Re: If internet goes down out of hours, we're screwed

[<full-disclosure () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You also missed an apostrophe in this post.

On Tue, 09 Oct 2007 22:06:47 -0400 Dude VanWinkle
<dudevanwinkle () gmail com> wrote:
> I didn't read that book you sent in response to an offhanded
> remark,
> but I am impressed you learned about paragraphs!
>
> Now, lets focus on capital letters.
>
> -JP<who doesn't want to strain netdev with punctuation just yet,
> not
> to mention logic and brevity>
>
> On 10/9/07, worried security <worriedsecurity () googlemail com>
> wrote:
> > On 10/9/07, Steven Adair <steven () securityzone org> wrote:
> > > I think you guys are both mixing up CERT (cert.org) and US-
> CERT
> > > ( us-cert.gov) -- both of which have very different functions.
> As
> > > mentioned though, you probably wouldn't want to call either if
> your
> > > Internet goes down.
> > >
> > > Steven
> > >
> > > They both suck though, and its not clear cut who is
> responsible for what.
> > The US-CERT vulnerability and incident report proceedure sends e-
> mail to
> > both US-CERT and CERT.
> >
> >
> > Also it was the US-CERT bulletin alert e-mail which had
> cert () cert org in it,
> > so those folks who are ment to be running an emergency response
> team better
> > get their shit together,
> >
> > People want to know where to tell the government about
> something, and the
> > government should be approachable. lots of folks are scared to
> contact the
> > government directly about shit, incase it draws attention to
> them and they
> > end up getting into trouble for something completely different.
> >
> > I also believe the spying and undercover work that goes on on
> irc channels
> > for example is stupid, and befriending folks to get information
> on the
> > latest security news is wrong. If there were known government
> folks on the
> > irc channels and they were open about who they were, the
> government would
> > gather far more intelligence about hacks than being undercover.
> >
> > Trust me, the government think they need to be undercover to get
> the best
> > intelligence, but the way I see it, the government would be
> suprised how
> > many folks come forward in a friendly way if they said, yes i
> work for cert
> > or the dhs, i'm a cyber security contact if anyone wants to talk
> to me about
> > anything. the government need to get this whole situation sorted
> out with
> > tricking and entrapping folks on irc and other places.
> >
> > while i know in some investigation work undercover is the way to
> go, there
> > is also a need for the government to be more open with the
> security
> > community when lurking around the underground communities.
> >
> > the government should have a "cyber security contact" in the
> major public
> > underground irc channels, not the whole big undercover operation
> the
> > government currently run.
> >
> > plus, i don't believe their keyword data mining uncovers
> everything the
> > government should know, conversations on the internet by the bad
> guys are
> > often crafted in a certain way, because they know they are being
> monitored,
> > now if the government had open points of contact for the
> underground to talk
> > to, who were friendly approachable people, then the government
> would do far
> > better in public relations with the computer security community
> than they do
> > at present.
> >
> > i'm sick of the government as it currently stands, i'm sick of
> the
> > government and their intelligence services thinking the only way
> to find out
> > about things is to be undercover and have sophisticated
> intelligence
> > collecting software.
> >
> > trust me, if the government were just open with everyone
> everyone would be
> > the winner.
> >
> > there are people that are happy to give vulnerabilities, zero-
> day and
> > intelligence to the government, and you want to know why?
> because not
> > everyone likes everyone, so its within the hackers agenda to
> give zero-day
> > to the government which belong to their enemies, to cancel out
> the enemies
> > own agenda.
> >
> > back in the day when i first began the whole hacking thing, i
> would backstab
> > my friends by telling yahoo security team what they were upto
> and give them
> > zero-day software, to get patched, this is so, their zero-day
> were patched
> > out, but my stuff wasn't. so there are always reasons why the
> security
> > community would approach the government if their was a friendly
> approachable
> > representaitive in all the major public communties.
> >
> > what i want the government to get away from is the impression
> people have of
> > them and thats "big bad government with dark security services
> posing as
> > normal people in communities", and not just online communities,
> i mean in
> > real life as well, they have folks in towns and cities as well,
> doing
> > devious undercover general surveillance, but if the government
> were just
> > open with folks, things would be a lot easier.
> >
> > while full-disclosure is close to being a point of contact to
> disclose
> > things, there would be a lot more unearthed if their were human
> points of
> > contacts in the major public communities, because a mailing list
> isn't
> > always the way people want to contact the government and an
> online e-mail
> > form on a website isn't always suitable for the hacker either,
> hackers want
> > human interaction with the government over irc, and other forms
> of real time
> > communication.
> >
> > stop the whole devious government thing, and get open points of
> contacts
> > within communities. hackers don't want to use online e-mail
> forms and
> > hackers want assurances that they won't become suspects
> themselves for being
> > informants to a human cyber security point of contact on mediums
> such as
> > internet relay chat.
> >
> > so yeah, government, stop the whole hiding away in control
> centers and
> > designing sophisticated software, if you actually get humans
> into
> > communities to talk with the security communities over current
> affairs, you
> > would gather the right kind of intelligence about people and
> hacks, which is
> > quality information, that doesn't need intelligence analysts to
> rub their
> > heads for hours wondering, "is this a credible threat or is this
> guy just
> > joking around".
> >
> > the dhs and cert have got the whole public relations thing with
> the
> > underground at present all wrong, you need folks like me with a
> fresh
> > approach to everything, instead of ramping up a "war on terror"
> which cannot
> > be won. all wars begin and end in dialog, so take that into the
> cyber
> > security arena and get some friendly nicknames around the
> internet
> > communities which are known by the good and bad guys... and you
> will rake in
> > the rewards.
> >
> > at the moment there is no cyber terrorist threat out there, but
> that doesn't
> > mean there always won't be, so its better to get into the
> underground
> > security communities in the early on years, so in 5 to 10 or 15
> years time
> > when cyber terrorism is a real threat then you'll know who
> everyone is in
> > the major public security communities and you'll have people
> within those
> > communities who are approaching you on a daily basis to update
> you on whats
> > going on in the security community.
> >
> > money isn't needed. while in real life, with drug scene
> informants, they
> > want money to inform the government about folks, this isn't the
> case online,
> > because its not as dangerous for a member of the public to be
> devious and
> > collect intelligence on folks. what i'm suggestiing is i know
> many folks who
> > would give free intelligence for no money, just to cancel out
> their rivals,
> > and just to generally be helpful because they are bored, than to
> demand a
> > certain sum of money for a certain level of importance of
> intelligence tip
> > off.
> >
> > what i'm suggesting is these open points of contact i want setup
> would only
> > be there for folks to volenteer information on a free basis, and
> anyone
> > starting to blackmail those point of contacts for cash would
> simply be
> > ignored. whats needed is open human points of contact who are
> approachable
> > on the basis of certain individuals coming forward to give free
> > intelligence, not to be a way for that individual to cash in, on
> the social
> > circles he is involved in or the zero-day software he has
> acquired.
> > to get back to the beginning, the whole contacting cert and dhs
> is currently
> > wrong in relation to the cyber security community, your website
> sucks, and
> > its not a friendly and approachable looking site for everyday
> hackers,
> > script kids and security professionals to use. the whole dhs/us-
> cert
> > badge/logo/graphics etc scare people away. if your site was less
> big bad
> > serious government looking, then maybe folks would send you a
> lot more
> > voluntary intelligence, but like i've already said, e-mail forms
> don't
> > attract the underground, get known nicknames into communities,
> its the only
> > way forward if you really want to get ontop of the whole cyber
> security
> > scene, now in the early years before real threats start to
> gather as the
> > whole cyber terrorism threat is being ramped up for future
> years.
> > stop the whole we're the big bad serious dhs and cert and get
> your big
> > government sovereignty logos etc taken off sites which are
> supposed to be
> > designed for the underground contacting you. at the moment your
> the big
> > scary dhs and cert, it doesn't need to be that way. become
> friendly and
> > approachable, become open and honest in underground communities
> and quit
> > undercover work and devious befriending for general surveillance
> and
> > intelligence gathering. whats wrong, you can have both
> undercover folks and
> > have known cyber security contacts in underground communities,
> whats there
> > to lose? absolutely nothing.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcMPLUACgkQ+dWaEhErNvQEBQP+OndJqqLfI8vf4asMZslcezLQ6F9A
EFaazhNb7pHdEX/rDxe6pH/l5jBinbW4nNGGtJ93SSTh4i/KZ56r+QVKmi57PqTma2mW
LNl8dyg+zFPvl/avfSJ4wH2m0Gcp/oKPjadr+5TOkQuML/GbjZeKv81H4tfdb4vvN4zI
+sLdl20=
=93KD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/