Full Disclosure mailing list archives
RE: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
From: "Mortis" <m0rtis () adelphia net>
Date: Mon, 27 Oct 2003 02:20:26 -0500
I'm happy and sad at the same time. The NASA websites are patched but they didn't contact me after I sent the access instructions to advisories, so,
Poor Lorenzo. You're sad about how NASA treated you? You'll be more depressed when you're sitting in a cell next to Lame-o. I should start a colander pool for how long it will take you to get into trouble with your new hacking hobby. Did anyone ever tell you it is rude to run a nessus scan against someone else's machine and publish it to the whole wide world? It is. Trust Mortis. The word stupid comes to mind, although I'm sure immature is more proper this time. Would you like it if I started probing you like that? I think not.

I don't see a national emergency in the faults you published, either. Maybe I'm just being a mormon^h^h^hon again. It happens. Did you think up something valuable you could do with these vulnerabilities? Please tell us. Scare us good - here's your chance.

No one seemed to point out that you're playing with an informational site hosted by Speedera networks. That's about how Mortis sees it. Almost nothing at all to do with NASA except the bill at the end of the month. You could rmfr the site and they would restore it from a backup. No one would care too much if it was down. You could mess with my home page settings and the first/last name that I entered. Ouch. You could break into the weak ssh daemon and 0wn Speedera. That's a whole different story. You didn't point that out, but it was more interesting than the rest of the discussion. Thanks for the tip.

I guess with the xss and db issues you could cause a national media frenzy by announcing a shuttle crash or something. Mortis sees this as being entertaining. Not scary. The media needs a wake-up call once in a while. Right, Dick? I wish you injected a fake article on the site telling us about your trip to Saturn. Complete with nudie pictures of the aliens. And DING-DING. That would have been elite. Well, maybe not elite, but at least funny.

Were you trying to impress me because you found fault with NASA? I would be a lot more impressed if you published a sploit for the recent openssh bugs or a new IIS remote control hook. Not only is it more respectable work, but you can do it in the lab without getting yourself in trouble.

ObFD: NASA facts from a vendor perspective:

* Some of the people are really bright. Some of them are not. Just like where you work.
* Any intelligent dumpster diver could figure his way past the main gate. I wouldn't recommend it - but you could.
* Vendors could get more access than is appropriate (left alone, root on boxen).
* Was able to bypass security procedures to get the job done (ip/network restrictions...)
* I'm surprised they updated the site without a month of code review.

--
As a mad man who casteth firebrands, arrows, and death,
Mortis

P.S. Since you gave us hints for your game, here's a hint for you. People would never use the same password in more than one place, would they?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html