Ever try to call NIPC and have an intelligent "computer security" conversation? Don't bother... The 2 times I called to report security issues I found it hard to find someone someone to speak to that had skill beyond your local whopper flopper at burger king. -KF George Imburgia wrote: >It wasn't quite as bad as a friend expected; > >"those people will say you have an infectious disease and lock you up >forever 20 stories under the nevada desert" > >...but it wasn't nice either. > >I called FEMA's technical contact, got voicemail, left my name, phone >number, stated that it was a security problem with a FEMA web server, >asked that they return my call and then said my name and phone number >again. > >The next day, they claimed they hadn't contacted me because they didn't >have my phone number. > >After being prodded by the press, they did call and a hostile woman >identifying herself as being with "FEMA's cybersecurity office" began to >berate me for talking to the press. > >I informed her that I didn't like the tone of the conversation, and did >not want to continue without assurances that "this won't get ugly". > >We went back and forth over what that meant for a while, and then the >previously unidentified and unannounced Mr. Schmidt spoke up, identified >himself as the "head of cybersecurity" and tried to convince me to comply >with their demands by using the term "federal government computer system" >a lot. > >The term "____ off" comes to mind. > >Then the content and underlying code of the site changed. > >Now, they are telling people "he has a long history of falsely reporting >security problems with government computer systems". > >Are they claiming that the FBI's windows 3.51 web server was not >vulnerable to dir?C| and variants in 1999? > >Are they claiming that the Dept of Ed. didn't have a world writable ftp >mirror of their web site? Or did the fact that it took 6 calls, and >responses like "we don't know what permissions are, we all use Macs >here" make it a false report? > >Are they claiming it was a bad idea to null route the old >www.whitehouse.gov net block when codered hit? Then why is it still a >blackhole? > >Are they claiming that DG/UX wasn't vulnerable, or that a 3 letter agency >wasn't running it as a mail server? > >Are they claiming a state legislature wasn't running a vulnerable >configuration of Lotus, their admin confirmed it, and stated he didn't >know it was accessible from the internet? > >Are they claiming a popular DSLAM doesn't have a default password of >ANS#150 and a firmware backdoor? > >Are they claiming that Qwest didn't have variants of "Algiers97" as the >password on most of their routers as an algerian was attempting to blow up >Seattle's millenium celebration? > >Or maybe they are claiming the login bug I discovered in the 1970's and >enjoyed for years never existed? > >Verizon, Wilshire, Xerox and Comcast are a few of my recent (false?!?) >reports. > >Who has the credibility problem here? > > > > >George Imburgia >Senior Network Security Engineer >Capitol Networking >gtiat_private > > > >
This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 10:01:11 PDT