Re: Operation TIPS - the FEMA response

[KF <dotslash () snosoft com>]

Ever try to call NIPC and have an intelligent "computer security" 
conversation? Don't bother... The 2 times I called to report security 
issues I found it hard to find someone someone to speak to that had 
skill beyond your local whopper flopper at burger king.
-KF



George Imburgia wrote:

> It wasn't quite as bad as a friend expected;
>
> "those people will say you have an infectious disease and lock you up
> forever 20 stories under the nevada desert"
>
> ...but it wasn't nice either.
>
> I called FEMA's technical contact, got voicemail, left my name, phone
> number, stated that it was a security problem with a FEMA web server,
> asked that they return my call and then said my name and phone number
> again.
>
> The next day, they claimed they hadn't contacted me because they didn't
> have my phone number.
>
> After being prodded by the press, they did call and a hostile woman
> identifying herself as being with "FEMA's cybersecurity office" began to
> berate me for talking to the press.
>
> I informed her that I didn't like the tone of the conversation, and did
> not want to continue without assurances that "this won't get ugly". 
>
> We went back and forth over what that meant for a while, and then the
> previously unidentified and unannounced Mr. Schmidt spoke up, identified
> himself as the "head of cybersecurity" and tried to convince me to comply
> with their demands by using the term "federal government computer system"
> a lot.
>
> The term "____ off" comes to mind.
>
> Then the content and underlying code of the site changed.
>
> Now, they are telling people "he has a long history of falsely reporting
> security problems with government computer systems".
>
> Are they claiming that the FBI's windows 3.51 web server was not
> vulnerable to dir?C| and variants in 1999?
>
> Are they claiming that the Dept of Ed. didn't have a world writable ftp
> mirror of their web site? Or did the fact that it took 6 calls, and
> responses like "we don't know what permissions are, we all use Macs
> here" make it a false report?
>
> Are they claiming it was a bad idea to null route the old
> www.whitehouse.gov net block when codered hit? Then why is it still a
> blackhole?
>
> Are they claiming that DG/UX wasn't vulnerable, or that a 3 letter agency
> wasn't running it as a mail server?
>
> Are they claiming a state legislature wasn't running a vulnerable
> configuration of Lotus, their admin confirmed it, and stated he didn't
> know it was accessible from the internet?
>
> Are they claiming a popular DSLAM doesn't have a default password of
> ANS#150 and a firmware backdoor?
>
> Are they claiming that Qwest didn't have variants of "Algiers97" as the
> password on most of their routers as an algerian was attempting to blow up
> Seattle's millenium celebration?
>
> Or maybe they are claiming the login bug I discovered in the 1970's and
> enjoyed for years never existed?
>
> Verizon, Wilshire, Xerox and Comcast are a few of my recent (false?!?)
> reports.
>
> Who has the credibility problem here?
>
>
>
>
> George Imburgia
> Senior Network Security Engineer
> Capitol Networking
> gti () armorfirewall com
>
>
>