| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAH-PCH5JDSdhXXmwyxP=VX-C+sz952+74PNLDLT-p4yiVuVjnQ@mail.gmail.com>
Date: Thu, 24 Jan 2013 16:31:18 +0100
From: Ferenc Kovacs <tyra3l@...il.com>
To: Sanguinarious Rose <SanguineRose@...ultusterra.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Student expelled from Montreal college after
finding vulnerability that compromised security of 250, 000
yeah, this is why most banks sucks: they won't let me try to break in, even
if I have my money there and only doing it for making sure that it is
secure.
I promise I wouldn't touch anything else.
On Tue, Jan 22, 2013 at 3:08 AM, Sanguinarious Rose <
SanguineRose@...ultusterra.com> wrote:
> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.
>
> Did they public post all the private information?
> No
>
> Did they try to use it for malious or illicit purposes?
> No
>
> Did they report it when they found it?
> Yes
>
> A horrible moral compass indeed! Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?
>
> On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
> <nick@...us-l.demon.co.uk> wrote:
> > Jeffrey Walton wrote:
> >
> >> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <philip@...uk.com>
> wrote:
> >> > Moreover, he ran it again after reporting it to see if it was still
> there.
> >> > Essentially he's doing an unauthorised pen test having alerted them
> that
> >> > he'd done one already.
> >> If his personal information is in the proprietary system, I believe he
> >> has every right to very the security of the system.
> >
> > BUT how can he "verify" (I assume that was the word you meant?") proper
> > security of _his_ personal details? He would have to test using
> > someone _else's_ access credentials. That is "unauthorized access" by
> > most relevant legislation in most jurisdictions.
> >
> > Alternately, he could try accessing someone else's data from his login,
> > and that is equally clearly unauthorized access.
> >
> > He and his colleague who originally discovered the flaw may have used
> > each other's access credentials to access their own data, or used their
> > own credentials to access the other's data _in agreement between
> > themselves_ BUT in so doing most likely broke the terms of service of
> > the system/their school/etc, _equally_ putting them afoul of most
> > unauthorized access legislation.
> >
> >> Is he allowed to "opt-out" of the system (probably not)? If not, he
> >> has a responsibility to check.
> >
> > BUT he has no resposibility to check on anyone _else's_ data and no
> > _authority_ to use anyone else's credentials to check on his own.
> >
> > So, what "responsibility" does he really have?
> >
> > It sounds like he should have left well alone once he had reported this
> > to the university and the vendors. That he did not have the sense or
> > moral compass to recognize that tells us something important about him.
> >
> >
> >
> > Regards,
> >
> > Nick FitzGerald
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists