[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Who Do I Contact?
- To: "Brian Eaton" <eaton.lists@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Who Do I Contact?
- From: "CrYpTiC MauleR" <crypticmauler@xxxxxxxxxxxxx>
- Date: Sat, 22 Apr 2006 15:13:40 -0500
I have not viewed anyones SSNs not even one. I just know the hole is there and
that someone can view mine which makes it possible for anyone to view anyone's.
I have been careful not to overstep my bounds by accessing anything not already
accesible legally. I just wish for this to be fixed so I can sleep at night,
but instead knowing that I may already have had my SSN stolen. Who knows. I'm
just very frustrated at the school's lack of concern and speed.
> ----- Original Message -----
> From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Who Do I Contact?
> Date: Sat, 22 Apr 2006 15:59:25 -0400
>
>
> On 4/22/06, CrYpTiC MauleR <crypticmauler@xxxxxxxxxxxxx> wrote:
> > I'm sorry I don't plan on going public with the details of the
> > hole except with
> > school staff and/or law enforcement. Main reason being dont want to put my
> > info and my parents info in any great danger than it already is
> > in. As you know
> > identity theft is one of the fastest growing crimes so I feel
> > that releasing the
> > news before the holes is fixed will do more damage than good.
>
> Understood. I would have the same concerns if I were in your
> position. For what it's worth, I was not suggesting you go public
> with details. I was thinking the process would go more like this:
>
> - you talk to the editor of the paper, explain the impact of the hole,
> and make sure they understand that if they were to publish too much
> information about the problem it could lead to several thousand SSNs
> getting stolen.
>
> - the paper could visit the VP of IT and interview them, get them to
> confirm the problem and explain what is being done to resolve the
> issue.
>
> - hopefully that pushes the IT department to move a little more
> quickly to either fix the problem, or at least take steps to reduce
> the risk of it being exploited.
>
> - If the problem gets fixed, great. The paper gets a scoop by
> publishing the story, the info doesn't get stolen, everybody sleeps
> better at night.
>
> - If the problem doesn't get fixed, the paper gets to release a little
> bit of information about the hole, hopefully not too much. The VP of
> IT starts getting pressure from students, parents, and alumni to
> resolve the issue. Almost nobody sleeps better at night, but
> hopefully there will be quicker progress once there is more pressure.
>
> I do suggest you be careful. You (apparently) have exploited this
> hole to view at least a few SSNs. Though I'm sure you had only good
> intentions, you were probably breaking the law when you did that.
> Also, people don't tend to react well when threatened. It's better to
> play nice and keep lines of communication open.
>
> Best of luck to you.
>
> Regards,
> Brian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/