Before you think of being a do-gooder...

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Wed May 24 04:48:10 UTC 2006


  Something that's more likely to happen to us geeks than Joe-Sixpack...
an article that discusses the pitfalls of disclosing vulnerabilities
*EVEN TO THE SITE ADMINS*...
http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/
And don't think that it can't happen here in Canada...
  - Police and courts here can be just as stupid as in the USA

  - I'm also quoting a case that happened in Britain

  - Many websites we deal with here are actually hosted in the US, so
    extradition is a possibility

  His recommendations...
  - don't ask, don't tell.  Don't tell *ANYBODY* even about your
    suspicions

  - do *NOT* "investigate further" if you have suspicions.  See...
    http://www.securityfocus.com/news/11341
> On December 31, 2004, Cuthbert, using an Apple laptop and Safari
> browser, became concerned that a website collecting credit card
> details for donations to the Tsunami appeal could be a phishing
> site. After making a donation, and not seeing a final confirmation
> or thank-you page, Cuthbert put ../../../ into the address line. If
> the site had been unprotected this would have allowed him to move
> up three directories.
> 
> After running the two tests, at between 15.12 and 15.15 on New Year's
> Eve, Cuthbert took no further action.
    *HE WAS CONVICTED*

  - If you *REALLY* *REALLY* *REALLY* know what you're doing, an
    anonymizer might work.  The vast majority will eventually keel in
    to search warrants and subpoenas

  - If you feel that your personal info is at risk...
    - *DON'T* "investigate further"
    - see a lawyer and tell him of your suspicions
    - ask the lawyer to write a cease-&-desist letter, with implications
      of a possible lawsuit, asking the site to stop potentially
      exposing your personal info.  (The best defence is a good offence)

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml