Lorenzo,

If you truly '_cared_' about the security posture they took, then why are you talking about it on a public mailing list?

Sounds like you are trying to validate your self-worth through telling us all how great it makes you feel when you find out a large government-funded organization has a lax security posture. Are you hoping the media will say something like 'computer whiz kid finds holes at super secure .gov site'...? What is your motivation for telling the entire world you had problems getting them to fix their stuff? Truly being concerned about the security of this type of organization sometimes involves you not validating your own actions by waiting for the response you get back from them.

-Dan

On Fri, 24 Oct 2003, Jon Hart wrote:

> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched but they didn't contact me after I sent the
> > access instructions to advisories, so,
> > I have now the advisory open and a complete action-mail/advisory log for
> > probe and provide the communication
> > between NASA staff and me.
>
> <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA. However, I'm not sure I blame them when you use
> language like this:
>
> You have exactly 3 days to patch the systems, full info about the
> vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation; this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain. Using demanding language like this
> simply strikes me as a threat. Threatening companies or, even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites. This is called a penetration test or
> vulnerability test in some circles, and computer crime in others. One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion. I certainly would've approached
> this entire situation differently. Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties. But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-Daniel Uriah Clemens
Esse quam videri (to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
