Open Source and information security mailing list archives
 
Date: Thu, 07 Jun 2007 07:40:44 -0400
From: <rlogin@...h.ai>
To: <larry@...ryseltzer.com>,<jericho@...rition.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: You shady bastards.

The key is *personal* e-mail.  It's not unreasonable for any 
company to assume their e-mail systems are used primarily for 
business purposes. The e-mail doesn't indicate it's personal. It 
doesn't say, "Your Gonorrhea test results have come back!  Click 
here for the results."  The e-mail has no contents other than a 
link and doesn't indicate that the "Zero Day" promise was made 
after this employee left the company. In fact, the subject "Zero 
Day" is directly related to SecureWorks' business and it's entirely 
reasonable to expect a security company to investigate the 
contents. I'm actually surprised someone actually monitors these 
accounts and took the time to look into it!

On Wed, 06 Jun 2007 20:28:26 -0400 security curmudgeon 
<jericho@...rition.org> wrote:
>: >>A more ethical company would have sent HDM a polite note saying that
>: the person no longer works there before curiosity got the best of them.
>:
>: Does your company do this for all former employee e-mail accounts?
>
>No. But they also don't continue to accept mail to those accounts either.
>
>: Let's hope he unsubscribed from all his mailing lists before he left.
>
>If a company is going to continue monitoring a former employee's mailbox
>(intentionally or via a 'catch all'), that is fine. But when they
>specifically act on a personal private mail between someone outside of
>their company and the former employee, they are crossing the line of
>ethical behavior I think. As I said, the least they should have done is
>mail HDM and notified him the person no longer works there. If they didn't
>do that, and if you think they shouldn't be required to, then they
>shouldn't act on the information in the mail either.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
