Re: Operation TIPS - the FEMA response

From: KF (dotslash@snosoft.com)
Date: 07/30/02


Date: Tue, 30 Jul 2002 09:41:21 -0400
From: KF <dotslash@snosoft.com>
To: vuln-dev@securityfocus.com

Ever try to call NIPC and have an intelligent "computer security"
conversation? Don't bother... The 2 times I called to report security
issues I found it hard to find someone to speak to that had
skill beyond your local whopper flopper at Burger King.
-KF

George Imburgia wrote:

>It wasn't quite as bad as a friend expected;
>
>"those people will say you have an infectious disease and lock you up
>forever 20 stories under the Nevada desert"
>
>...but it wasn't nice either.
>
>I called FEMA's technical contact, got voicemail, left my name, phone
>number, stated that it was a security problem with a FEMA web server,
>asked that they return my call and then said my name and phone number
>again.
>
>The next day, they claimed they hadn't contacted me because they didn't
>have my phone number.
>
>After being prodded by the press, they did call and a hostile woman
>identifying herself as being with "FEMA's cybersecurity office" began to
>berate me for talking to the press.
>
>I informed her that I didn't like the tone of the conversation, and did
>not want to continue without assurances that "this won't get ugly".
>
>We went back and forth over what that meant for a while, and then the
>previously unidentified and unannounced Mr. Schmidt spoke up, identified
>himself as the "head of cybersecurity" and tried to convince me to comply
>with their demands by using the term "federal government computer system"
>a lot.
>
>The term "____ off" comes to mind.
>
>Then the content and underlying code of the site changed.
>
>Now, they are telling people "he has a long history of falsely reporting
>security problems with government computer systems".
>
>Are they claiming that the FBI's Windows 3.51 web server was not
>vulnerable to dir?C| and variants in 1999?
>
>Are they claiming that the Dept of Ed. didn't have a world writable ftp
>mirror of their web site? Or did the fact that it took 6 calls, and
>responses like "we don't know what permissions are, we all use Macs
>here" make it a false report?
>
>Are they claiming it was a bad idea to null route the old
>www.whitehouse.gov net block when Code Red hit? Then why is it still a
>blackhole?
>
>Are they claiming that DG/UX wasn't vulnerable, or that a 3 letter agency
>wasn't running it as a mail server?
>
>Are they claiming a state legislature wasn't running a vulnerable
>configuration of Lotus, their admin confirmed it, and stated he didn't
>know it was accessible from the internet?
>
>Are they claiming a popular DSLAM doesn't have a default password of
>ANS#150 and a firmware backdoor?
>
>Are they claiming that Qwest didn't have variants of "Algiers97" as the
>password on most of their routers as an Algerian was attempting to blow up
>Seattle's millennium celebration?
>
>Or maybe they are claiming the login bug I discovered in the 1970's and
>enjoyed for years never existed?
>
>Verizon, Wilshire, Xerox and Comcast are a few of my recent (false?!?)
>reports.
>
>Who has the credibility problem here?
>
>
>
>
>George Imburgia
>Senior Network Security Engineer
>Capitol Networking
>gti@armorfirewall.com


