Date: Sat, 9 Jun 2007 23:55:58 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: jericho@...rition.org, larry@...ryseltzer.com, rlogin@...h.ai
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: You shady bastards.

A very good point.

The subject line doesn't always show anything related to a personal e-mail message, and does the person monitoring messages know what is related to his/her work?

I see adding the word PRIVATE as a part of the subject line as a good practice. It's not so easy to accidentally post these e-mails to mailing lists etc.

Related to Maynor's case: If you are reading the e-mail account of a former employer and you click a link included in a message marked as private, you really cross the line.

HDM made a good decision when using a file name like maynor.tar.gz. If you are testing issues like this, use very rare file names, and it is worth testing Return Receipt too. And use a complicated directory structure (not easy to guess) when generating the test files like maynor.tar.gz.

- Juha-Matti

rlogin@...h.ai wrote:
> The key is *personal* e-mail. It's not unreasonable for any
> company to assume their e-mail systems are used primarily for
> business purposes. The e-mail doesn't indicate it's personal. It
> doesn't say, "Your Gonorrhea test results have come back! Click
> here for the results." The e-mail has no contents other than a
> link and doesn't indicate that the "Zero Day" promise was made
> after this employee left the company. In fact, the subject "Zero
> Day" is directly related to SecureWorks' business and it's entirely
> reasonable to expect a security company to investigate the
> contents. I'm actually surprised someone actually monitors these
> accounts and took the time to look into it!
>
> On Wed, 06 Jun 2007 20:28:26 -0400 security curmudgeon
> <jericho@...rition.org> wrote:
> >
> >: A more ethical company would have sent HDM a polite note
> >: saying that the person no longer works there before curiosity
> >: got the best of them.
> >:
> >: Does your company do this for all former employee e-mail
> >: accounts?
> >
> >No. But they also don't continue to accept mail to those accounts
> >either.
> >
> >: Let's hope he unsubscribed from all his mailing lists before he
> >: left.
> >
> >If a company is going to continue monitoring a former employee's
> >mailbox (intentionally or via a 'catch all'), that is fine. But when
> >they specifically act on a personal private mail between someone
> >outside of their company and the former employee, they are crossing
> >the line of ethical behavior I think. As I said, the least they
> >should have done is mail HDM and notified him the person no longer
> >works there. If they didn't do that, and if you think they shouldn't
> >be required to, then they shouldn't act on the information in the
> >mail either.
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/