Full Disclosure mailing list archives
Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )
From: Jon Hart <warchild () spoofed org>
Date: Fri, 24 Oct 2003 17:14:49 -0400
On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
Hello friends, I'm happy and sad in the same time. The NASA websites are patched but they didn't contacted me after i sent the access instructions to advisories, so, i have now the advisory open and a complete action-mail/advisory log for probe and provide the communication between NASA staff and me.
<snip> Lorenzo, I can understand your frustration with not getting full and unwavering cooperation from NASA. However, I'm not sure I blame them when you use language like this: You have exactly 3 days to patch the systems , full info about the vulnerabilities in the report. Keep in mind this is NOT a kidnapping or a hostage situation, this is you doing a favor for them by alerting them of potential security issues on sites in the nasa.gov domain. Using demanding language like this simply strikes me as a threat. Threatening companies or even worse, threatening large and powerful governmental bodies, will get you nowhere fast except into a pile of trouble. Also, recognize that what you are doing is not (necessarily) discovering new vulnerabilities, but rather finding specific cases of old vulnerabilities on NASA's sites. This is called a penetration test or vulnerability test in some circles, and computer crime in others. One you get paid for, the other you end up doing time for. Of course, this is just my opinion. I certainly would've approached this entire situation differently. Had I decided to disclose this information to NASA, I certainly would've been considerably more professional and thorough about it, and I almost certainly wouldn't have made this information public until I had the full cooperation of concerned parties. But, all this might just be because I like to be able to walk down the street without being tailed by men in black trenchcoats and I like to be able to sleep at night without worrying about hearing the wumpa-wumpa of government/military helicopters over my house at 2am. Good luck, -jon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 23)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) mcbethh (Oct 24)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Jon Hart (Oct 24)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 24)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) daniel uriah clemens (Oct 24)
- RE: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Mortis (Oct 27)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 27)
- Message not available
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 27)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Stefan Larsson (Oct 27)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) nosp (Oct 27)
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 27)
- <Possible follow-ups>
- Re: NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched ) Lorenzo Hernandez Garcia-Hierro (Oct 24)