Full Disclosure mailing list archives
Re: Who Do I Contact?
From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Sat, 22 Apr 2006 16:58:29 -0500
I can not stress the fact I will not be going public with it since it risks MY information and MY PARENTS' information. Reason I have not given details of the hole other than its implications and will not post the school's name or even state which it resides in until this is fixed and the site has at least been audited.

I am a supporter of full disclosure, but when I see in this situation the pros and cons of going FD the cons heavily outweigh any benefit. Yes the school may move faster, or they won't but in the process it would put thousands of student records at risk to misuse and id theft. ID theft is the worst case scenario since without a good credit, etc your life in the modern world is pretty crappy financially. I do not want to put anyone in danger of having their lives ruined by going FD. I just want one thing and that is for this to be fixed so I can rest assured that I do not have to worry that my info could be stolen by someone as they please.

I am in the process of contacting people and will also be contacting the Attorney General of the state the school is in. Unfortunately that can only be done on Monday, so school has extra 24 hours to fix hole or I will bring media attention to them to get it done. I don't care for publicity, fame, etc I just don't want my damn information vulnerable period! If I had the choice I would leave the school right now but that would hurt me financially and academically.

Thank you so far everyone for the input and helpful suggestions and information on how to deal with this matter. Very much appreciated.

Regards,
CM
----- Original Message -----
From: "Javor Ninov" <drfrancky () securax org>
To: "Don Bailey" <don.bailey () gmail com>
Subject: Re: [Full-disclosure] Who Do I Contact?
Date: Sun, 23 Apr 2006 00:40:10 +0300

Then what is the meaning of "Full Disclosure" ?

--
Javor Ninov aka DrFrancky
http://securitydot.net/

Don Bailey wrote:
> > "If the vendor refuses to act upon the news of the vulnerability, then Full Disclosure is in order." (don't release the numbers of course but release a generic statement that "this" university is not secure.
>
> Is this a joke? Absolutely do *not* implement full disclosure. Doing so will cause unnecessary and probable exposure of private information. First, contact the university's IT department. If that doesn't work, contact a regent of the university. They will put you in touch with an individual that can fix the problem.
>
> There is no reason to reveal the university to parties that have no business with said information. Public forums only disclose information to people that have no right to that information. You can not control the actions individuals in the public have. Risking the privacy of innocent students and faculty is not the proper means to solve a problem. Do you want X number of script kids pounding a university causing them more problems?
>
> > Send a copy of the email to the University. Might want to include their local TV news as well. You'd be surprised how the alumni will react to get that fixed.
>
> What are you, a media whore?
>
> > In order to give them one more shot you may wish to tell them on which date it will be publicly released.
>
> Ridiculous.
>
> Don "north" Bailey

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/