Date: Sat Apr 22 20:59:34 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: Who Do I Contact?

On 4/22/06, CrYpTiC MauleR <crypticmauler@...uxmail.org> wrote:
> I'm sorry I don't plan on going public with the details of the hole except with
> school staff and/or law enforcement. Main reason being I don't want to put my
> info and my parents' info in any greater danger than it already is in. As you know
> identity theft is one of the fastest growing crimes so I feel that releasing the
> news before the hole is fixed will do more damage than good.

Understood.  I would have the same concerns if I were in your
position.  For what it's worth, I was not suggesting you go public
with details.  I was thinking the process would go more like this:

- you talk to the editor of the paper, explain the impact of the hole,
and make sure they understand that if they were to publish too much
information about the problem it could lead to several thousand SSNs
getting stolen.

- the paper could visit the VP of IT and interview them, get them to
confirm the problem and explain what is being done to resolve the
issue.

- hopefully that pushes the IT department to move a little more
quickly to either fix the problem, or at least take steps to reduce
the risk of it being exploited.

- If the problem gets fixed, great.  The paper gets a scoop by
publishing the story, the info doesn't get stolen, everybody sleeps
better at night.

- If the problem doesn't get fixed, the paper gets to release a little
bit of information about the hole, hopefully not too much.  The VP of
IT starts getting pressure from students, parents, and alumni to
resolve the issue.  Almost nobody sleeps better at night, but
hopefully there will be quicker progress once there is more pressure.

I do suggest you be careful.  You (apparently) have exploited this
hole to view at least a few SSNs.  Though I'm sure you had only good
intentions, you were probably breaking the law when you did that.
Also, people don't tend to react well when threatened.  It's better to
play nice and keep lines of communication open.

Best of luck to you.

Regards,
Brian
