Date: Mon, 22 Feb 2010 19:52:33 +0000
From: Benji <me@...ji.com>
To: the hacker <info@...-hacker.info>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ACM.ORG data leak still there 4 days after
	announcing to CEO John White

Not to be a dick or anything, but whether it should be or not is irrelevant,
it is a crime. As you seem to be a "security expert" doing "penetration
testing and security audits" I'm sure you'd understand that, for example, a
remote file include is literally just a case of 'modifying one parameter of
a URL'.

You didn't enumerate passwords, well, I guess that makes the crime slightly
less serious. Personal info isn't worth that much I've heard.

In fact, by publishing data and the fact there is a hole, you could argue
that in fact you could've made the situation worse for ACM. Hypothetically,
now you've displayed that a hole is there, someone could go and dump the
database, saving them the time of even looking for a vulnerable site.

I'm just wondering what makes you so sure they won't do anything like that?

On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info@...-hacker.info> wrote:

> Hello Benji
>
> I did not crack/enumerate any passwords, use buffer overflow with
> metasploit or whatever other tools...
>
> I don't think that by just modifying one parameter of a URL you already
> break a law (or all people that have spelling problems when entering a URL
> would be in jail).
>
> Also I have contacted ACM with my REAL name, address, phone number etc. via
> email.
>
> I've even called the CEO twice!
>
> So they know my identity because I just wanted to let them know about the
> problem on their website - but when they did not react for 4 days I
> extracted some sample data (I could have got much more) from the site to
> mail it to them. I've extracted enough to show them that it's not just 10
> addresses, but it's far from everything.
>
> So I wonder why I should be in trouble for wanting to help them?
>
> Do you other guys on the list also think that this is already a crime?
>
> By the way, I've sent the mail with the data 2 hours ago but no reaction.
>
> Greetings
>
> th
