
Re: [Full-disclosure] Who Do I Contact?



I can not stress the fact I will not be going public with it since it risks MY 
information and MY PARENTS' information. Reason I have not given details of the 
hole other than its implications and will not post the school's name or even 
state which it resides in until this is fixed and the site has at least been 
audited. I am a supporter of full disclosure, but when I see in this situation 
the pros and cons of going FD the cons heavily outweigh any benefit. Yes, the 
school may move faster, or they won't, but in the process it would put thousands 
of student records at risk of misuse and ID theft. ID theft is the worst case 
scenario since without a good credit, etc., your life in the modern world is 
pretty crappy financially. I do not want to put anyone in danger of having 
their lives ruined by going FD. I just want one thing and that is for this to 
be fixed so I can rest assured that I do not have to worry that my info could 
be stolen by someone as they please. I am in the process of contacting people 
and will also be contacting the Attorney General of the state the school is in. 
Unfortunately that can only be done on Monday, so school has extra 24 hours to 
fix hole or I will bring media attention to them to get it done. I don't care 
for publicity, fame, etc., I just don't want my damn information vulnerable 
period! If I had the choice I would leave the school right now but that would 
hurt me financially and academically. Thank you so far everyone for the input 
and helpful suggestions and information on how to deal with this matter. Very 
much appreciated.

Regards,
CM


> ----- Original Message -----
> From: "Javor Ninov" <drfrancky@xxxxxxxxxxx>
> To: "Don Bailey" <don.bailey@xxxxxxxxx>
> Subject: Re: [Full-disclosure] Who Do I Contact?
> Date: Sun, 23 Apr 2006 00:40:10 +0300
> 
> 
> Then what is the meaning of "Full Disclosure" ?
> 
> --
> Javor Ninov aka DrFrancky
> http://securitydot.net/
> 
> Don Bailey wrote:
> >>> "If the vendor refuses to act upon the news of the 
> >>> vulnerability, then Full Disclosure is in order."  (don't 
> >>> release the numbers of course but release a generic statement 
> >>> that "this" university is not secure.)
> >>>
> >
> > Is this a joke? Absolutely do *not* implement full disclosure. Doing
> > so will cause unnecessary and probable exposure of private
> > information.
> >
> > First, contact the university's IT department. If that doesn't work,
> > contact a regent of the university. They will put you in touch
> > with an individual that can fix the problem. There is no reason
> > to reveal the university to parties that have no business with
> > said information. Public forums only disclose information to
> > people that have no right to that information. You can not
> > control the actions individuals in the public have.
> >
> > Risking the privacy of innocent students and faculty is not
> > the proper means to solve a problem.
> >
> > Do you want X number of script kids pounding a university
> > causing them more problems?
> >
> >>> Send a copy of the email to the University.  Might want to 
> >>> include their local TV news as well.  You'd be surprised how 
> >>> the alumni will react to get that fixed.
> >>>
> >
> > What are you, a media whore?
> >
> >>> In order to give them one more shot you may wish to tell them 
> >>> on which date it will be publicly released.
> >>>
> >
> > Ridiculous.
> >
> > Don "north" Bailey
> >
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/