Full Disclosure mailing list archives
Re: You shady bastards.
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Sat, 9 Jun 2007 23:55:58 +0300 (EEST)
A very good point. The subject line doesn't always show anything related to a personal e-mail message, and does the person monitoring messages know what is related to his/her work? I see adding the word PRIVATE as a part of the subject line as a good practice. It's not so easy to accidentally post these e-mails to mailing lists etc.

Related to Maynor's case: if you are reading the e-mail account of a former employee and you click a link included in a message marked as private, you really cross the line.

HDM made a good decision in using the file name maynor.tar.gz. If you are testing issues like this, use very rare file names, and it is worth testing Return Receipt too. And use a complicated directory structure (not easy to guess) when generating the test files like maynor.tar.gz.

- Juha-Matti

rlogin () hush ai wrote:

The key is *personal* e-mail. It's not unreasonable for any company to assume their e-mail systems are used primarily for business purposes. The e-mail doesn't indicate it's personal. It doesn't say, "Your gonorrhea test results have come back! Click here for the results." The e-mail has no contents other than a link and doesn't indicate that the "Zero Day" promise was made after this employee left the company. In fact, the subject "Zero Day" is directly related to SecureWorks' business, and it's entirely reasonable to expect a security company to investigate the contents. I'm actually surprised someone actually monitors these accounts and took the time to look into it!

On Wed, 06 Jun 2007 20:28:26 -0400 security curmudgeon <jericho () attrition org> wrote:

: >> A more ethical company would have sent HDM a polite note saying that the person no longer works there before curiosity got the best of them.
:
: Does your company do this for all former employee e-mail accounts?

No. But they also don't continue to accept mail to those accounts either.

: Let's hope he unsubscribed from all his mailing lists before he left.

If a company is going to continue monitoring a former employee's mailbox (intentionally or via a 'catch all'), that is fine. But when they specifically act on a personal private mail between someone outside of their company and the former employee, they are crossing the line of ethical behavior, I think. As I said, the least they should have done is mail HDM and notified him the person no longer works there. If they didn't do that, and if you think they shouldn't be required to, then they shouldn't act on the information in the mail either.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
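The bait-link technique Juha-Matti describes above (a rare file name under a directory path nobody could guess, so that any request for it proves someone read the mail) is easy to script. The following is an added example, written for this archive page and not code from anyone in the thread: it generates an unguessable canary path from CSPRNG bytes and then scans web-server access-log lines in the common "combined" format for requests that touched that path. The host name, the fixed sample path and the log lines are constructed for the example; the canary file does not even need to exist on the server, since a 404 is logged just like a 200.

```python
import re
import secrets
from datetime import datetime

# Hypothetical host serving the bait file (assumption; not from the thread).
BASE_URL = "https://bait.example.invalid"


def make_canary_path(label, depth=2, nbytes=16):
    """Build /<rand>/<rand>/<label>.tar.gz with `depth` random segments.

    Each segment carries `nbytes` of CSPRNG entropy, so the path cannot be
    reached by scanning or dictionary guessing: a hit can only come from
    someone who received the link, or who read the mail carrying it.
    """
    segments = [secrets.token_urlsafe(nbytes) for _ in range(depth)]
    return "/" + "/".join(segments) + "/" + label + ".tar.gz"


def make_canary_url(label):
    """Full bait URL to paste into the test e-mail."""
    return BASE_URL + make_canary_path(label)


# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_canary_hits(log_lines, canary_path):
    """Return one record per request whose path (query string ignored)
    equals the canary path. Lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != canary_path:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "user_agent": m.group("ua"),
        })
    return hits


# Constructed sample data: a fixed canary path and a few access-log lines.
# Only the second and fourth lines request the bait; the last line is junk.
SAMPLE_CANARY = "/q7Vb2xK9mP0sLwZa/Yt4HcR1nEu8JdFo/maynor.tar.gz"
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2007:23:10:02 +0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Jun/2007:23:41:17 +0300] "GET ' + SAMPLE_CANARY
    + ' HTTP/1.1" 404 169 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.23 - - [09/Jun/2007:23:41:19 +0300] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.88 - - [10/Jun/2007:00:02:44 +0300] "HEAD ' + SAMPLE_CANARY
    + '?x=1 HTTP/1.0" 404 0 "-" "curl/7.16.1"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    print("bait URL:", make_canary_url("maynor"))
    for h in find_canary_hits(SAMPLE_LOG, SAMPLE_CANARY):
        print(h["time"].isoformat(), h["ip"], h["method"], h["status"], h["user_agent"])
```

Two random 16-byte segments give far more entropy than any crawler or scanner will ever cover, so a single matching request is a reliable signal; the log record then tells you when it happened and from where, which is exactly the evidence the thread is arguing about.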
Current thread:
- Re: You shady bastards., (continued)
- Re: You shady bastards. Thierry Zoller (Jun 08)
- Re: You shady bastards. - CONFIDENTIAL Larry Seltzer (Jun 08)
- Shady bastards - CONFIDENTIAL (Terms of Services) J. Oquendo (Jun 08)
- Re: You shady bastards. Kradorex Xeron (Jun 08)
- Re: You shady bastards. Thierry Zoller (Jun 08)
- Re: You shady bastards. Kradorex Xeron (Jun 08)
- Re: You shady bastards. Dude VanWinkle (Jun 08)