Message-ID: <f5dc671002221152u4d8452eewd89b880eca90fcac@mail.gmail.com>
Date: Mon, 22 Feb 2010 19:52:33 +0000
From: Benji <me@...ji.com>
To: the hacker <info@...-hacker.info>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: ACM.ORG data leak still there 4 days after announcing to CEO John White
Not to be a dick or anything, but whether it should be or not is irrelevant,
it is a crime. As you seem to be a "security expert" doing "penetration
testing and security audits", I'm sure you'd understand that, for example, a
remote file include is literally just a case of 'modifying one parameter of
an url'.

You didn't enumerate passwords, well, I guess that makes the crime slightly
less serious. Personal info isn't worth that much, I've heard.

In fact, by publishing data and the fact that there is a hole, you could argue
that you could've made the situation worse for ACM. Hypothetically,
now that you've displayed that a hole is there, someone could go and dump the
database, saving them the time of even looking for a vulnerable site.

I'm just wondering what makes you so sure they won't do anything like that?
On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info@...-hacker.info> wrote:
> Hello Benji
>
> I did not crack/enumerate any passwords, use buffer overflow with
> metasploit or whatever other tools...
>
> I don't think that by just modifying one parameter of a URL you already
> break a law (or all people that have spelling problems when entering a URL
> would be in jail).
>
> Also I have contacted ACM with my REAL name, address, phone number etc. via
> email.
>
> I've even called the CEO twice!
>
> So they know my identity because I just wanted to let them know about the
> problem on their website - but when they did not react for 4 days I
> extracted some sample data (I could have got much more) from the site to
> mail it to them. I've extracted enough to show them that it's not just 10
> addresses, but it's far from everything.
>
> So I wonder why I should be in trouble for wanting to help them?
>
> Do you other guys on the list also think that this is already a crime?
>
> By the way, I've sent the mail with the data 2 hours ago but no reaction.
>
> Greetings
>
> th