Full Disclosure mailing list archives
Re: Who should i contact?
From: <screwedbytaxes () hushmail com>
Date: Wed, 5 Jul 2006 07:06:58 -0700
Answers to clarify the situation:

1. It's not H&R Block.

2. I have checked the privacy policy and they explicitly assert that they will never share the email address for **any** reason with **any** party. Email address is to be used ONLY for filing taxes.

3. The system that was used for taxes was specifically built for that specific tax season, and it was wiped (zeroes) and rebuilt two weeks later. It was not used for any other applications. It never saw ANY other networking or websites than simply filing taxes. Data was burned to disk afterwards and remains stored in a safe. This computer sat behind a firewall in a DMZ blocked even from the rest of the network. IIRC, this was also THREE years ago, and Bagle has only been around about two.

4. While the addresses are not "random-proof", please explain how else these FOUR email addresses were specifically "randomly" generated and spammed within 72 hours of each other from the same IP address that sent no other spam to any other address on the server. One, sure. Two, big maybe. Three, very very unlikely. Four? Hell no.

5. As for email, the only email these addresses have ever received were confirmations of the original filing (2 each, from the period of original filing) and then two promotional emails (for the tax service) last year and again this year. Granted, these messages introduce at least the potential for exploitation on my side, but again, JUST the tax-related address? I use over 100 legitimate email addresses, more than 40 of them on a given day; my other email addresses are plastered EVERYWHERE online. But NONE of those addresses were spammed by that IP, and these four, ALL tied to this one tax company, were? No way in hell is that a coincidence.

But more importantly, this is NOT about the spam. Sure, I'm upset - companies that pull that suck, but I don't really care about the spam. The spam is just a symptom of data being shared or exposed in violation of their privacy policy (we chose this company with their privacy policy in mind). I *do* care that the /rest/ of my data was likely lifted as well. I want to know if that was the case and if they have any hope or intent of doing anything about it. Frankly, I don't think they care. If they did, they wouldn't put me in a position where I have to drag this into the media or a court just to get a simple answer.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Who should i contact? screwedbytaxes (Jul 05)
- Re: Who should i contact? Cardoso (Jul 05)
- Re: Who should i contact? Joe Stewart (Jul 05)
- Re: Who should i contact? Valdis . Kletnieks (Jul 05)
- Re: Who should i contact? H D Moore (Jul 05)
- <Possible follow-ups>
- Re: Who should i contact? screwedbytaxes (Jul 05)