Full Disclosure mailing list archives

for the record... (Tru64 / Compaq)


From: full-disclosure () lists netsys com (KF)
Date: Wed, 31 Jul 2002 19:42:44 -0700

http://www.msnbc.com/news/788216.asp?0dm=T14JT

Clarke cautioned that hackers should be responsible in reporting
programming mistakes. A hacker should contact the software maker first,
he said, then go to the government if the software maker does not
respond soon.

------------------------------------


For the record... we contacted HP (at the time Compaq), and CERT several
times. I attached the original version of our su exploit (not the one
that phased leaked) to NIPC and to CERT BOTH. We received an extremely
long delay at CERT before they even responded. At that point I called
CERT 2 times to see what the heck was going on and eventually I
established contact (Ian Finley). I also mailed nipc.watch () nipc gov or
whatever the email address on their page was. They didn't mail back ...
no auto responder or nothing. (I mailed them back weeks later and said I
was shocked that I got no response and still got nothing back). I then
called the NIPC hotline 3 times. The first 2 times I called I spoke to
someone that should have been flopping whoppers "uhhhh a non-executable
computer security what... let me send you to so and so's voicemail".
Then I called back a week later and gave them the CERT vu numbers (after
CERT finally responded). I left my cell phone number on someone's
voicemail again at NIPC... no one called me back.

I deeply regret the fact that one of my team members plagiarized another
and leaked some code but my god people WE TRIED to give SEVERAL people a
heads up!

-KF


