Date: Mon Mar 13 10:27:25 2006
From: nocfed at gmail.com (nocfed)
Subject: Yahoo security give blogger the thumbs up

On 3/12/06, SO SECURITY RESEARCH INSTITUTE <system_outage@...oo.com> wrote:
>
> If you can provide the evidence to support your claim that the information
> published by the blogger was already in the public non-corporate circuit
> prior to the blog entry being made, do get in touch.

You got me thinking about something; you are a complete tool.  Please
show us the "clear breach of the confidentiality agreement between
Yahoo and ADP".  I would like to read the confidentiality agreement
that you are reading.  Surely you have this agreement, right?

> While the information
> may be common knowledge amoung corporate users of ADP, it doesn't say the
> information rightly belongs within that of a public weblog, accessable to
> the world wide web.

It doesn't?  Please provide the source for this information.

> The blogger has broke its complaints proceedure also,
> where the blogger went to his blog before consulting Yahoo or ADP on his
> concern with password policy for the probusiness domain.

Did I miss something?  Are you in Management at both Yahoo and ADP?

> This kind of
> employee conduct should not become commonplace within Yahoo in relation to
> its partners and security proceedures implemented within partner websites,
> no matter how low the severity of the information may appear to the
> individual corporate user.

What kind of employee conduct is that?

> Generally, an individual corporate user outwidth
> the security profession hasn't the expertise to decide on-the-fly if and how
> such information could be used in relation to the compromisation of internet
> facing systems, and shouldn't take it upon himself to publish any nature of
> security policy in some one man crusade via a blog to bring change to
> security policy at an outsourced partner linked to that of Yahoo.

I'm not sure what you are getting at here as I understand that you are
writing with words that do not exist here nor there and cannot nor
would not be defined in Webster's, Oxford, Cambridge, Longman or
others.  Wow, I tried but could not run my sentence on as long as
yours.

> If any
> change in policy is to be made, it should be that to make it impossible for
> an employee, such as in this case, never to be able to repeat this
> behaviour, without disciplinary action being looked at.
>

Please, please provide the policy.

>
> Mark <markc@...gebox.liquidev.com> wrote:
>
> This isn't confidential Yahoo information. It's not even confidential
> ADP information -- any company who uses ADP's probusiness workcenter has
> subjected its employees to this ridiculous password complexity
> requirement.
>

And without a confidentiality agreement that restricts the release of
this information.  How ever would I know though, right?  :)  Thank you
Mark.

>
> On Sun, Mar 12, 2006 at 08:41:18AM -0800, SO SECURITY RESEARCH INSTITUTE
> wrote:
> > Do you, uh, Yahoo?
> > It appears no action will be taken against a Yahoo employee who disclosed
> > confidential corporate side security information (with screenshots) to his
> > weblog.

Why would action need to be taken?

> This obviously gives the green light for anyone at Yahoo to do the
> same in the future.

There was a red light?

> Why have a Yahoo policy if its not going to be inforced?

To inforce it of course.

> Regardless of the security value of the blog entry, a clear breach of the
> confidentiality agreement between Yahoo and ADP has been made.

Hard copy OR soft copy requested.

> Yahoo's
> response was "Jeremy is Jeremy, he can blog about anything he wants." Making
> it sound like if you're a celebrity Yahoo blogger then you can walk all over
> company policy.

Whose response was this?  Please provide a name when quoting someone.

> ADP were unavailable for comment at time of this message
> being submitted to Full-Disclosure mailing list. http://tinyurl.com/plqt3

Unavailable to an email, a phone call, in person?

Now, as the twit pointed out, "If you have questions or issues about
access to this service, please contact the payroll manager/supervisor
at your company."

Is THIS supposed to be a confidentiality agreement?

"Any confidential, proprietary, or trade secret information is
obviously off-limits for your blog per the Proprietary Information
Agreement you have signed with Yahoo!."

Confidential, proprietary, trade secret?

So it's official, yet again, that someone does not understand English.

Now STOP relaying crap like this to the list where the twit has been
banned, for a reason.  While I am at it, RFC1855.  Please, please read
over rfc 1855.

And after that, read this.
http://www.journalism.org/resources/tools/reporting/accuracy/print.asp
