Message-ID: <46B76F2C.9090006@infiltrated.net>
Date: Mon, 06 Aug 2007 14:57:48 -0400
From: "J. Oquendo" <sil@...iltrated.net>
To: hsukowa@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Question about exploit exposing SSN & user info

Comments inline:

> -----Original Message-----
> From: hsukowa@...oo.com [mailto:hsukowa@...oo.com] 
> Sent: Sunday, August 05, 2007 10:35 PM
> To: bugtraq@...urityfocus.com
> Subject: Question about exploit exposing SSN & user info

> with this type of a situation? --- Where a company has silenced an
> exploit without notifying customers who may have been victims of it?
> Does anyone have any recommendations for a course of action I might take
> to somehow ensure users whose private information may have been
> compromised are notified in the event the company chooses to "sweep it
> under the rug"? 

Let's be realistic for a minute here with this snippet. On all logical
sense do you think there has been a time that say a bank or financial
services company has been compromised and said nothing of the incident?
You'd be insane to think they willingly provide this information. If you
take a look at the majority of articles regarding lost/stolen data, it
mainly comes to light when someone points it out. RARELY does one see a
company come out with a public service announcement stating "Look for
years we gave away your information unknowingly. We've since then
remedied the problem and offer you this toaster as a token of our
appreciation."

A few things to think of:

1) Do you value your job? If so then hire an attorney before you do or
say anything. Chances are you will be canned. Whether or not it's because
of downsizing, you were the best of the best, history shows
whistleblowers are almost always shafted.

2) Did you discover this information due to the nature of your work or
did you let curiosity get the best of you? a) If it was work related,
see number 1). b) Out of curiosity? See 1).


-- 
====================================================
J. Oquendo
"Excusatio non petita, accusatio manifesta"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net
