Message-ID: <44A9A7EA.6030002@syneticon.de>
Date: Tue Jul  4 00:27:50 2006
From: seclists at syneticon.de (Denis Jedig)
Subject: Undisclosed breach at major US facility

r r wrote:

> I would like to know what to do if I --hypothetically speaking-- I
> were to retrieve _complete_ databases of a MAJOR us hospital.  My
> hypothetical model is not brute force, but rather an 'accidental'
> discovery by trying to retrieve updates from a software vendor.

In my opinion, a public service operated insecurely is a danger to every 
single one of its customers. Publishing this kind of information (not the 
data dump of course, only pointing out the kind of flaws and the 
responsible persons or organizations) is a service to current and 
potential customers of the public service. You might try to get the 
"ordinary" (non-tech, non-security) press, but in my experience the 
sensation index of such incidents is just too low to interest 
journalists and they think that the technical stuff is too complicated 
anyway. So the second option is to report an offence to the prosecutive 
authorities (no idea who handles data security issues in the states - 
the FBI maybe?) or supervisory bodies (US Department of Health?). You 
could do both, just so you tried, and maybe add some politician known to 
be keen on privacy and data security to your list of contacts.

If you expect that there is no chance for the flaw to be fixed correctly 
(i.e. without a chance to reoccur in a different flavour within some 
days), there is little sense in contacting the involved parties directly.

Denis
