Open Source and information security mailing list archives
 
Message-ID: <200412272126.iBRLQMGw027874@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: This sums up Yahoo!s security policyto a -T- 

On Mon, 27 Dec 2004 10:05:55 EST, Mary Landesman said:

> Now, if there were reason to believe that a crime had been committed and
> that evidence lies in the email, that's a different story. In such a case, I
> believe the email should be turned over to the authorities. But absent legal
> need, turning over email to a grieving parent/spouse/child is a dangerous
> and undesirable precedent.

Amen.  Absent a properly executed subpoena, Yahoo shouldn't be coughing up
the data to anybody.  IANAL, but the "No right of survivorship" would probably
trump the executor's rights.  But even there, the *right* thing for the
executor is to have a judge issue a temporary restraining order, and hand
Yahoo the TRO and say "sit on this account until a judge rules on who wins".

It's amazing that nobody on *this* list has picked up on another thing that
Yahoo has to protect against: Social engineering.  Find a Yahoo userid that
hasn't been used in a few days, and "notify" Yahoo that you're the next of kin
and they just got killed in a car crash.

Do you really *want* Yahoo to take your word for it? (Remember, although *this*
case is high-profile, and the parents were probably on TV and all that, if
I pick some random Joe Smith across town, and tell Yahoo that I'm Joe Smith Sr,
why should they fall for it?)
