Re: You shady bastards.

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

A very good point.
The subject line doesn't always show anything related to personal e-mail message and does the person monitoring 
messages know what is related to his/hers work?

I see adding the word PRIVATE as a part of subject line a good practice.

It's not so easy to accidentally post these e-mails to mailing lists etc.
Related to Maynor's case: If you are reading the e-mail account of former employer and you click a link included to 
message with marked as private you really cross the line.

HDM made a good decision when using a file name maynor.tar.gz.

If you are testing issues like this use very rare file names and it is worth of testing Return Receipt too. And use a 
complicated directory structure (not easy to guess) when generating the test files like maynor.tar.gz.

- Juha-Matti

rlogin () hush ai wrote: 
> The key is *personal* e-mail.  It's not unreasonable for any 
> company to assume their e-mail systems are used primarily for 
> business purposes. The e-mail doesn't indicate it's personal. It 
> doesn't say, "Your Ghonorrhea test results have come back!  Click 
> here for the results."  The e-mail has no contents other than a 
> link and doesn't indicate that the "Zero Day" promise was made 
> after this employee left the company. In fact, the subject "Zero 
> Day" is directly related to SecureWork's business and it's entirely 
> reasonable to expect a security company to investigate the 
> contents. I'm actually surprised someone actually monitors these 
> accounts and took the time to look into it!
>
> On Wed, 06 Jun 2007 20:28:26 -0400 security curmudgeon 
> <jericho () attrition org> wrote:
> > : >>A more ethical company would have sent HDM a polite note 
> > saying that
> > : the person no longer works there before curiosity got the best 
> > of them. 
> > : 
> > : Does your company do this for all former employee e-mail 
> > accounts?
> >
> > No. But they also don't continue to accept mail to those accounts 
> > either.
> >
> > : Let's hope he unsubscribed from all his mailing lists before he 
> > left.
> >
> > If a company is going to continue monitoring a former employee's 
> > mailbox 
> > (intentionally or via a 'catch all'), that is fine. But when they 
> > specifically act on a personal private mail between someone 
> > outside of 
> > their company and the former employee, they are crossing the line 
> > of 
> > ethical behavior I think. As I said, the least they should have 
> > done is 
> > mail HDM and notified him the person no longer works there. If 
> > they didn't 
> > do that, and if you think they shouldn't be required to, then they 
> >
> > shouldn't act on the information in the mail either.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Click to become a master chef, own a restaurant and make millions
> http://tagline.hushmail.com/fc/CAaCXv1QhbNmqK0ynJatT1qFQMwOiVRg/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/