Hacker Leaks Unreleased CERT Reports

Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."

FD and Bugtraq

[jmays]

If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list. FD Charter [netsys.com]

Full disclosure link

[AEton]

The reports this story talks about can be found at the Full Disclosure archives:
http://lists.netsys.com/pipermail/full-disclosure/ [netsys.com];
go to March--view by author--hack4life@hushmail.com.

Re:You've spelled Cracker wrong.

[Anonymous Coward]

Language is determined by the masses, not by a small minority who get to determine what's PC or right.

That may be true in many countries...but not in france. They have a language standards board that decides what changes are adopted.

Re:Interesting to note...

[spasm]

you mean stuff like:

this? [smh.com.au]

carried by the rest of the world's media?

Re:Maybe it's an inside job.

[indiigo]

Perhaps the DoD is on a different list, but the lists I was on I would get updates at least a day or two after known exploit, or nothing at all. I don't care about priorities, I need to know if a system I run is vulnerable, and It wasn't cutting it.

It was the Guardian Observer...

[WiseWeasel]

It was the Observer [observer.co.uk] that leaked the NSA memo, and here is the link [observer.co.uk]. Strange (not really, but at least interesting) we haven't heard of this in the US press. . .

oh, and link to story on subsequent arrest:

[WiseWeasel]

Here's the Observer's story [observer.co.uk] on the subsequent arrest of a British Intelligence employee...

Re:Well....

[Florian Weimer]

Unfortuneately, the reason the information was leaked is because CERT charges people to get early access to security problems like this...

Note that isn't one of Slashdot's conspiracy theories. If you report something to CERT/CC for free, they sell it to their subscribers.

Unfortunately, this process is not defined in a way that is transparent for those who contact CERT/CC. I've seen conflicting reports regarding the question whether this sharing is mandatory or optional, implicit or explicit. Not surprisingly, the CERT/CC website is not very helpful:

We also send vulnerability information to others who can contribute to the solution and with whom we have a trusted relationship. In addition to vendors, this may include experts in the community, CERT/CC sponsors, and members of the Internet Security Alliance (including private sector organizations). We also send vulnerability information to sites that are part of critical infrastructures that we believe are at risk.

(From the CERT/CC FAQ [cert.org].)

Re:It was the Guardian Observer...

[tuffy]

Strange (not really, but at least interesting) we haven't heard of this in the US press. . .

But not surprising. That's why I get my news from google [google.com]. It's not hard to tell which "unpopular" stories will fall through the cracks of US news reporting.