Security Basics mailing list archives
Re: Ethics Question
From: Sebastian Schneider <ses () straightliners de>
Date: Fri, 22 Aug 2003 02:31:21 +0200
The article is kind of interesting. As far as I know, German laws are quite different, but I'm going to find out more on that issue.

On Friday 22 August 2003 00:39, Suzanne Rodday wrote:

> You might want to read the article on Security Focus (http://www.securityfocus.com/columnists/179), as this article talks about a similar situation... "The Sad Tale of a Security Whistleblower"
>
> -Suzanne
>
> At 2:04 PM -0400 8/21/03, Adam Newhard wrote:
>
>> Anonymously report it to that company... either through untraceable email or USPS... preferably USPS, as you're guaranteed it won't be sent back through you. Your only concern is that your old boss knows you mentioned it, so that's the only way it's traceable to you (that, and bugtraq mail is googled... a quick search on there and there's viable evidence of what you may do in the future for your old boss to accuse you of whatever he may feel plausible... i.e. if someone uses the exploit, well, then that certainly sucks for you if you mention it). If other people have mentioned it to him, then that's another story. Do it anonymously if you do decide to do it... your concern shouldn't be getting public recognition.
>>
>> adam
>>
>> ----------------------------------------------------
>> Adam Newhard
>> Microstrain, Inc.
>> If vegetarians eat vegetables, watch out for humanitarians
>>
>> ----- Original Message -----
>> From: "Mike Taylor" <mtaylor () ablenology com>
>> To: <security-basics () securityfocus com>
>> Sent: Wednesday, August 20, 2003 10:54 PM
>> Subject: Ethics Question
>>
>>> Hello all,
>>>
>>> The question I have is: do I tell a company that I did work for that a system they have is not secure?
>>>
>>> Background: I worked for Company X (left them because I could not get paid regularly). They have a contract to support and keep secure Company Y. I noticed on an audit that the machine that is used for finances is VERY insecure. It is a terminal server machine that is set up so that 2 people can get to it from the outside. When you remote to this machine it bypasses login and gives you a blank desktop with the finance package login. To bypass, all you have to do is send a ctrl-shift-esc, get the task manager and File > Run > explorer, and you have a machine that can browse the whole network.
>>>
>>> I had brought this to my then boss's attention; he said don't mention it, we will fix it later. The hole is still there. What would you do?
>>>
>>> Thanks,
>>> Mike

- --
Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany
Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de