| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060422201340.80BDE2435A@ws5-3.us4.outblaze.com> Date: Sat Apr 22 21:14:12 2006 From: crypticmauler at linuxmail.org (CrYpTiC MauleR) Subject: Who Do I Contact? I have not viewed anyones SSNs not even one. I just know the hole is there and that someone can view mine which makes it possible for anyone to view anyone's. I have been careful not to overstep my bounds by accessing anything not already accesible legally. I just wish for this to be fixed so I can sleep at night, but instead knowing that I may already have had my SSN stolen. Who knows. I'm just very frustrated at the school's lack of concern and speed. > ----- Original Message ----- > From: "Brian Eaton" <eaton.lists@...il.com> > To: full-disclosure@...ts.grok.org.uk > Subject: Re: [Full-disclosure] Who Do I Contact? > Date: Sat, 22 Apr 2006 15:59:25 -0400 > > > On 4/22/06, CrYpTiC MauleR <crypticmauler@...uxmail.org> wrote: > > I'm sorry I don't plan on going public with the details of the > > hole except with > > school staff and/or law enforcement. Main reason being dont want to put my > > info and my parents info in any great danger than it already is > > in. As you know > > identity theft is one of the fastest growing crimes so I feel > > that releasing the > > news before the holes is fixed will do more damage than good. > > Understood. I would have the same concerns if I were in your > position. For what it's worth, I was not suggesting you go public > with details. I was thinking the process would go more like this: > > - you talk to the editor of the paper, explain the impact of the hole, > and make sure they understand that if they were to publish too much > information about the problem it could lead to several thousand SSNs > getting stolen. > > - the paper could visit the VP of IT and interview them, get them to > confirm the problem and explain what is being done to resolve the > issue. > > - hopefully that pushes the IT department to move a little more > quickly to either fix the problem, or at least take steps to reduce > the risk of it being exploited. > > - If the problem gets fixed, great. The paper gets a scoop by > publishing the story, the info doesn't get stolen, everybody sleeps > better at night. > > - If the problem doesn't get fixed, the paper gets to release a little > bit of information about the hole, hopefully not too much. The VP of > IT starts getting pressure from students, parents, and alumni to > resolve the issue. Almost nobody sleeps better at night, but > hopefully there will be quicker progress once there is more pressure. > > I do suggest you be careful. You (apparently) have exploited this > hole to view at least a few SSNs. Though I'm sure you had only good > intentions, you were probably breaking the law when you did that. > Also, people don't tend to react well when threatened. It's better to > play nice and keep lines of communication open. > > Best of luck to you. > > Regards, > Brian > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- _______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze
Powered by blists - more mailing lists