Full Disclosure mailing list archives

Re: Who Do I Contact?


From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Sat, 22 Apr 2006 16:58:29 -0500

I can not stress the fact I will not be going public with it since it risks MY information and MY PARENTS' information. 
Reason I have not given details of the hole other than its implications and will not post the school's name or even 
state which it resides in until this is fixed and the site has at least been audited. I am a supporter of full 
disclosure, but when I see in this situation the pros and cons of going FD the cons heavily outweigh any benefit. Yes 
the school may move faster, or they won't, but in the process it would put thousands of student records at risk to misuse 
and id theft. ID theft is the worst case scenario since without a good credit, etc your life in the modern world is 
pretty crappy financially. I do not want to put anyone in danger of having their lives ruined by going FD. I just want 
one thing and that is for this to be fixed so I can rest assured that I do not have to worry that my info could be 
stolen by someone as they please. I am in the process of contacting people and will also be contacting the Attorney 
General of the state the school is in. Unfortunately that can only be done on Monday, so school has extra 24 hours to 
fix hole or I will bring media attention to them to get it done. I don't care for publicity, fame, etc I just don't 
want my damn information vulnerable period! If I had the choice I would leave the school right now but that would hurt 
me financially and academically. Thank you so far everyone for the input and helpful suggestions and information on how 
to deal with this matter. Very much appreciated.

Regards,
CM


----- Original Message -----
From: "Javor Ninov" <drfrancky () securax org>
To: "Don Bailey" <don.bailey () gmail com>
Subject: Re: [Full-disclosure] Who Do I Contact?
Date: Sun, 23 Apr 2006 00:40:10 +0300


Then what is the meaning of "Full Disclosure" ?

--
Javor Ninov aka DrFrancky
http://securitydot.net/

Don Bailey wrote:
"If the vendor refuses to act upon the news of the 
vulnerability, then Full Disclosure is in order."  (don't 
release the numbers of course but release a generic statement 
that "this" university is not secure.


Is this a joke? Absolutely do *not* implement full disclosure. Doing
so will cause unnecessary and probable exposure of private
information.

First, contact the university's IT department. If that doesn't work,
contact a regent of the university. They will put you in touch
with an individual that can fix the problem. There is no reason
to reveal the university to parties that have no business with
said information. Public forums only disclose information to
people that have no right to that information. You cannot
control the actions individuals in the public have.

Risking the privacy of innocent students and faculty is not
the proper means to solve a problem.

Do you want X number of script kids pounding a university
causing them more problems?

Send a copy of the email to the University.  Might want to 
include their local TV news as well.  You'd be surprised how 
the alumni will react to get that fixed.


What are you, a media whore?

In order to give them one more shot you may wish to tell them 
on which date it will be publicly released.


Ridiculous.

Don "north" Bailey



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





