Date: Sat Apr 22 19:31:19 2006
From: crypticmauler at linuxmail.org (CrYpTiC MauleR)
Subject: [inbox] Re: [EDU-ops] Who Do I Contact?

I have not compromised it. I have not viewed anyone's SSN numbers. I just know the hole is there and that it can lead to someone being able to view my information, thus in turn anyone viewing anyone's. I was not born yesterday and know that overstepping my bounds and actually exploiting the hole to view other people's info is illegal.


> ----- Original Message -----
> From: Exibar <exibar@...lair.com>
> To: "CrYpTiC MauleR" <crypticmauler@...uxmail.org>, RLVaughn <Randy_Vaughn@...lor.edu>
> Subject: RE: [inbox] Re: [EDU-ops] [Full-disclosure] Who Do I Contact?
> Date: Sat, 22 Apr 2006 14:23:33 -0400
> 
> 
> Sounds like you've already compromised this vulnerability and seen data.
> You've already stepped over the line, no turning back from here.
>    Cut and paste a couple lines of what you've seen, "X" out a couple places
> in the SSN if it makes you feel better, then send them that information.
> Tell them in the e-mail that you will contact their local news stations for
> advice on who to contact to get it fixed, as you don't have anywhere else to
> turn as all the local authorities have turned you to other authorities.
> 
>     Exibar
> 
> > -----Original Message-----
> > From: CrYpTiC MauleR [mailto:crypticmauler@...uxmail.org]
> > Sent: Saturday, April 22, 2006 2:15 PM
> > To: RLVaughn
> > Cc: full-disclosure@...ts.grok.org.uk
> > Subject: [inbox] Re: [EDU-ops] [Full-disclosure] Who Do I Contact?
> >
> >
> > Yeah looking at just 'new' students there are potentially 7,000+
> > socials that can be stolen. This does not include students
> > already attending. I don't know an exact count of the student
> > population, but only had a new student registration list posted
> > on site. So estimates are based on those and the fact that
> > parents' SSNs can be viewed too because they were provided for
> > financial aid. So a family's identity can be stolen in turn =o/
> >
> >
> > > ----- Original Message -----
> > > From: RLVaughn <Randy_Vaughn@...lor.edu>
> > > To: "Gadi Evron" <ge@...uxbox.org>
> > > Subject: Re: [EDU-ops] [Full-disclosure] Who Do I Contact?
> > > Date: Sat, 22 Apr 2006 11:41:59 -0500
> > >
> > >
> > > Gadi Evron wrote:
> > > > CrYpTiC MauleR wrote:
> > > >> I am sorry I am not going to say who the school is. Mainly
> > > >> because so many socials numbers are at risk including mine. I
> > > >> have contacted the VP of Information Technology and he assured
> > > >> me he would call the company that makes the website. After 20
> > > >> days the hole was not fixed, so I called the department heads
> > > >> and am giving them 48 hours from then which is now currently at
> > > >> 24 hours before I move onto notifying someone else. I was also
> > > >> thinking about contacting FBI about this seeing they handle
> > > >> school breaches but not sure.
> > > >>
> > > >> I will not go full disclosure with the info, collect SSNs and
> > > >> show school (illegal) and also please don't ask me for the
> > > >> school's name or the details of the hole. The school has been
> > > >> careless even with the tech department making a support ticket
> > > >> about my initial report which I later found out anyone could
> > > >> view too. They obviously don't know how to do anything right. So
> > > >> if anyone could provide me with a phone number or place I can
> > > >> contact would be great. Please do not reply with a name or
> > > >> number without it being posted on a credited site or be easily
> > > >> verifiable. I am not going to just randomly call whoever someone
> > > > >> tells me to. Could be some idiot wants to just trick me into
> > > > >> giving the details to him. Thanks for the help so far guys!
> > > >>
> > > >
> > > > I will see if someone can contact you.
> > > > _______________________________________________
> > > > EDU-ops mailing list
> > > > EDU-ops@...tf.org
> > > > http://isotf.org/mailman/listinfo/edu-ops
> > > I am checking on an appropriate contact.  I fully understand your desire to
> > > establish a credible contact and to protect information at risk.  Given
> > > this is a weekend a contact may not be forthcoming until Monday or Tuesday.
> > >
> > > --
> > > Best Regards,
> > > Randal Vaughn
> > > Professor, Information Systems
> > > Baylor University
> > > (254) 710 4756
> >
> > >
> >
> >
> > --
> > _______________________________________________
> > Check out the latest SMS services @ http://www.linuxmail.org
> > This allows you to send and receive SMS through your mailbox.
> >
> > Powered by Outblaze
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
