funsec mailing list archives

Re: Apple's worst security breach: 114, 000 iPad owners exposed


From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 27 Jun 2010 15:02:14 -0400

Sometimes it's very interesting to note that an address
given only to A turns up in B's hands...or B's,
C's, D's, E's, etc. hands in some instances.
...
For instance, United Airlines has been observed leaking
addresses to Brazilian spammers.
HP is notoriously bad about selling and sharing. Proof by example:
call support, and verify the email you supply will *only* be used for
support reasons (the call center folks will state it without asking).
Then wait about two weeks. Question: since I called and authorized one
business unit (support), and support stated the data was not
authorized for use in other departments, does that mean an internal
breach occurred because a second business unit (marketing) obtained
and abused the data?

On Sun, Jun 27, 2010 at 2:28 PM, Rich Kulawiec <rsk () gsp org> wrote:
On Sun, Jun 13, 2010 at 11:19:16AM +1200, Nick FitzGerald wrote:
Most security professionals I've either asked directly about this or
with whom it's come up some way or other in conversation (admittedly
not a large proportion of all such folk I know), _do_ exactly that.
And at least some "more normal" folk I know (i.e. not security
professionals) do this too.  There are a number of reasons, but
commonly having a single "well protected" (by the privacy policies of
those companies they trust to share the address with) address is the
reason (the other one is tracking who sells, etc., addresses and these
folk use a separate address for each company/entity that they share
contact details with).

I've done this for a very long time.  Sometimes the individually-supplied
addresses are rather obviously mine; sometimes they're not.  And I keep
very careful records of which addresses were given to whom.  I've also
trained some other people to do the same.  Sometimes it's very interesting
to note that an address given only to A turns up in B's hands...or B's,
C's, D's, E's, etc. hands in some instances.  There have been any number
of fascinating little case studies demonstrating that data is either
being sold or stolen or otherwise leaked from numerous operations (some
of which predictably claim that this is impossible and that those reporting
same must be mistaken, incompetent, senile or lying).  For instance,
United Airlines has been observed leaking addresses to Brazilian spammers.

---Rsk
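The bookkeeping Rich describes (one address per entity, careful records of which address went to whom) can be checked mechanically. This is an added example, not code from the thread: the registry, the inbound log lines and every domain in it are constructed, and it flags an address only when mail for it arrives from a domain other than the one it was issued to.

```python
import collections

# Constructed registry: each tagged address was handed to exactly one entity,
# together with the sender domains that entity is expected to mail from.
REGISTRY = {
    "rsk+united@example.org": ("United Airlines", {"united.com"}),
    "rsk+hpsupport@example.org": ("HP support", {"hp.com"}),
    "rsk+bank@example.org": ("Example Bank", {"examplebank.example"}),
}

# Constructed inbound log, one "sender -> recipient" pair per line.
INBOUND_LOG = """\
notices@united.com -> rsk+united@example.org
promo@spammer-br.example -> rsk+united@example.org
support@hp.com -> rsk+hpsupport@example.org
deals@hp-marketing.example -> rsk+hpsupport@example.org
alerts@examplebank.example -> rsk+bank@example.org
x@unknown.example -> rsk+nevergiven@example.org
"""


def parse_log(text):
    """Yield lower-cased (sender, recipient) pairs; lines without '->' are skipped."""
    for line in text.splitlines():
        if "->" not in line:
            continue
        sender, recipient = (p.strip().lower() for p in line.split("->", 1))
        yield sender, recipient


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def classify(sender, recipient, registry=REGISTRY):
    """'expected' if the sender domain matches the entity the address was issued
    to, 'leak' if it does not, 'unregistered' if the tag was never handed out.
    A different business unit mailing from the same domain is NOT detected."""
    entry = registry.get(recipient)
    if entry is None:
        return "unregistered"
    _entity, allowed = entry
    return "expected" if domain_of(sender) in allowed else "leak"


def leak_report(text, registry=REGISTRY):
    """Map each entity to the sorted list of unexpected sender domains seen on
    the address it alone was given. Unregistered recipients are not reported."""
    report = collections.defaultdict(set)
    for sender, recipient in parse_log(text):
        if classify(sender, recipient, registry) == "leak":
            report[registry[recipient][0]].add(domain_of(sender))
    return {entity: sorted(domains) for entity, domains in report.items()}


if __name__ == "__main__":
    for entity, domains in leak_report(INBOUND_LOG).items():
        print(f"{entity}: address seen from {', '.join(domains)}")
```

The report says only that an address left the hands it was given to, not whether it was sold, stolen or shared internally; that distinction still needs the records Rich keeps.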

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
