Fwd: Re: [Full-Disclosure] for the record... (Tru64 / Compaq)

From: John Scimone (sertat_private)
Date: Wed Jul 31 2002 - 13:23:23 PDT

Next message: Richard Forno: "Comment on DMCA, Security, and Vuln Reporting"

Previous message: Dallachiesa Michele: "bug in KSTAT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

kf wanted this sent on
-sert

----------  Forwarded Message  ----------

Subject: Re: [Full-Disclosure] for the record... (Tru64 / Compaq)
Date: Wed, 31 Jul 2002 20:01:07 -0700
From: "KF" <dotslashat_private>
To: <full-disclosureat_private>

I can't seem to get this to bugtraq ... darn mime types keep barking at me...
 someone wanna forward it. -KF

  ----- Original Message -----
  From: KF
  To: full-disclosureat_private ; bugtraqat_private ;
 reconat_private Sent: Wednesday, July 31, 2002 7:42 PM
  Subject: [Full-Disclosure] for the record... (Tru64 / Compaq)

  http://www.msnbc.com/news/788216.asp?0dm=T14JT

  Clarke cautioned that hackers should be responsible in reporting
 programming mistakes. A hacker should contact the software maker first, he
 said, then go to the government if the software maker does not respond soon.

  ------------------------------------

  For the record... we contacted HP(at the time Compaq), and CERT several
 times. I attached the original version of our su exploit (not the one that
 phased leaked) to NIPC and to CERT BOTH. We recieved an extremely long delay
 at CERT before they even responded. At that point I called CERT 2 times to
 see what the heck was going on and eventually I establish contact (Ian
 Finley). I also mailed nipc.watchat_private or whatever the email address on
 their page was. They didn't mail back ... no auto responder or nothing. ( I
 mailed the back weeks later and said I was shocked that I got no response
 and still got nothing back). I then called the NIPC hotline 3 times. The
 first 2 times I called I spoke to someone that should have been flopping
 whoppers "uhhhh a non-executable computer security what... let me send you
 to so and so's voicemail". Then I called back a week later and gave them the
 CERT vu numbers (after CERT finally responed). I left my cell phone number
 on someones voicemail again at NIPC... no one called me back.

  I deeply regret the fact that one of my team members plagerized another and
 leaked some code but my god people WE TRYED to give SEVERAL people a heads
 up!

  -KF

-------------------------------------------------------

Next message: Richard Forno: "Comment on DMCA, Security, and Vuln Reporting"
Previous message: Dallachiesa Michele: "bug in KSTAT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 21:08:37 PDT