Date: Sat Apr 22 22:58:54 2006
From: crypticmauler at linuxmail.org (CrYpTiC MauleR)
Subject: Who Do I Contact?

I cannot stress enough that I will not be going public with it, since it risks MY information and MY PARENTS' information. That is the reason I have not given details of the hole other than its implications, and will not post the school's name or even the state it resides in until this is fixed and the site has at least been audited. I am a supporter of full disclosure, but when I look at the pros and cons of going FD in this situation, the cons heavily outweigh any benefit. Yes, the school may move faster, or they won't, but in the process it would put thousands of student records at risk of misuse and ID theft. ID theft is the worst-case scenario, since without good credit, etc., your life in the modern world is pretty crappy financially. I do not want to put anyone in danger of having their lives ruined by going FD. I just want one thing, and that is for this to be fixed so I can rest assured that I do not have to worry that my info could be stolen by someone as they please. I am in the process of contacting people and will also be contacting the Attorney General of the state the school is in. Unfortunately that can only be done on Monday, so the school has an extra 24 hours to fix the hole, or I will bring media attention to them to get it done. I don't care for publicity, fame, etc. I just don't want my damn information vulnerable, period! If I had the choice I would leave the school right now, but that would hurt me financially and academically. Thank you so far, everyone, for the input and helpful suggestions and information on how to deal with this matter. Very much appreciated.

Regards,
CM


> ----- Original Message -----
> From: "Javor Ninov" <drfrancky@...urax.org>
> To: "Don Bailey" <don.bailey@...il.com>
> Subject: Re: [Full-disclosure] Who Do I Contact?
> Date: Sun, 23 Apr 2006 00:40:10 +0300
> 
> 
> Then what is the meaning of "Full Disclosure" ?
> 
> --
> Javor Ninov aka DrFrancky
> http://securitydot.net/
> 
> Don Bailey wrote:
> >>> "If the vendor refuses to act upon the news of the 
> >>> vulnerability, then Full Disclosure is in order."  (Don't 
> >>> release the numbers, of course, but release a generic statement 
> >>> that "this" university is not secure.)
> >>>
> >
> > Is this a joke? Absolutely do *not* implement full disclosure. Doing
> > so will cause unnecessary and probable exposure of private
> > information.
> >
> > First, contact the university's IT department. If that doesn't work,
> > contact a regent of the university. They will put you in touch
> > with an individual that can fix the problem. There is no reason
> > to reveal the university to parties that have no business with
> > said information. Public forums only disclose information to
> > people that have no right to that information. You can not
> > control the actions individuals in the public have.
> >
> > Risking the privacy of innocent students and faculty is not
> > the proper means to solve a problem.
> >
> > Do you want X number of script kids pounding a university
> > causing them more problems?
> >
> >>> Send a copy of the email to the University.  Might want to 
> >>> include their local TV news as well.  You'd be surprised how 
> >>> the alumni will react to get that fixed.
> >>>
> >
> > What are you, a media whore?
> >
> >>> In order to give them one more shot you may wish to tell them 
> >>> on which date it will be publicly released.
> >>>
> >
> > Ridiculous.
> >
> > Don "north" Bailey
> >
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/