Full Disclosure mailing list archives
Re: If internet goes down out of hours, we're screwed
From: <full-disclosure () hushmail com>
Date: Tue, 09 Oct 2007 22:45:09 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You also missed an apostrophe in this post. On Tue, 09 Oct 2007 22:06:47 -0400 Dude VanWinkle <dudevanwinkle () gmail com> wrote:
I didn't read that book you sent in response to an offhanded remark, but I am impressed you learned about paragraphs! Now, lets focus on capital letters. -JP<who doesn't want to strain netdev with punctuation just yet, not to mention logic and brevity> On 10/9/07, worried security <worriedsecurity () googlemail com> wrote:On 10/9/07, Steven Adair <steven () securityzone org> wrote:I think you guys are both mixing up CERT (cert.org) and US-CERT( us-cert.gov) -- both of which have very different functions.Asmentioned though, you probably wouldn't want to call either ifyourInternet goes down. Steven They both suck though, and its not clear cut who isresponsible for what.The US-CERT vulnerability and incident report proceedure sends e-mail toboth US-CERT and CERT. Also it was the US-CERT bulletin alert e-mail which hadcert () cert org in it,so those folks who are ment to be running an emergency responseteam betterget their shit together, People want to know where to tell the government aboutsomething, and thegovernment should be approachable. lots of folks are scared tocontact thegovernment directly about shit, incase it draws attention tothem and theyend up getting into trouble for something completely different. I also believe the spying and undercover work that goes on onirc channelsfor example is stupid, and befriending folks to get informationon thelatest security news is wrong. If there were known governmentfolks on theirc channels and they were open about who they were, thegovernment wouldgather far more intelligence about hacks than being undercover. Trust me, the government think they need to be undercover to getthe bestintelligence, but the way I see it, the government would besuprised howmany folks come forward in a friendly way if they said, yes iwork for certor the dhs, i'm a cyber security contact if anyone wants to talkto me aboutanything. the government need to get this whole situation sortedout withtricking and entrapping folks on irc and other places. while i know in some investigation work undercover is the way togo, thereis also a need for the government to be more open with thesecuritycommunity when lurking around the underground communities. the government should have a "cyber security contact" in themajor publicunderground irc channels, not the whole big undercover operationthegovernment currently run. plus, i don't believe their keyword data mining uncoverseverything thegovernment should know, conversations on the internet by the badguys areoften crafted in a certain way, because they know they are beingmonitored,now if the government had open points of contact for theunderground to talkto, who were friendly approachable people, then the governmentwould do farbetter in public relations with the computer security communitythan they doat present. i'm sick of the government as it currently stands, i'm sick ofthegovernment and their intelligence services thinking the only wayto find outabout things is to be undercover and have sophisticatedintelligencecollecting software. trust me, if the government were just open with everyoneeveryone would bethe winner. there are people that are happy to give vulnerabilities, zero-day andintelligence to the government, and you want to know why?because noteveryone likes everyone, so its within the hackers agenda togive zero-dayto the government which belong to their enemies, to cancel outthe enemiesown agenda. back in the day when i first began the whole hacking thing, iwould backstabmy friends by telling yahoo security team what they were uptoand give themzero-day software, to get patched, this is so, their zero-daywere patchedout, but my stuff wasn't. so there are always reasons why thesecuritycommunity would approach the government if their was a friendlyapproachablerepresentaitive in all the major public communties. what i want the government to get away from is the impressionpeople have ofthem and thats "big bad government with dark security servicesposing asnormal people in communities", and not just online communities,i mean inreal life as well, they have folks in towns and cities as well,doingdevious undercover general surveillance, but if the governmentwere justopen with folks, things would be a lot easier. while full-disclosure is close to being a point of contact todisclosethings, there would be a lot more unearthed if their were humanpoints ofcontacts in the major public communities, because a mailing listisn'talways the way people want to contact the government and anonline e-mailform on a website isn't always suitable for the hacker either,hackers wanthuman interaction with the government over irc, and other formsof real timecommunication. stop the whole devious government thing, and get open points ofcontactswithin communities. hackers don't want to use online e-mailforms andhackers want assurances that they won't become suspectsthemselves for beinginformants to a human cyber security point of contact on mediumssuch asinternet relay chat. so yeah, government, stop the whole hiding away in controlcenters anddesigning sophisticated software, if you actually get humansintocommunities to talk with the security communities over currentaffairs, youwould gather the right kind of intelligence about people andhacks, which isquality information, that doesn't need intelligence analysts torub theirheads for hours wondering, "is this a credible threat or is thisguy justjoking around". the dhs and cert have got the whole public relations thing withtheunderground at present all wrong, you need folks like me with afreshapproach to everything, instead of ramping up a "war on terror"which cannotbe won. all wars begin and end in dialog, so take that into thecybersecurity arena and get some friendly nicknames around theinternetcommunities which are known by the good and bad guys... and youwill rake inthe rewards. at the moment there is no cyber terrorist threat out there, butthat doesn'tmean there always won't be, so its better to get into theundergroundsecurity communities in the early on years, so in 5 to 10 or 15years timewhen cyber terrorism is a real threat then you'll know whoeveryone is inthe major public security communities and you'll have peoplewithin thosecommunities who are approaching you on a daily basis to updateyou on whatsgoing on in the security community. money isn't needed. while in real life, with drug sceneinformants, theywant money to inform the government about folks, this isn't thecase online,because its not as dangerous for a member of the public to bedevious andcollect intelligence on folks. what i'm suggestiing is i knowmany folks whowould give free intelligence for no money, just to cancel outtheir rivals,and just to generally be helpful because they are bored, than todemand acertain sum of money for a certain level of importance ofintelligence tipoff. what i'm suggesting is these open points of contact i want setupwould onlybe there for folks to volenteer information on a free basis, andanyonestarting to blackmail those point of contacts for cash wouldsimply beignored. whats needed is open human points of contact who areapproachableon the basis of certain individuals coming forward to give free intelligence, not to be a way for that individual to cash in, onthe socialcircles he is involved in or the zero-day software he hasacquired.to get back to the beginning, the whole contacting cert and dhsis currentlywrong in relation to the cyber security community, your websitesucks, andits not a friendly and approachable looking site for everydayhackers,script kids and security professionals to use. the whole dhs/us-certbadge/logo/graphics etc scare people away. if your site was lessbig badserious government looking, then maybe folks would send you alot morevoluntary intelligence, but like i've already said, e-mail formsdon'tattract the underground, get known nicknames into communities,its the onlyway forward if you really want to get ontop of the whole cybersecurityscene, now in the early years before real threats start togather as thewhole cyber terrorism threat is being ramped up for futureyears.stop the whole we're the big bad serious dhs and cert and getyour biggovernment sovereignty logos etc taken off sites which aresupposed to bedesigned for the underground contacting you. at the moment yourthe bigscary dhs and cert, it doesn't need to be that way. becomefriendly andapproachable, become open and honest in underground communitiesand quitundercover work and devious befriending for general surveillanceandintelligence gathering. whats wrong, you can have bothundercover folks andhave known cyber security contacts in underground communities,whats thereto lose? absolutely nothing. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkcMPLUACgkQ+dWaEhErNvQEBQP+OndJqqLfI8vf4asMZslcezLQ6F9A EFaazhNb7pHdEX/rDxe6pH/l5jBinbW4nNGGtJ93SSTh4i/KZ56r+QVKmi57PqTma2mW LNl8dyg+zFPvl/avfSJ4wH2m0Gcp/oKPjadr+5TOkQuML/GbjZeKv81H4tfdb4vvN4zI +sLdl20= =93KD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: If internet goes down out of hours, we're screwed full-disclosure (Oct 09)
- <Possible follow-ups>
- Re: If internet goes down out of hours, we're screwed full-disclosure (Oct 09)
- Re: If internet goes down out of hours, we're screwed Dude VanWinkle (Oct 09)
- Re: If internet goes down out of hours, we're screwed full-disclosure (Oct 10)