Full Disclosure mailing list archives

Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )


From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Fri, 24 Oct 2003 14:40:04 +0200

Hi Jody ( and all ),
I'm completely sane ;-)
Please look at the mail-log in the advisory page, you can see that NASA
staff was contacted a week ago and they have
the systems patched. I sent an email to NASA staff telling them that I will
publish the report, so they know what I was doing
every time.
My behavior and treatment with NASA staff was fine and their treatment and
comm. were fine too.
So, don't panic.
I'm responding in public because you said things that are wrong.
REMEMBER: NASA staff patched the websites and they were contacted a week ago
and they had 2 days of private access to the advisory,
it was a really good job between me and NASA staff.
Don't worry, and think that when I was little I loved NASA and now I'm
really interested in NASA campaigns,
so, it's stupid to think that I can do damage against them, they are
working fine at the moment.
Again, read carefully the mail-action-advisory log at:
http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
you will be better and fine reading it.
NOTE: this is for everybody that thinks that I didn't contact NASA staff,
it is not true! Check the log please
and... no important information is disclosed in the advisory, like mail
addresses and others.
The disclaimer is simple:
I will not provide exploiting information nor important info that can be
used against NASA websites.
The information of the advisory is only for educational purposes and NASA
staff knows the existence of
the advisory and its contents (they know the advisory before anybody except
me, they know it since
15 of October, 2003)
Thanks to everybody of this Fantastic-Disclosure list ;-)
Thanks to John (NASA Staff), the Root of nasa.gov and others for their
fantastic communication with me,

Best regards,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
----- Original Message ----- 
From: "MELBOURNE,Jody" <Jody.MELBOURNE () dewr gov au>
To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Sent: Friday, October 24, 2003 8:25 AM
Subject: RE: [Full-disclosure] NASA WebSites Multiple Vulnerabilities
ADVISORY opened to public access ( NASA websites Patched )


Are you insane?

Why are you hacking into NASA webservers and making your findings
public?

Do you think the NASA admins will thank you? I am sure they are thinking
of ways to prosecute you right now.

Are you just trying to get some publicity for your company? (I think so,
considering all of your recent XSS posts to full disclosure).

Please respond in private. I'm impressed by your work but I worry that
you have not considered the actions that NASA might take. The US
government is very unfriendly towards hackers at the moment.

Cheers
.jm


-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro
[mailto:lorenzohgh () nsrg-security com]
Sent: Friday, October 24, 2003 6:53 AM
To: Full-Disclosure
Cc: BUGTRAQ
Subject: [Full-disclosure] NASA WebSites Multiple Vulnerabilities
ADVISORY opened to public access ( NASA websites Patched )


Hello friends,
I'm happy and sad at the same time.
The NASA websites are patched but they didn't contact me after I sent
the access instructions to advisories, so I now have the advisory open
and a complete action-mail/advisory log to prove and provide the
communication between NASA staff and me.

__ ACCESS INFORMATION __
Advisory access:

http://advisories.nsrg-security.com/Nasa.gov-MV/

Mail & Action & Advisory Log :

http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt

ScreenShots:

http://advisories.nsrg-security.com/Nasa.gov-MV/screenshots/

__ <<<EOF __

That's all, about one week of work and a very short and strange
communication between NASA staff and me.
NOTE: not all the things are patched but I think that the most important,
it's very possible that the NASA staff will ignore some security
holes....

Best regards to all people of Full-Disclosure, NASA staff (
John! ) ;-), everybody...
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Notice:
The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege.  If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised.  If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.





