lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 11 Jul 2007 10:27:35 -0400
From: "J. Oquendo" <sil@...iltrated.net>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Wachovia Bank website sends
	confidential	information

Valdis.Kletnieks@...edu wrote:
> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>
>   
>> 7 days?   "industry practice"?   Come on Bob I know you know that large
>> corporations can't feed a cat in 7 days let alone make unscheduled
>> website changes that fast.  Change control approvals alone would include
>> 14 or more days in most enterprises.   Why the rush to "say so"?
>>     
>
> On the other hand, I think that they *could* manage at least a "Wow d00dz, we
> really *do* have a hole there" reply and at least give a handwaving about
> when they'd fix it.  Of course, actually *fixing* a design flaw that big
> is going to take them *months*.
>   

Driver walks into a dealer and speaks to customer service:

"These brake pads are extremely vulnerable to slipping during X
conditions on a 90 degree slalom" says the driver. Puzzled and
not knowing squat about slaloms, or the breaking system, the
customer service rep send the driver to a mechanic.

"These brake pads are extremely vulnerable to slipping during X
conditions on a 90 degree slalom. Someone will die!" says the
driver to the mechanic... Not being able to change the auto's
design nor engineering, the mechanic is puzzled and offers to
take the information although he is even more puzzled on who
this should be directed to.

Two days later driver rambles on news stations nationwide:
"Their arrogance will get people killed. I warned them repeatedly"
People moan and grumble, etc., recalls, fixes...

This Wachovia thread is pointless. I see no mention or posting
to perhaps any security list (and I'm on many both public and
private) saying: "Hey is there anyone who can put me in touch
with someone in the know at Wachovia" on any list. All I see
is... "I called customer service". So what, if you're a security
professional you will know damn well you're getting nowhere
with them. "I spoke to their w3bm4ster". And? Either the poster
is looking for attention or a complete and utter idiot. If his
or her true intention was to provide a report of a security
woe concerning said business or product, he or she could have
easily jumped on any security mailing list and found the right
connection instead of rambling on "the sky is falling..."

Let me see:
wachovia security cissp "incident" +network via Google

This looks interesting:
http://www.bryceporter.com/

I would have contacted someone on this level to put me in
touch with the right person. But hey, guess its more hip
to add stupid little tags next to your resume or webpage:
I broke $INSERT_VENDOR_HERE




-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato



Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5157 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ