[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
- To: Sanguinarious Rose <SanguineRose@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
- From: Ferenc Kovacs <tyra3l@xxxxxxxxx>
- Date: Thu, 24 Jan 2013 16:31:18 +0100
yeah, this is why most banks sucks: they won't let me try to break in, even
if I have my money there and only doing it for making sure that it is
secure.
I promise I wouldn't touch anything else.
On Tue, Jan 22, 2013 at 3:08 AM, Sanguinarious Rose <
SanguineRose@xxxxxxxxxxxxxxxxx> wrote:
> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.
>
> Did they public post all the private information?
> No
>
> Did they try to use it for malious or illicit purposes?
> No
>
> Did they report it when they found it?
> Yes
>
> A horrible moral compass indeed! Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?
>
> On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
> <nick@xxxxxxxxxxxxxxxxxxx> wrote:
> > Jeffrey Walton wrote:
> >
> >> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <philip@xxxxxxxxx>
> wrote:
> >> > Moreover, he ran it again after reporting it to see if it was still
> there.
> >> > Essentially he's doing an unauthorised pen test having alerted them
> that
> >> > he'd done one already.
> >> If his personal information is in the proprietary system, I believe he
> >> has every right to very the security of the system.
> >
> > BUT how can he "verify" (I assume that was the word you meant?") proper
> > security of _his_ personal details? He would have to test using
> > someone _else's_ access credentials. That is "unauthorized access" by
> > most relevant legislation in most jurisdictions.
> >
> > Alternately, he could try accessing someone else's data from his login,
> > and that is equally clearly unauthorized access.
> >
> > He and his colleague who originally discovered the flaw may have used
> > each other's access credentials to access their own data, or used their
> > own credentials to access the other's data _in agreement between
> > themselves_ BUT in so doing most likely broke the terms of service of
> > the system/their school/etc, _equally_ putting them afoul of most
> > unauthorized access legislation.
> >
> >> Is he allowed to "opt-out" of the system (probably not)? If not, he
> >> has a responsibility to check.
> >
> > BUT he has no resposibility to check on anyone _else's_ data and no
> > _authority_ to use anyone else's credentials to check on his own.
> >
> > So, what "responsibility" does he really have?
> >
> > It sounds like he should have left well alone once he had reported this
> > to the university and the vendors. That he did not have the sense or
> > moral compass to recognize that tells us something important about him.
> >
> >
> >
> > Regards,
> >
> > Nick FitzGerald
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/