Hi Jon,

Hahahaha, a good one, the joke about helicopters. I'm not an English speaker, so sometimes I make mistakes. I didn't know how to deal with NASA staff and I wrote the phrase that you quoted. It was a mistake, I know; every time I wanted to help them, it is my responsibility. But you are wrong saying that the vulnerabilities were old. Yes, some of the security holes are related to known security issues, but there are specific vulnerabilities; look at the report.

But NASA staff had very good communication with me, except they didn't contact me after I sent them the final message providing an exclusive access code (for private access) to the advisory. I checked again the most important security holes and they had patched them, so I made the report public. Do you understand? OK, thanks a lot for your time and suggestions, and tell me what's the meaning of wumpa-wumpa xD, I don't know that expression.

Best regards!

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Jon Hart" <[EMAIL PROTECTED]>
To: "Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 24, 2003 11:14 PM
Subject: Re: [Full-Disclosure] NASA WebSites Multiple Vulnerabilities ADVISORY opened to public access ( NASA websites Patched )

> On Thu, Oct 23, 2003 at 10:53:30PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> > Hello friends,
> > I'm happy and sad at the same time.
> > The NASA websites are patched but they didn't contact me after I sent the
> > access instructions to advisories, so,
> > I have now the advisory open and a complete action-mail/advisory log to
> > prove and provide the communication
> > between NASA staff and me.
> > <snip>
>
> Lorenzo,
>
> I can understand your frustration with not getting full and unwavering
> cooperation from NASA. However, I'm not sure I blame them when you use
> language like this:
>
> You have exactly 3 days to patch the systems, full info about the
> vulnerabilities in the report.
>
> Keep in mind this is NOT a kidnapping or a hostage situation, this is
> you doing a favor for them by alerting them of potential security issues
> on sites in the nasa.gov domain. Using demanding language like this
> simply strikes me as a threat. Threatening companies or even worse,
> threatening large and powerful governmental bodies, will get you nowhere
> fast except into a pile of trouble.
>
> Also, recognize that what you are doing is not (necessarily) discovering
> new vulnerabilities, but rather finding specific cases of old
> vulnerabilities on NASA's sites. This is called a penetration test or
> vulnerability test in some circles, and computer crime in others. One
> you get paid for, the other you end up doing time for.
>
> Of course, this is just my opinion. I certainly would've approached
> this entire situation differently. Had I decided to disclose this
> information to NASA, I certainly would've been considerably more
> professional and thorough about it, and I almost certainly wouldn't have
> made this information public until I had the full cooperation of
> concerned parties. But, all this might just be because I like to be
> able to walk down the street without being tailed by men in black
> trenchcoats and I like to be able to sleep at night without worrying
> about hearing the wumpa-wumpa of government/military helicopters over my
> house at 2am.
>
> Good luck,
>
> -jon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html