Security Basics mailing list archives
Re: Ethics Question
From: "Adam Newhard" <atnewhard () microstrain com>
Date: Thu, 21 Aug 2003 14:04:22 -0400
Anonymously report it to that company...either through untraceable email or USPS...preferably USPS as you're guaranteed it won't be sent back through you. Your only concern is that your old boss knows you mentioned it so that's the only way it's traceable to you (that and bugtraq mail is googled...a quick search on there and there's viable evidence of what you may do in the future for your old boss to accuse you of whatever he may feel plausible...i.e. if someone uses the exploit well then that certainly sucks for you if you mention it). If other people have mentioned it to him then that's another story. Do it anonymously if you do decide to do it...your concern shouldn't be getting public recognition.

adam

----------------------------------------------------
Adam Newhard
Microstrain, Inc.
If vegetarians eat vegetables, watch out for humanitarians

----- Original Message -----
From: "Mike Taylor" <mtaylor () ablenology com>
To: <security-basics () securityfocus com>
Sent: Wednesday, August 20, 2003 10:54 PM
Subject: Ethics Question
Hello all

Question I have is do I tell a company that I did work for that a system they have is not secure.

Background: I worked for Company X (left them because I could not get paid regularly) they have a contract to support and keep secure Company Y. I noticed on an audit that the machine that is used for finances is VERY insecure. It is a terminal server machine that is set up so that 2 people can get to it from the outside. When you remote to this machine it bypasses login and gives you a blank desktop with the finance package login. To bypass all you have to do is send a Ctrl-Shift-Esc get the task manager and file run -explorer and you have a machine that can browse the whole network. I had brought this to my then boss's attention he said don't mention it we will fix it later. The hole is still there.

What would you do?

Thanks,
Mike