You missed an apostrophe here:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066452.html

On Tue, 09 Oct 2007 22:06:47 -0400 Dude VanWinkle <[EMAIL PROTECTED]> wrote:
>I didn't read that book you sent in response to an offhanded remark,
>but I am impressed you learned about paragraphs!
>
>Now, lets focus on capital letters.
>
>-JP<who doesn't want to strain netdev with punctuation just yet, not
>to mention logic and brevity>
>
>On 10/9/07, worried security <[EMAIL PROTECTED]> wrote:
>> On 10/9/07, Steven Adair <[EMAIL PROTECTED]> wrote:
>> > I think you guys are both mixing up CERT (cert.org) and US-CERT
>> > (us-cert.gov) -- both of which have very different functions. As
>> > mentioned though, you probably wouldn't want to call either if your
>> > Internet goes down.
>> >
>> > Steven
>> >
>> > They both suck though, and its not clear cut who is responsible for what.
>> The US-CERT vulnerability and incident report procedure sends e-mail to
>> both US-CERT and CERT.
>>
>>
>> Also it was the US-CERT bulletin alert e-mail which had [EMAIL PROTECTED] in it,
>> so those folks who are meant to be running an emergency response team better
>> get their shit together,
>>
>> People want to know where to tell the government about something, and the
>> government should be approachable. lots of folks are scared to contact the
>> government directly about shit, in case it draws attention to them and they
>> end up getting into trouble for something completely different.
>>
>> I also believe the spying and undercover work that goes on on irc channels
>> for example is stupid, and befriending folks to get information on the
>> latest security news is wrong. If there were known government folks on the
>> irc channels and they were open about who they were, the government would
>> gather far more intelligence about hacks than being undercover.
>>
>> Trust me, the government think they need to be undercover to get the best
>> intelligence, but the way I see it, the government would be surprised how
>> many folks come forward in a friendly way if they said, yes i work for cert
>> or the dhs, i'm a cyber security contact if anyone wants to talk to me about
>> anything. the government need to get this whole situation sorted out with
>> tricking and entrapping folks on irc and other places.
>>
>> while i know in some investigation work undercover is the way to go, there
>> is also a need for the government to be more open with the security
>> community when lurking around the underground communities.
>>
>> the government should have a "cyber security contact" in the major public
>> underground irc channels, not the whole big undercover operation the
>> government currently run.
>>
>> plus, i don't believe their keyword data mining uncovers everything the
>> government should know, conversations on the internet by the bad guys are
>> often crafted in a certain way, because they know they are being monitored,
>> now if the government had open points of contact for the underground to talk
>> to, who were friendly approachable people, then the government would do far
>> better in public relations with the computer security community than they do
>> at present.
>>
>> i'm sick of the government as it currently stands, i'm sick of the
>> government and their intelligence services thinking the only way to find out
>> about things is to be undercover and have sophisticated intelligence
>> collecting software.
>>
>> trust me, if the government were just open with everyone everyone would be
>> the winner.
>>
>> there are people that are happy to give vulnerabilities, zero-day and
>> intelligence to the government, and you want to know why?
>> because not everyone likes everyone, so its within the hackers agenda to
>> give zero-day to the government which belong to their enemies, to cancel
>> out the enemies own agenda.
>>
>> back in the day when i first began the whole hacking thing, i would backstab
>> my friends by telling yahoo security team what they were up to and give them
>> zero-day software, to get patched, this is so, their zero-day were patched
>> out, but my stuff wasn't. so there are always reasons why the security
>> community would approach the government if there was a friendly approachable
>> representative in all the major public communities.
>>
>> what i want the government to get away from is the impression people have of
>> them and thats "big bad government with dark security services posing as
>> normal people in communities", and not just online communities, i mean in
>> real life as well, they have folks in towns and cities as well, doing
>> devious undercover general surveillance, but if the government were just
>> open with folks, things would be a lot easier.
>>
>> while full-disclosure is close to being a point of contact to disclose
>> things, there would be a lot more unearthed if there were human points of
>> contacts in the major public communities, because a mailing list isn't
>> always the way people want to contact the government and an online e-mail
>> form on a website isn't always suitable for the hacker either, hackers want
>> human interaction with the government over irc, and other forms of real time
>> communication.
>>
>> stop the whole devious government thing, and get open points of contacts
>> within communities. hackers don't want to use online e-mail forms and
>> hackers want assurances that they won't become suspects themselves for being
>> informants to a human cyber security point of contact on mediums such as
>> internet relay chat.
>>
>> so yeah, government, stop the whole hiding away in control centers and
>> designing sophisticated software, if you actually get humans into
>> communities to talk with the security communities over current affairs, you
>> would gather the right kind of intelligence about people and hacks, which is
>> quality information, that doesn't need intelligence analysts to rub their
>> heads for hours wondering, "is this a credible threat or is this guy just
>> joking around".
>>
>> the dhs and cert have got the whole public relations thing with the
>> underground at present all wrong, you need folks like me with a fresh
>> approach to everything, instead of ramping up a "war on terror" which cannot
>> be won. all wars begin and end in dialog, so take that into the cyber
>> security arena and get some friendly nicknames around the internet
>> communities which are known by the good and bad guys... and you will rake in
>> the rewards.
>>
>> at the moment there is no cyber terrorist threat out there, but that doesn't
>> mean there always won't be, so its better to get into the underground
>> security communities in the early on years, so in 5 to 10 or 15 years time
>> when cyber terrorism is a real threat then you'll know who everyone is in
>> the major public security communities and you'll have people within those
>> communities who are approaching you on a daily basis to update you on whats
>> going on in the security community.
>>
>> money isn't needed. while in real life, with drug scene informants, they
>> want money to inform the government about folks, this isn't the case online,
>> because its not as dangerous for a member of the public to be devious and
>> collect intelligence on folks.
>> what i'm suggesting is i know many folks who
>> would give free intelligence for no money, just to cancel out their rivals,
>> and just to generally be helpful because they are bored, than to demand a
>> certain sum of money for a certain level of importance of intelligence tip
>> off.
>>
>> what i'm suggesting is these open points of contact i want setup would only
>> be there for folks to volunteer information on a free basis, and anyone
>> starting to blackmail those point of contacts for cash would simply be
>> ignored. whats needed is open human points of contact who are approachable
>> on the basis of certain individuals coming forward to give free
>> intelligence, not to be a way for that individual to cash in, on the social
>> circles he is involved in or the zero-day software he has acquired.
>>
>> to get back to the beginning, the whole contacting cert and dhs is currently
>> wrong in relation to the cyber security community, your website sucks, and
>> its not a friendly and approachable looking site for everyday hackers,
>> script kids and security professionals to use. the whole dhs/us-cert
>> badge/logo/graphics etc scare people away. if your site was less big bad
>> serious government looking, then maybe folks would send you a lot more
>> voluntary intelligence, but like i've already said, e-mail forms don't
>> attract the underground, get known nicknames into communities, its the only
>> way forward if you really want to get on top of the whole cyber security
>> scene, now in the early years before real threats start to gather as the
>> whole cyber terrorism threat is being ramped up for future years.
>>
>> stop the whole we're the big bad serious dhs and cert and get your big
>> government sovereignty logos etc taken off sites which are supposed to be
>> designed for the underground contacting you. at the moment your the big
>> scary dhs and cert, it doesn't need to be that way.
>> become friendly and
>> approachable, become open and honest in underground communities and quit
>> undercover work and devious befriending for general surveillance and
>> intelligence gathering. whats wrong, you can have both undercover folks and
>> have known cyber security contacts in underground communities, whats there
>> to lose? absolutely nothing.
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
