lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 16:31:18 +0100
From: Ferenc Kovacs <tyra3l@...il.com>
To: Sanguinarious Rose <SanguineRose@...ultusterra.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Student expelled from Montreal college after
 finding vulnerability that compromised security of 250, 000

yeah, this is why most banks sucks: they won't let me try to break in, even
if I have my money there and only doing it for making sure that it is
secure.
I promise I wouldn't touch anything else.


On Tue, Jan 22, 2013 at 3:08 AM, Sanguinarious Rose <
SanguineRose@...ultusterra.com> wrote:

> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.
>
> Did they public post all the private information?
> No
>
> Did they try to use it for malious or illicit purposes?
> No
>
> Did they report it when they found it?
> Yes
>
> A horrible moral compass indeed! Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?
>
> On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
> <nick@...us-l.demon.co.uk> wrote:
> > Jeffrey Walton wrote:
> >
> >> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <philip@...uk.com>
> wrote:
> >> > Moreover, he ran it again after reporting it to see if it was still
> there.
> >> > Essentially he's doing an unauthorised pen test having alerted them
> that
> >> > he'd done one already.
> >> If his personal information is in the proprietary system, I believe he
> >> has every right to very the security of the system.
> >
> > BUT how can he "verify" (I assume that was the word you meant?") proper
> > security of _his_ personal details?  He would have to test using
> > someone _else's_ access credentials.  That is "unauthorized access" by
> > most relevant legislation in most jurisdictions.
> >
> > Alternately, he could try accessing someone else's data from his login,
> > and that is equally clearly unauthorized access.
> >
> > He and his colleague who originally discovered the flaw may have used
> > each other's access credentials to access their own data, or used their
> > own credentials to access the other's data _in agreement between
> > themselves_ BUT in so doing most likely broke the terms of service of
> > the system/their school/etc, _equally_ putting them afoul of most
> > unauthorized access legislation.
> >
> >> Is he allowed to "opt-out" of the system (probably not)? If not, he
> >> has a responsibility to check.
> >
> > BUT he has no resposibility to check on anyone _else's_ data and no
> > _authority_ to use anyone else's credentials to check on his own.
> >
> > So, what "responsibility" does he really have?
> >
> > It sounds like he should have left well alone once he had reported this
> > to the university and the vendors.  That he did not have the sense or
> > moral compass to recognize that tells us something important about him.
> >
> >
> >
> > Regards,
> >
> > Nick FitzGerald
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists