[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-Disclosure] Explanations about the NASA security issues and confused people
From:       Michael Boord <MichaelBoord () yahoo ! co ! uk>
Date:       2002-10-26 22:11:13
[Download RAW message or body]

Am i the only one getting annoyed a lil bit
by this Lorenzo Hernandez Garcia-Hierro??

Everyone in favor of +kb raise your hand?





On Sat, 25 Oct 2003 17:28:35 +0200, qobaiashi <qobaiashi@gmx.net> wrote:

> Am Samstag, 25. Oktober 2003 00:44 schrieb Lorenzo Hernandez 
> Garcia-Hierro:
>> Hi all,
>> Some people is a little confused with the NASA related security
>> issues and my advisory,
>> so i'm explaining the confusing things:
>>
>> 1.- Every time NASA staff was knowing what i was doing , i sent
>> messages to administrators before doing anything.
>>
>> 2.- John R. Ray of the NASA Competency Center ( Information
>> Technologies Security ) contacted me for solve the issues.
>>
>> 3.- The report was completely closed to public access when the
>> systems were vulnerable
>>
>> 4.- I provided an accesscode to see the advisory for the NASA staff.
>
> leet
>
>> 5.- I was everytime testing the vulnerabilities and when i found that
>> the most important were patched i make public with some restrictions
>> the advisory.
>>
>> 6.- Of course , i wrote a disclaimer that can be found in the main
>> web site and http://advisories.nsrg-security.com/disclaimer.txt
>>
>> 7.- A mail log that has all the exchanged mail between NASA staff and
>> me ( and action log too with dates and details ) is available at:
>>      http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
>>      So ,please , be careful saying that i made it public without
>> contacting before the NASA staff.
>
> pretty cool, man!
>
>> 8.- In the report there is no private information about NASA nor
>> working exploits against important security holes like sql
>> injections.
>
> multo importante!
>
>> 9.- ScreenShots are modified for remove private url addresses ( like
>> www.nasa.gov portal admin access )
>
> 0day screenshots?
>
>> 10.- Some people was saying that i wanted fame doing it , definately
>> not , i made it for demostrate that web security is a real problem
>> and a thing that must be included in security policies of the
>> enterprises.
>
> now i see it's not about fame. naming "NASA" +10 times is just to 
> sound...erm
> trustworthy.
>
>> The next generation of hackers will can make damage against servers
>> with the only help of a web navigator, the web browser will be a
>> really dangerous hacking tool, and it is not the future , it is now ,
>> just see last advisories about phpnuke , etc
>>
>
> yeah that's realy interesting!
> i've just started writing my new 0day browser with neat phpnuke sploiting
> capability!!
>
>> 11.- The communication between NASA staff and me was completely clear
>> except that i didn't received response after i sent a message
>> confirmand that the report was finished an they had the access code
>> to see it.
>>
>> CONCLUSIONS
>>
>> It was a completely clear job between NASA staff and me , they were
>> really fast patching ( one day ) and really fast replying my first
>> email.
>>
>> The important thing is that NASA staff knows now wich risk has web
>> applications security and how to solve web application securiuty
>> issues.
>
> saint lorenzo!
> and thanks for letting all of us know what you've done!
>
>> Everything in this life has a final mean , in this case : web
>> security must be treated as other security issues , if not , you are
>> in risk
>
> clear thing!
>
>> How much times i must rewrite this mail ?
>
> we'll see..
>
>> Best regards and thanks to all members of Ful-Disclosure,
>



-- 
Michael Boord

http://www.xboxombouw.tk 06-29221787

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]