lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 06 Aug 2007 18:01:53 +0200
From: "Michal Bucko" <michal.bucko@...ytt.com>
To: bugtraq@...urityfocus.com
Subject: RE: Question about exploit exposing SSN & user info

Hello,

I think you chose the right list for such a question. 

I have had various experience working with different companies in
this field - I've led HACKPL Security Dep., and we receive plenty
of information about various security issues. 

I think it is quite common that companies try to behave as if nothing
really happened, or as if the issue wasn't that important. From my 
experience, huge a lot of companies fail to inform their clients of 
problems when the issue is patched. If you want to make the information
public, make sure everything is _really_ patched, then ask the company 
to inform their Clients (if they don't want to act so). If the company 
says:

'Nothing baaad really happened. This and this could be done. Our clients
are safe thanks for Our Gosh-So-Perfect Security Program. Thank You
for sharing information with our Security Team.'

then, in my opinion, you are free to inform the public what really 
happened as you intention was to bring true information to public in 
order to make the community safer and _aware_ of the problem. (I would
first inform the company of my plans, and if they didn't change their
decision, I would reveal the information about the issue).The issue might 
have affected many people, and people have full right to be aware of 
eventual problems. 

Finally, not only do many companies fail to react properly, but also fail
to act at all. I have experienced many situations when I informed of the
problems many times, and there was no response. Fortunately, the majority
of serious companies solves the problems and treats clients with enough 
respect (to inform of the problem). 



One more thing, if you feel like skating on thin ice, provide additional 
information on my personal email: michal.bucko <at> eleytt <dot> com.
I think we could find a good solution for your problem. Before writing,
be sure to check on the legislation in your country (it would be nice 
if you had any lawyer friend who could advise you)


Cheers!

mb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ