Message-ID: <CACt_CWmx3gkU8QOQkFL_Qs97GtKra7Ubbn8GHvajaKRN3Nrdzg@mail.gmail.com>
Date: Tue, 22 Jan 2013 15:48:37 +1300
From: Daniel Richards <kyhwana@...il.com>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

The correct answer you're looking for is: Sell it on the black vulnerability/exploit market. Profit!

On Tue, Jan 22, 2013 at 3:08 PM, Sanguinarious Rose <SanguineRose@...ultusterra.com> wrote:
> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.
>
> Did they publicly post all the private information?
> No
>
> Did they try to use it for malicious or illicit purposes?
> No
>
> Did they report it when they found it?
> Yes
>
> A horrible moral compass indeed! Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?
>
> On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
>> Jeffrey Walton wrote:
>>
>>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <philip@...uk.com> wrote:
>>> > Moreover, he ran it again after reporting it to see if it was still there.
>>> > Essentially he's doing an unauthorised pen test having alerted them that
>>> > he'd done one already.
>>> If his personal information is in the proprietary system, I believe he
>>> has every right to very the security of the system.
>>
>> BUT how can he "verify" (I assume that was the word you meant?) proper
>> security of _his_ personal details? He would have to test using
>> someone _else's_ access credentials. That is "unauthorized access" by
>> most relevant legislation in most jurisdictions.
>>
>> Alternately, he could try accessing someone else's data from his login,
>> and that is equally clearly unauthorized access.
>>
>> He and his colleague who originally discovered the flaw may have used
>> each other's access credentials to access their own data, or used their
>> own credentials to access the other's data _in agreement between
>> themselves_ BUT in so doing most likely broke the terms of service of
>> the system/their school/etc, _equally_ putting them afoul of most
>> unauthorized access legislation.
>>
>>> Is he allowed to "opt-out" of the system (probably not)? If not, he
>>> has a responsibility to check.
>>
>> BUT he has no responsibility to check on anyone _else's_ data and no
>> _authority_ to use anyone else's credentials to check on his own.
>>
>> So, what "responsibility" does he really have?
>>
>> It sounds like he should have left well alone once he had reported this
>> to the university and the vendors. That he did not have the sense or
>> moral compass to recognize that tells us something important about him.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/