lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed Jul  5 15:12:23 2006
From: screwedbytaxes at hushmail.com (screwedbytaxes@...hmail.com)
Subject: Re: Who should i contact?

Answers to clarify the situation:

# It's not H&R Block.

# I have checked the privacy policy and they explicitly assert that 
they will never share the email address for **any** reason with 
**any** party. Email address is to be used ONLY for filing taxes.

# The system that was used for taxes was specifically built for 
that specific tax season, and it was wiped (zeroes) and rebuilt two 
weeks later. It was not used for any other applications. It never 
saw ANY other networking or websites than simply filing taxes. Data 
was burned to disk afterwards and remains stored in a safe. This 
computer sat behind a firewall in a DMZ blocked even from the rest 
of the network. IIRC, this was also THREE years ago, and Bagle has 
only been around about two.

# While the addresses are not "random-proof", please explain how 
else these FOUR email addresses were specifically "randomly" 
generated and spammed within 72 hours of each other from the same 
IP address that sent no other spam to any other address on the 
server. One, sure. Two, big maybe. Three, very very unlikely. Four? 
Hell no.

# As for email, the only email these addresses have ever received 
were confirmations of the original filing (2 each, from the period 
of original filing) and then two promotional emails (for the tax 
service) last year and again this year. Granted, these messages 
introduce at least the potential for exploitation on my side, but 
again, JUST the tax-related address? I use over 100 email 
legitimate addresses, more than 40 of them on a given day, my other 
email addresses are plastered EVERYWHERE online. But NONE of those 
addresses were spammed by that IP, and these four, ALL tied to this 
one tax company, were? No way in hell is that a coincidence.


But more importantly, this is NOT about the spam. Sure, I'm upset - 
companies that pull that suck, but I don't really care about the 
spam. The spam is just a symptom of data being shared or exposed in 
violation of their privacy policy (we chose this company with their 
privacy policy in mind). I *do* care that the /rest/ of my data was 
likely lifted as well. I want to know if that was the case and if 
they have any hope or intent of doing anything about it.

Frankly, I don't think they care. If they did, they wouldn't put me 
in a position where I have to drag this into the media or a court 
just to get a simple answer.



Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ