| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060313001921.82200.qmail@web36909.mail.mud.yahoo.com> Date: Mon Mar 13 00:19:30 2006 From: system_outage at yahoo.com (SO SECURITY RESEARCH INSTITUTE) Subject: Yahoo security give blogger the thumbs up If you can provide the evidence to support your claim that the information published by the blogger was already in the public non-corporate circuit prior to the blog entry being made, do get in touch. While the information may be common knowledge amoung corporate users of ADP, it doesn't say the information rightly belongs within that of a public weblog, accessable to the world wide web. The blogger has broke its complaints proceedure also, where the blogger went to his blog before consulting Yahoo or ADP on his concern with password policy for the probusiness domain. This kind of employee conduct should not become common place within Yahoo in relation to its partners and security proceedures implemented within partner websites, no matter how low the severity of the information may appear to the individual corporate user. Generally, an individual corporate user outwidth the security profession hasn't the expertise to decide on-the-fly if and how such information could be used in relation to the compromisation of internet facing systems, and shouldn't take it upon himself to publish any nature of security policy in some one man crusade via a blog to bring change to security policy at an outsourced partner linked to that of Yahoo. If any change in policy is to be made, it should be that to make it impossible for an employee, such as in this case, never to be able to repeat this behaviour, without disciplinary action being looked at. Mark <markc@...gebox.liquidev.com> wrote: This isn't confidential Yahoo information. It's not even confidential ADP information -- any company who uses ADP's probusiness workcenter has subjected its employees to this ridiculous password complexity requirement. On Sun, Mar 12, 2006 at 08:41:18AM -0800, SO SECURITY RESEARCH INSTITUTE wrote: > Do you, uh, Yahoo? > It appears no action will be taken against a Yahoo employee who disclosed confidential corporate side security information (with screenshots) to his weblog. This obviously gives the green light for anyone at Yahoo to do the same in the future. Why have a Yahoo policy if its not going to be inforced? Regardless of the security value of the blog entry, a clear breach of the confidentiality agreement between Yahoo and ADP has been made. Yahoo's response was "Jeremy is Jeremy, he can blog about anything he wants." Making it sound like if you're a celebrity Yahoo blogger then you can walk all over company policy. ADP were unavailable for comment at time of this message being submitted to Full-Disclosure mailing list. http://tinyurl.com/plqt3 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060312/69e33a79/attachment.html
Powered by blists - more mailing lists