah, that's really interesting! I've just started writing my new 0day browser with neat phpnuke sploiting capability!!
> 11.- The communication between NASA staff and me was completely clear, except that I didn't receive a response after I sent a message confirming that the report was finished and they had the access code to see it.
>
> CONCLUSIONS
> It was a completely clear job between NASA staff and me; they were really fast patching (one day) and really fast replying to my first email. The important thing is that NASA staff now knows which risks web application security carries and how to solve web application security issues.
Saint Lorenzo! And thanks for letting all of us know what you've done!
> Everything in this life has a final meaning; in this case: web security must be treated like other security issues, if not, you are at risk.
clear thing!
> How many times must I rewrite this mail?
we'll see..
> Best regards and thanks to all members of Full-Disclosure,
--
-q/UNF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Explanations about the NASA security issues and confused people Lorenzo Hernandez Garcia-Hierro (Oct 24)
- Re: Explanations about the NASA security issues and confused people qobaiashi (Oct 25)
- Re: Explanations about the NASA security issues and confused people Michael Boord (Oct 26)
- Re: Explanations about the NASA security issues and confused people qobaiashi (Oct 25)