Re: [Full-Disclosure] NASA.GOV SQL Injections
On Sat, 18 Oct 2003 [EMAIL PROTECTED] wrote:

> On Fri, 17 Oct 2003 13:03:52 CDT, Ron DuFresne said:
>
> > private sector jobs provide. Thus, when the OSB and GAO audits and their released findings that make it into the headlines and before congress now and then come as no surprise.
>
> I'll go out on a limb and say that the only reason that GAO audits make government sites look like they leak like a sieve is because private industry leaks just as badly, but isn't usually subject to GAO audits making the news.

Well, GAO audits tend to be public information, while a corporation tends to not air its dirty laundry for sure <smile>. And far be it that the federal or state governments would lead, rather than lag behind the corporate world.

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] NASA.GOV SQL Injections
On Sat, 18 Oct 2003 23:34:38 CDT, Paul Schmehl [EMAIL PROTECTED] said:

> working on space projects, not the IT people protecting the network. Not that NASA wouldn't have good or even great IT people, but geniuses work on space physics. They *don't* do the grunt work of securing networks.

Better have at least one genius over in IT doing security rather than space physics, or you'll be screwed anyhow.. Those grunt workers need direction. :)
Re: [Full-Disclosure] NASA.GOV SQL Injections
On Sat, Oct 18, 2003 at 11:34:38PM -0500, Paul Schmehl wrote:

> --On Saturday, October 18, 2003 1:50 PM -0400 [EMAIL PROTECTED] wrote:
>
> > On Fri, 17 Oct 2003 10:24:59 CDT, Schmehl, Paul L said:
> >
> > > No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???
> >
> > If the IT people are busy figuring out how to land a rover etc, then:
> >
> > a) What the f--k are the *scientists* doing?
> >
> > b) Who's busy keeping the IT going while the scientists aren't doing the stuff the IT people are doing instead of their jobs?
>
> I continue to be amazed at how misunderstood this was. The post to which I was responding suggested that the one percenters were protecting the NASA network. My response was that the one percenters would be the scientists, working on space projects, not the IT people protecting the network. Not that NASA wouldn't have good or even great IT people, but geniuses work on space physics. They *don't* do the grunt work of securing networks.

I think there might be a little confusion about those one percenters. Whoever said that a one percenter in astrophysics is also a one percenter in IT security? Couldn't it be that they have the very best for both of the jobs without any overlapping?

Florian Streck
--
Today is National Existential Ennui Awareness Day.
Re: [Full-Disclosure] NASA.GOV SQL Injections
--On Sunday, October 19, 2003 2:25 AM -0400 [EMAIL PROTECTED] wrote:

> On Sat, 18 Oct 2003 23:34:38 CDT, Paul Schmehl [EMAIL PROTECTED] said:
>
> Better have at least one genius over in IT doing security rather than space physics, or you'll be screwed anyhow.. Those grunt workers need direction. :)

I could be wrong, but I don't think geniuses work in the trenches. I think they do research. I'm not aware of any geniuses in security. Are you?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [Full-Disclosure] NASA.GOV SQL Injections
On Sun, 19 Oct 2003 10:58:59 CDT, Paul Schmehl [EMAIL PROTECTED] said:

> I could be wrong, but I don't think geniuses work in the trenches. I think they do research. I'm not aware of any geniuses in security. Are you?

Paul.. learn to read. I said you need at least one genius because the grunts in the trench need direction. And yes, some security geniuses do mostly theoretical research (most cryptographers for example).. but there's a lot of very clever people who spend most of their time thinking about how to make real-world security palatable for the users (for example, I don't think Schneier has had much time to do crypto work of late, and Steve Bellovin took time out to write RFC3514).
RE: [Full-Disclosure] NASA.GOV SQL Injections
I have no personal information on NASA but would expect it works like any large enterprise company or other government organization which I do have experience with. You tend to have a few really good folks and a bunch of so-so folks and some really bad folks. The bigger the organization, the easier it is to hide mediocrity and incompetence. The really good ones tend to set standards and the rest try to follow them or think they know better and do something else. The good ones then have to try to touch base once in a while to make sure those standards are still being set.

The idea that a government organization is going to get the cream of the bell curve for Office IT is probably overstating it, since the government (like most large companies) does a lot of lowest-bidder type of work for things not in their direct main line. Office IT is not what NASA is there for; the people responsible for keeping the web sites and word processing tools running are not the people writing the code for the next satellite or space station. Heck, the mindsets of those two groups of people are probably extremely different. The folks working on the word processors and web sites are working, and this is the best or only job they could get... The people doing the work on the landers and space stations and such are trying to change the world, and money probably isn't the main drive - there aren't many places they can go to do what they want to do.

As for the janitors, I would bet that they need high security clearance for some of the areas, but having that high security clearance doesn't mean they are the best janitors. They are the best janitors with that security clearance that would work for whatever the pay scale was. That translates to the Office IT workers as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan A. Zdziarski
Sent: Friday, October 17, 2003 12:28 PM
To: Schmehl, Paul L
Cc: full-disclosure

> Maybe I'm not as familiar with NASA as others might be, but I would think NASA would try and hire the most gifted IT people they could find (e.g. the cream of the crop). Since I've never run into one, I can't prove this theory - I suppose it's possible they're all morons...but if I had the resources NASA has, there wouldn't be any idiots working for me. I wonder if their janitors require security clearance just to work there...if that's the case their IT people are most likely l33t.
Re: [Full-Disclosure] NASA.GOV SQL Injections
On Fri, 17 Oct 2003 10:24:59 CDT, Schmehl, Paul L said:

> No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???

If the IT people are busy figuring out how to land a rover etc, then:

a) What the f--k are the *scientists* doing?

b) Who's busy keeping the IT going while the scientists aren't doing the stuff the IT people are doing instead of their jobs?
Re: [Full-Disclosure] NASA.GOV SQL Injections
> If the IT people are busy figuring out how to land a rover etc, then:

They may not be landing the rover, but they're most definitely responsible for the systems infrastructure that allows them to communicate via the command center.. obviously these are going to be different people than the ones who keep nasa.gov running, but I can't imagine they would be too far apart in skillset and discipline...unless of course they outsourced nasa.gov, in which case it's probably sitting next to a fridge of beer in a studio somewhere.
Re: [Full-Disclosure] NASA.GOV SQL Injections
--On Saturday, October 18, 2003 1:50 PM -0400 [EMAIL PROTECTED] wrote:

> On Fri, 17 Oct 2003 10:24:59 CDT, Schmehl, Paul L said:
>
> > No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???
>
> If the IT people are busy figuring out how to land a rover etc, then:
>
> a) What the f--k are the *scientists* doing?
>
> b) Who's busy keeping the IT going while the scientists aren't doing the stuff the IT people are doing instead of their jobs?

I continue to be amazed at how misunderstood this was. The post to which I was responding suggested that the one percenters were protecting the NASA network. My response was that the one percenters would be the scientists, working on space projects, not the IT people protecting the network. Not that NASA wouldn't have good or even great IT people, but geniuses work on space physics. They *don't* do the grunt work of securing networks.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
RE: [Full-Disclosure] NASA.GOV SQL Injections
Don't you think that some people in nasa might also be reading this list?

Just because you can cause a sql error it doesn't necessarily mean you have found a security flaw: it might not be possible to exploit it...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: 15 October 2003 19:24
To: Lorenzo Hernandez Garcia-Hierro
Cc: full-disclosure
Subject: Re: [Full-Disclosure] NASA.GOV SQL Injections

> On Wed, 15 Oct 2003 01:45:02 +0200 Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:
>
> > Hi all again,
> > http://liftoff.msfc.nasa.gov/toc.asp?s=Tracking' admits sql characters injection but seems not easy to include successful queries
> > security of nasa websites sucks ( sucks the web app security...)
>
> Man... Who, other than nasa.gov itself, is affected by this bug ?! Why are you posting it here? You didn't even contact nasa.gov admins... Hehehe.. It is obvious that my theory about you wanting fame is correct.
>
> I remember a similar post some time ago.. Some wise person asked 'if you find a server with wuftpd 2.4.2, do you send a post to full-disclosure that that host is vulnerable?'
>
> Think dude.
>
> mcbethh

--
CRN Channel Awards 2003 - 10th Anniversary
Unipalm has been shortlisted for Specialist Distribution Partner
Vote for us at http://www.crn.vnunet.com by clicking the logo

---
CONFIDENTIALITY AND DISCLAIMER NOTICE
This e-mail is intended only for the addressee named above and the contents should not be disclosed to any other person nor copies taken. Any views or opinions presented are solely those of the sender and do not necessarily represent those of ComputerLinks (UK) Ltd. (trading as Unipalm) unless otherwise specifically stated. As internet communications are not secure we do not accept legal responsibility for the contents of this message nor responsibility for any change made to this message after it was sent by the original sender. We advise you to carry out your own virus check before opening any attachment as we cannot accept liability for any damage sustained as a result of any software viruses.
---
RE: [Full-Disclosure] NASA.GOV SQL Injections
> Don't you think that some people in nasa might also be reading this list?

Hmm, if I was in the top 1% of the smartest people in the world, I don't know if I'd have the time to read all the flames and spam that occur on this list. They probably have a team of their own computer geniuses auditing code on a daily basis, at which point it's only a matter of time before they realize the flaw.

> Just because you can cause a sql error it doesn't necessarily mean you have found a security flaw: it might not be possible to exploit it...

Hopefully they haven't given the user any privileged access (to delete, call shell functions, etc.), but come on though, if it's possible to inject SQL code there's most likely some way to exploit at least the database.
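The two replies above turn on a single point: an error from a stray quote is a symptom of the query being built from the request string, and what the database account is allowed to do bounds the damage. As an added example, not code from the thread or from the site it discusses, this Python/SQLite block puts the concatenating lookup beside its parameterised form and shows what a read-only handle changes; the table name, columns and rows are constructed stand-ins for a "toc.asp?s=<name>" style section lookup.

```python
# Added example, not code from the thread or from the site discussed.
# The table name, columns and rows below are constructed stand-ins for the
# section lookup behind a "toc.asp?s=<name>" style page.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (name TEXT, public INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO sections VALUES (?, ?, ?)",
        [
            ("Tracking", 1, "public tracking page"),
            ("Launches", 1, "public launch schedule"),
            ("Internal", 0, "staff-only notes"),
        ],
    )
    conn.commit()  # close the implicit transaction so a later rollback keeps the seed rows
    return conn


def lookup_concat(conn: sqlite3.Connection, s: str) -> list:
    """Vulnerable pattern: the request parameter is pasted into the SQL text.
    A quote in `s` changes the statement itself, which is why a probe such as
    the thread's toc.asp?s=Tracking' produces a database error."""
    sql = ("SELECT name, body FROM sections "
           "WHERE public = 1 AND name = '" + s + "'")
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, s: str) -> list:
    """Hardened pattern: the value is bound as a parameter. The SQL text is
    fixed, so quotes in `s` are data, never syntax."""
    sql = "SELECT name, body FROM sections WHERE public = 1 AND name = ?"
    return conn.execute(sql, (s,)).fetchall()


def classify(conn: sqlite3.Connection, s: str) -> str:
    """Defender's triage of one input against the concatenating code:
    'ok'      - concat returned exactly what the parameterised query returns
    'error'   - concat raised a syntax error (the symptom seen in the thread)
    'altered' - concat ran but returned a different row set, i.e. the input
                rewrote the query's logic rather than merely breaking it."""
    expected = lookup_param(conn, s)
    try:
        got = lookup_concat(conn, s)
    except sqlite3.OperationalError:
        return "error"
    return "ok" if got == expected else "altered"


def open_readonly(conn: sqlite3.Connection) -> None:
    """Least privilege for the web tier: refuse writes on this handle.
    PRAGMA query_only is SQLite's equivalent of granting SELECT only."""
    conn.execute("PRAGMA query_only = 1")


def can_write(conn: sqlite3.Connection) -> bool:
    """Probe whether the handle may modify data; the probe row is rolled back."""
    try:
        conn.execute("INSERT INTO sections VALUES ('probe', 0, '')")
    except sqlite3.OperationalError:
        return False
    conn.rollback()
    return True


if __name__ == "__main__":
    db = make_db()
    # "O'Neil" shows the same bug also breaks legitimate input with an apostrophe.
    for probe in ("Tracking", "Tracking'", "O'Neil"):
        print(f"{probe!r:12} concat={classify(db, probe):6} "
              f"param={lookup_param(db, probe)}")
    open_readonly(db)
    print("web handle can write:", can_write(db))
```

The same probe that errors under concatenation simply returns no rows under parameterisation, and once the handle is read-only, the worst a successful injection can reach through it is the data the account can already SELECT.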
RE: [Full-Disclosure] NASA.GOV SQL Injections
> No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???

Maybe I'm not as familiar with NASA as others might be, but I would think NASA would try and hire the most gifted IT people they could find (e.g. the cream of the crop). Since I've never run into one, I can't prove this theory - I suppose it's possible they're all morons...but if I had the resources NASA has, there wouldn't be any idiots working for me. I wonder if their janitors require security clearance just to work there...if that's the case their IT people are most likely l33t.
RE: [Full-Disclosure] NASA.GOV SQL Injections
On Fri, 17 Oct 2003, Jonathan A. Zdziarski wrote:

> > No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???
>
> Maybe I'm not as familiar with NASA as others might be, but I would think NASA would try and hire the most gifted IT people they could find (e.g. the cream of the crop). Since I've never run into one, I can't prove this theory - I suppose it's possible they're all morons...but if I had the resources NASA has, there wouldn't be any idiots working for me. I wonder if their janitors require security clearance just to work there...if that's the case their IT people are most likely l33t.

Of course, one might think the same thing about the FED gov and the various states govs. Until one looks at pay rates, and how they compare to the private sector. And that pays little or no mind to the POLITICS in such places. One does not merely work in a gov related setting, one HAS to play a political tightrope walk, with less the proportional pay that private sector jobs provide. Thus, when the OSB and GAO audits and their released findings that make it into the headlines and before congress now and then come as no surprise.

I did an interesting article on the state of cyber security a year or so ago mentioning some of this for TISC Insight Newsletter, and a copy can be found at http://sysinfo.com/sec-state.html.

'Course, if anyone would like to hear the real nightmares of gov related work and the political BS that prevents real work from getting accomplished, I'll be happy to talk offline/offrecord.

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] NASA.GOV SQL Injections
> Of course, one might think the same thing about the FED gov and the various states govs.

The gov't in general has a terrible track record in security, primarily due to the fact that they're not willing to pay more than $45,000 and a Buick...NASA on the other hand has got the gov't throwing billions of dollars at them so I'd hope they could afford to pay decent rates...anyone on this list who works for NASA? I would love to hear them speak up on the subject.
RE: [Full-Disclosure] NASA.GOV SQL Injections
On Fri, 17 Oct 2003, Jonathan A. Zdziarski wrote:

> > Of course, one might think the same thing about the FED gov and the various states govs.
>
> The gov't in general has a terrible track record in security, primarily due to the fact that they're not willing to pay more than $45,000 and a Buick...NASA on the other hand has got the gov't throwing billions of dollars at them so I'd hope they could afford to pay decent rates...anyone on this list who works for NASA? I would love to hear them speak up on the subject.
>
> > Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] NASA.GOV SQL Injections
FWIW my experience with NASA, while limited, has been equivalent to many large private sector organizations. The rank and file people, including Directors and Assistant Directors, are intelligent, conscientious people who run headlong into uncaring, frustrating upper management bureaucrats who cannot or will not listen to their input. Also, because the organization is broken up into several regional and sectional groups, political rivalries have developed that get in the way of organizational goals. Like I said, same thing as corporate America: politics as usual.

We are the people our parents warned us about.

G

On or about 2003.10.17 13:03:52 +, Ron DuFresne ([EMAIL PROTECTED]) said:

> Of course, one might think the same thing about the FED gov and the various states govs. Until one looks at pay rates, and how they compare to the private sector. And that pays little or no mind to the POLITICS in such places. One does not merely work in a gov related setting, one HAS to play a political tightrope walk, with less the proportional pay that private sector jobs provide. Thus, when the OSB and GAO audits and their released findings that make it into the headlines and before congress now and then come as no surprise.
>
> I did an interesting article on the state of cyber security a year or so ago mentioning some of this for TISC Insight Newsletter, and a copy can be found at http://sysinfo.com/sec-state.html.

--
Gregory A. Gilliss, CISSP          Telephone: 1 650 872 2420
Computer Engineering               E-mail: [EMAIL PROTECTED]
Computer Security                  ICQ: 123710561
Software Development               WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
RE: [Full-Disclosure] NASA.GOV SQL Injections
At 02:12 PM 10/17/03 -0400, Jonathan A. Zdziarski wrote:

> The gov't in general has a terrible track record in security, primarily due to the fact that they're not willing to pay more than $45,000 and a Buick...NASA on the other hand has got the gov't throwing billions of dollars at them so I'd hope they could afford to pay decent rates...anyone on this list who works for NASA? I would love to hear them speak up on the subject.

Federal employees of NASA are subject to the same pay schedules as other federal employees. While agency-specific pay banding is gradually replacing the traditional GS (general schedule) system, one agency really can't pay much more than another for the equivalent position. If you compare job security and certain other less tangible benefits, the federal government becomes a much more attractive employer, especially for those who resisted the siren call of ludicrous salaries during the dot com boom and are, as a result, still comfortably employed.

As to political considerations, yes, they exist. But except at the highest level they really aren't any worse than corporate politics, and often a great deal less arbitrary.

m5x
Re: [SD:jason.full-disclosure] RE: [Full-Disclosure] NASA.GOV SQL Injections
From my experience working at NASA (Moffett Field as an intern one summer), their IT department (in my building) was good at what they did but had a pretty restrictive security policy (which is a good thing I guess). So I would rate them as excellent although too restrictive.

On Fri, 2003-10-17 at 14:03, Ron DuFresne wrote:

> On Fri, 17 Oct 2003, Jonathan A. Zdziarski wrote:
>
> > > No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???
> >
> > Maybe I'm not as familiar with NASA as others might be, but I would think NASA would try and hire the most gifted IT people they could find (e.g. the cream of the crop). Since I've never run into one, I can't prove this theory - I suppose it's possible they're all morons...but if I had the resources NASA has, there wouldn't be any idiots working for me. I wonder if their janitors require security clearance just to work there...if that's the case their IT people are most likely l33t.
>
> Of course, one might think the same thing about the FED gov and the various states govs. Until one looks at pay rates, and how they compare to the private sector. And that pays little or no mind to the POLITICS in such places. One does not merely work in a gov related setting, one HAS to play a political tightrope walk, with less the proportional pay that private sector jobs provide. Thus, when the OSB and GAO audits and their released findings that make it into the headlines and before congress now and then come as no surprise.
>
> I did an interesting article on the state of cyber security a year or so ago mentioning some of this for TISC Insight Newsletter, and a copy can be found at http://sysinfo.com/sec-state.html.
>
> 'Course, if anyone would like to hear the real nightmares of gov related work and the political BS that prevents real work from getting accomplished, I'll be happy to talk offline/offrecord.
>
> Thanks,
>
> Ron DuFresne
> ~~
> Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
> OK, so you're a Ph.D. Just don't touch anything.

--
Jason Freidman [EMAIL PROTECTED]
Re: [Full-Disclosure] NASA.GOV SQL Injections
I had the pleasure of meeting one of NASA's IT guys this week actually. He could certainly be considered the cream of the crop. If all NASA IT guys are like him, then NASA certainly has the best of the best employed there.

I would also say that yes, even the janitor requires a full background check and security clearance, to some degree. I'm sure that there are areas where even the 1% have to clean up after themselves every day due to the sensitivity of their work.

Why would anyone think that NASA wouldn't hire the best of the best, even for administrative work? It's not like they're raking leaves for a living, they send people to the Moon and beyond :-)

Exibar

----- Original Message -----
From: Jonathan A. Zdziarski [EMAIL PROTECTED]
To: Schmehl, Paul L [EMAIL PROTECTED]
Cc: full-disclosure [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 12:28 PM
Subject: RE: [Full-Disclosure] NASA.GOV SQL Injections

> > No offense meant to the fine IT people at NASA, but do you seriously believe that the one-percenters are securing the network? As opposed to say, figuring out how to land a rover on Mars, how to keep astronauts alive in space, how to overcome the long-term negative effects of zero gravity, etc., etc.???
>
> Maybe I'm not as familiar with NASA as others might be, but I would think NASA would try and hire the most gifted IT people they could find (e.g. the cream of the crop). Since I've never run into one, I can't prove this theory - I suppose it's possible they're all morons...but if I had the resources NASA has, there wouldn't be any idiots working for me. I wonder if their janitors require security clearance just to work there...if that's the case their IT people are most likely l33t.
Re: [Full-Disclosure] NASA.GOV SQL Injections
On Wed, 15 Oct 2003 01:45:02 +0200 Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:

> Hi all again,
> http://liftoff.msfc.nasa.gov/toc.asp?s=Tracking' admits sql characters injection but seems not easy to include successful queries
> security of nasa websites sucks ( sucks the web app security...)

Man... Who, other than nasa.gov itself, is affected by this bug ?! Why are you posting it here? You didn't even contact nasa.gov admins... Hehehe.. It is obvious that my theory about you wanting fame is correct.

I remember a similar post some time ago.. Some wise person asked 'if you find a server with wuftpd 2.4.2, do you send a post to full-disclosure that that host is vulnerable?'

Think dude.

mcbethh
[Full-Disclosure] NASA.GOV SQL Injections
Hi all again,

http://liftoff.msfc.nasa.gov/toc.asp?s=Tracking' admits sql characters injection but seems not easy to include successful queries
security of nasa websites sucks ( sucks the web app security...)

best regards,
---
0x00-Lorenzo Hernandez Garcia-Hierro
0x01-/* not csh but sh */
0x02-$ PATH=pretending!/usr/ucb/which sense
0x03- no sense in pretending!
__
PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**
No Secure Root Group
Security Research Team
http://www.nsrg-security.com
__