It wasn't quite as bad as a friend expected; "those people will say you have an infectious disease and lock you up forever 20 stories under the nevada desert" ...but it wasn't nice either. I called FEMA's technical contact, got voicemail, left my name, phone number, stated that it was a security problem with a FEMA web server, asked that they return my call and then said my name and phone number again. The next day, they claimed they hadn't contacted me because they didn't have my phone number. After being prodded by the press, they did call and a hostile woman identifying herself as being with "FEMA's cybersecurity office" began to berate me for talking to the press. I informed her that I didn't like the tone of the conversation, and did not want to continue without assurances that "this won't get ugly". We went back and forth over what that meant for a while, and then the previously unidentified and unannounced Mr. Schmidt spoke up, identified himself as the "head of cybersecurity" and tried to convince me to comply with their demands by using the term "federal government computer system" a lot. The term "____ off" comes to mind. Then the content and underlying code of the site changed. Now, they are telling people "he has a long history of falsely reporting security problems with government computer systems". Are they claiming that the FBI's windows 3.51 web server was not vulnerable to dir?C| and variants in 1999? Are they claiming that the Dept of Ed. didn't have a world writable ftp mirror of their web site? Or did the fact that it took 6 calls, and responses like "we don't know what permissions are, we all use Macs here" make it a false report? Are they claiming it was a bad idea to null route the old www.whitehouse.gov net block when codered hit? Then why is it still a blackhole? Are they claiming that DG/UX wasn't vulnerable, or that a 3 letter agency wasn't running it as a mail server? Are they claiming a state legislature wasn't running a vulnerable configuration of Lotus, their admin confirmed it, and stated he didn't know it was accessible from the internet? Are they claiming a popular DSLAM doesn't have a default password of ANS#150 and a firmware backdoor? Are they claiming that Qwest didn't have variants of "Algiers97" as the password on most of their routers as an algerian was attempting to blow up Seattle's millenium celebration? Or maybe they are claiming the login bug I discovered in the 1970's and enjoyed for years never existed? Verizon, Wilshire, Xerox and Comcast are a few of my recent (false?!?) reports. Who has the credibility problem here? George Imburgia Senior Network Security Engineer Capitol Networking gtiat_private
This archive was generated by hypermail 2b30 : Mon Jul 29 2002 - 20:53:33 PDT