Full Disclosure mailing list archives
Re: Who Do I Contact?
From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Sat, 22 Apr 2006 15:13:40 -0500
I have not viewed anyone's SSNs, not even one. I just know the hole is there and that someone can view mine, which makes it possible for anyone to view anyone's. I have been careful not to overstep my bounds by accessing anything not already accessible legally. I just wish for this to be fixed so I can sleep at night, but instead I know that I may already have had my SSN stolen. Who knows. I'm just very frustrated at the school's lack of concern and speed.
----- Original Message -----
From: "Brian Eaton" <eaton.lists () gmail com>
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Who Do I Contact?
Date: Sat, 22 Apr 2006 15:59:25 -0400

On 4/22/06, CrYpTiC MauleR <crypticmauler () linuxmail org> wrote:

> I'm sorry, I don't plan on going public with the details of the hole except with school staff and/or law enforcement. The main reason being I don't want to put my info and my parents' info in any greater danger than it already is in. As you know, identity theft is one of the fastest growing crimes, so I feel that releasing the news before the hole is fixed will do more damage than good.

Understood. I would have the same concerns if I were in your position. For what it's worth, I was not suggesting you go public with details. I was thinking the process would go more like this:

- you talk to the editor of the paper, explain the impact of the hole, and make sure they understand that if they were to publish too much information about the problem it could lead to several thousand SSNs getting stolen.
- the paper could visit the VP of IT and interview them, get them to confirm the problem and explain what is being done to resolve the issue.
- hopefully that pushes the IT department to move a little more quickly to either fix the problem, or at least take steps to reduce the risk of it being exploited.
- If the problem gets fixed, great. The paper gets a scoop by publishing the story, the info doesn't get stolen, everybody sleeps better at night.
- If the problem doesn't get fixed, the paper gets to release a little bit of information about the hole, hopefully not too much. The VP of IT starts getting pressure from students, parents, and alumni to resolve the issue. Almost nobody sleeps better at night, but hopefully there will be quicker progress once there is more pressure.

I do suggest you be careful. You (apparently) have exploited this hole to view at least a few SSNs. Though I'm sure you had only good intentions, you were probably breaking the law when you did that. Also, people don't tend to react well when threatened. It's better to play nice and keep lines of communication open.

Best of luck to you.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/