| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jul 2007 12:03:09 -0400 (EDT)
From: Bob Bruen <bruen@...drain.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Wachovia Bank website sends confidential
information
While it is true that lots of folk pick on vendors for a few minutes of
fame, the Wachovia case is slightly different.
They do have an attitude problem and are technically challenged. The basis
for this is a law enforcement conference about six months ago. During a
pressentation a Wachovia representative told a speaker to stop blaming the
banks for problems. This was the third presentation this individual has
listened to in which each speaker had blamed the banks for not doing
enough and the frustration level was a bit high.
This only comes up because of the current Wachovia web site issue. It
shows that there is an internal problem, worse than most, endind with the
current situation. And no I will not indentify any of the players.
--bob
On Wed, 11 Jul 2007, J. Oquendo wrote:
> Valdis.Kletnieks@...edu wrote:
>> On Tue, 10 Jul 2007 21:39:33 EDT, Jim Popovitch said:
>>
>>
>>> 7 days? "industry practice"? Come on Bob I know you know that large
>>> corporations can't feed a cat in 7 days let alone make unscheduled
>>> website changes that fast. Change control approvals alone would include
>>> 14 or more days in most enterprises. Why the rush to "say so"?
>>>
>>
>> On the other hand, I think that they *could* manage at least a "Wow d00dz,
>> we
>> really *do* have a hole there" reply and at least give a handwaving about
>> when they'd fix it. Of course, actually *fixing* a design flaw that big
>> is going to take them *months*.
>>
>
> Driver walks into a dealer and speaks to customer service:
>
> "These brake pads are extremely vulnerable to slipping during X
> conditions on a 90 degree slalom" says the driver. Puzzled and
> not knowing squat about slaloms, or the breaking system, the
> customer service rep send the driver to a mechanic.
>
> "These brake pads are extremely vulnerable to slipping during X
> conditions on a 90 degree slalom. Someone will die!" says the
> driver to the mechanic... Not being able to change the auto's
> design nor engineering, the mechanic is puzzled and offers to
> take the information although he is even more puzzled on who
> this should be directed to.
>
> Two days later driver rambles on news stations nationwide:
> "Their arrogance will get people killed. I warned them repeatedly"
> People moan and grumble, etc., recalls, fixes...
>
> This Wachovia thread is pointless. I see no mention or posting
> to perhaps any security list (and I'm on many both public and
> private) saying: "Hey is there anyone who can put me in touch
> with someone in the know at Wachovia" on any list. All I see
> is... "I called customer service". So what, if you're a security
> professional you will know damn well you're getting nowhere
> with them. "I spoke to their w3bm4ster". And? Either the poster
> is looking for attention or a complete and utter idiot. If his
> or her true intention was to provide a report of a security
> woe concerning said business or product, he or she could have
> easily jumped on any security mailing list and found the right
> connection instead of rambling on "the sky is falling..."
>
> Let me see:
> wachovia security cissp "incident" +network via Google
>
> This looks interesting:
> http://www.bryceporter.com/
>
> I would have contacted someone on this level to put me in
> touch with the right person. But hey, guess its more hip
> to add stupid little tags next to your resume or webpage:
> I broke $INSERT_VENDOR_HERE
>
>
>
>
>
--
Dr. Robert Bruen
Cold Rain Technologies
http://coldrain.net
+1.802.579.6288
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists