Before you think of being a do-gooder...
david thornton
david-FkEgs2FKm2NvBvnq28/GKQ at public.gmane.org
Wed May 24 22:36:34 UTC 2006
Walter Dnes wrote:
> Something that's more likely to happen to us geeks than Joe-Sixpack...
> an article that discusses the pitfalls of disclosing vulnerabilities
> *EVEN TO THE SITE ADMINS*...
> http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/
> And don't think that it can't happen here in Canada...
> - Police and courts here can be just as stupid as in the USA
>
> - I'm also quoting a case that happened in Britain
>
> - Many websites we deal with here are actually hosted in the US, so
> extradition is a possibility
>
> His recommendations...
> - don't ask, don't tell. Don't tell *ANYBODY* even about your
> suspicions
>
> - do *NOT* "investigate further" if you have suspicions. See...
> http://www.securityfocus.com/news/11341
>
>
>>On December 31, 2004, Cuthbert, using an Apple laptop and Safari
>>browser, became concerned that a website collecting credit card
>>details for donations to the Tsunami appeal could be a phishing
>>site. After making a donation, and not seeing a final confirmation
>>or thank-you page, Cuthbert put ../../../ into the address line. If
>>the site had been unprotected this would have allowed him to move
>>up three directories.
>>
>>After running the two tests, at between 15.12 and 15.15 on New Year's
>>Eve, Cuthbert took no further action.
>>
> *HE WAS CONVICTED*
>
> - If you *REALLY* *REALLY* *REALLY* know what you're doing, an
> anonymizer might work. The vast majority will eventually keel in
> to search warrants and subpoenas
>
> - If you feel that your personal info is at risk...
> - *DON'T* "investigate further"
> - see a lawyer and tell him of your suspicions
> - ask the lawyer to write a cease-&-desist letter, with implications
> of a possible lawsuit, asking the site to stop potentially
> exposing your personal info. (The best defence is a good offence)
>
A very interesting story indeed.
At first glance my question would be: who do I call / write to get this
act scrutinized (I'm a Canadian UK citizen, working in IT).
however:
http://www.emergentchaos.com/archives/2005/10/daniel_cuthbert.html
The lesson here is: ask first.
Which goes against my nature. If I see a hole; I prove it's a hole
first, then I tell someone. I would look pretty silly screaming "the sky
is falling" if it was not.
So what do you think the conversation would be with a dumb
business (with third party clueless web design group):
(I'm not bitter)
David: Hullo, I saw your site and think there may be a gaping hole in
it. Can I test it out?
Business man: What? Who are you and why are you hacking my web site?
David: I'm not, I haven't. I'd like to help you. I think I see a
vulnerability but the law forbids me from investigating on my own without
your consent. Would you like me to investigate?
If yes: get it in writing.
Oh and: I'm not a lawyer so get professional advice if you really want
to do this.
My biggest problem is I'm allergic to paperwork so I would start
sneezing and coughing as soon as the fax with the consent came in.
And I had ADH -- oh look my belly button.
David
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml