Full Disclosure mailing list archives

Re: ACM.ORG data leak still there 4 days after announcing to CEO John White


From: Benji <me () b3nji com>
Date: Mon, 22 Feb 2010 19:52:33 +0000

Not to be a dick or anything, but whether it should be or not is irrelevant;
it is a crime. As you seem to be a "security expert" doing "penetration
testing and security audits", I'm sure you'd understand that, for example, a
remote file include is literally just a case of 'modifying one parameter of
a URL'.

You didn't enumerate passwords, well, I guess that makes the crime slightly
less serious. Personal info isn't worth that much, I've heard.

In fact, by publishing data and the fact there is a hole, you could argue
that in fact you could've made the situation worse for ACM. Hypothetically,
now you've displayed that a hole is there, someone could go and dump the
database, saving them the time of even looking for a vulnerable site.

I'm just wondering what makes you so sure they won't do anything like that?

On Mon, Feb 22, 2010 at 7:46 PM, the hacker <info () the-hacker info> wrote:

Hello Benji

I did not crack/enumerate any passwords, use a buffer overflow with
metasploit or whatever other tools...

I don't think that by just modifying one parameter of a URL you already
break a law (or all people who have spelling problems when entering a URL
would be in jail).

Also I have contacted ACM with my REAL name, address, phone number etc. via
email.

I've even called the CEO twice!

So they know my identity, because I just wanted to let them know about the
problem on their website - but when they did not react for 4 days I
extracted some sample data (I could have got much more) from the site to
mail it to them. I've extracted enough to show them that it's not just 10
addresses, but it's far from everything.

So I wonder why I should be in trouble for wanting to help them?

Do you other guys on the list also think that this is already a crime?

By the way, I've sent the mail with the data 2 hours ago but no reaction.

Greetings

th

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/