Before you think of being a do-gooder...

david thornton david-FkEgs2FKm2NvBvnq28/GKQ at public.gmane.org
Wed May 24 22:36:34 UTC 2006


Walter Dnes wrote:

>  Something that's more likely to happen to us geeks than Joe-Sixpack...
>an article that discusses the pitfalls of disclosing vulnerabilities
>*EVEN TO THE SITE ADMINS*...
>http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/
>And don't think that it can't happen here in Canada...
>  - Police and courts here can be just as stupid as in the USA
>
>  - I'm also quoting a case that happened in Britain
>
>  - Many websites we deal with here are actually hosted in the US, so
>    extradition is a possibility
>
>  His recommendations...
>  - don't ask, don't tell.  Don't tell *ANYBODY* even about your
>    suspicions
>
>  - do *NOT* "investigate further" if you have suspicions.  See...
>    http://www.securityfocus.com/news/11341
>  
>
>>On December 31, 2004, Cuthbert, using an Apple laptop and Safari
>>browser, became concerned that a website collecting credit card
>>details for donations to the Tsunami appeal could be a phishing
>>site. After making a donation, and not seeing a final confirmation
>>or thank-you page, Cuthbert put ../../../ into the address line. If
>>the site had been unprotected this would have allowed him to move
>>up three directories.
>>
>>After running the two tests, at between 15.12 and 15.15 on New Year's
>>Eve, Cuthbert took no further action.
>>    
>>
>    *HE WAS CONVICTED*
>
>  - If you *REALLY* *REALLY* *REALLY* know what you're doing, an
>    anonymizer might work.  The vast majority will eventually keel in
>    to search warrants and subpoenas
>
>  - If you feel that your personal info is at risk...
>    - *DON'T* "investigate further"
>    - see a lawyer and tell him of your suspicions
>    - ask the lawyer to write a cease-&-desist letter, with implications
>      of a possible lawsuit, asking the site to stop potentially
>      exposing your personal info.  (The best defence is a good offence)
>
>  
>
A very interesting story indeed.

At first glance my question would be: who do I call / write to get this 
act scrutinized? (I'm a Canadian UK citizen, working in IT.)

however:
http://www.emergentchaos.com/archives/2005/10/daniel_cuthbert.html

The lesson here is: ask first.

Which goes against my nature. If I see a hole, I prove it's a hole 
first, then I tell someone. I would look pretty silly screaming "the sky 
is falling" if it was not.

So what do you think the conversation would be with a dumb 
business (with a third-party clueless web design group)?
(I'm not bitter.)

David: Hullo, I saw your site and think there may be a gaping hole in 
it. Can I test it out?
Business man: What? Who are you and why are you hacking my web site?
David: I'm not, I haven't. I'd like to help you. I think I see a 
vulnerability but the law forbids me from investigating on my own without 
your consent. Would you like me to investigate?

If yes: get it in writing.

Oh and: I'm not a lawyer, so get professional advice if you really want 
to do this.

My biggest problem is I'm allergic to paperwork, so I would start 
sneezing and coughing as soon as the fax with the consent came in.

And I had ADH -- oh look, my belly button.

David
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml