Message-ID: <61f54f4f0707271121i92b5c04uf6f15165d07779a9@mail.gmail.com>
Date: Fri, 27 Jul 2007 11:21:33 -0700
From: "secure poon" <suckure@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Hash

fucktard morons, (now write me a 10-paragraph response, I'm waiting!)


On 7/27/07, Tremaine Lea <tremaine@...il.com> wrote:
>
>
> On 27-Jul-07, at 7:49 AM, Valdis.Kletnieks@...edu wrote:
>
> > On Thu, 26 Jul 2007 18:23:37 MDT, Tremaine Lea said:
> >
> >> Apparently you've never heard of a mail administrator tagging
> >> outbound email for all users. It's pretty common.  Of course, you may
> >> lack the experience of dealing with large companies.
> >
> > The fact a large company does it doesn't make it any less stupid.
> > And you think a large company could afford their own mailserver rather
> > than making their people use Gmail (now wrap your head around the
> > concept of "confidential mail anywhere *near* a Google-owned server"... ;)
>
> I was as amused by that as you.
>
>
> >
> > To pick up on a part of the sig that Nick didn't rip into publicly:
> >
> >> "and delete it from your system"
> >
> > Presumably, Tremaine, in his self-claimed role as "Security Consultant"
> > *and* "Paranoia for hire", realizes that it quite likely sat on my
> > site's main mail server for anywhere from several seconds to several
> > hours (in fact, there are probably copies on *3* different servers in
> > our mail cluster) - and that until some *other* piece of mail happens
> > to land on those same blocks of storage, the text is quite easy to
> > recover by any decent computer forensics practitioner.
>
> Yes, I do realize this.  Duh.
>
>
> >
> > On the other hand, actually going in and overwriting the affected
> > block(s) is quite challenging, especially when it's a 10 terabyte
> > mailstore handling several million messages a day for 100K users.
> > We'll be happy to do it - *IF* Tremaine's company is willing to
> > indemnify us for the downtime.
>
> Why would I (or the company I contract to) be interested in what you
> do to delete Sergio's email?
>
>
> >
> > So there's 2 possible outcomes here:
> >
> > 1) The request has zero legal standing, and Tremaine's company is
> > relying on the kindness of strangers rather than using PGP or S/MIME
> > to actually secure their mail.  This sort of thing is usually called
> > "lack of due diligence", and I don't think any company wants to be
> > flaunting it.
>
> Speaking of due diligence...  I'm pretty sure literacy and following
> a trail of information is basic to this field.  As you've clearly
> missed, Sergio has nothing to do with me, the company I work with,
> or ... hell, who knows.  I don't know the guy from Adam.  Or you.
>
>
> >
> > 2) The request *does* have legal standing - in which case Tremaine's
> > company may indeed have some liability to pick up any and all
> > associated costs.
>
>
> Again with the not being able to follow the bouncing ball.
>
> >
> > Particularly interesting is the legal question of what happens when a
> > "please delete all copies" request is attached to something that's
> > sent to a company that is required to retain copies of *everything*
> > for regulatory compliance (as is true for some financial-sector
> > companies).....
>
> That's the only really interesting thing you've contributed, and it's
> a good question.  Any one know of any court cases on this?
>
> - ---
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> "Paranoia for hire"
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
