the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards
From: Brian Rea <brian () brianrea org>
Date: Wed, 27 Feb 2002 23:03:14 -0500
Even though this is political in nature, I chose to forward it along since it
relates DIRECTLY to full disclosure and reporting parties being attacked
financially and legally for doing the right and responsible thing.
----- Original Message -----
From: "Declan McCullagh" <declan () well com>
To: <politech () politechbot com>
Sent: Wednesday, February 27, 2002 21:29
Subject: FC: French site Kitetoa.com fined for expose of security hole
| Here's an article about Kitetoa.com's expose of Doubleclick:
| This is another good reason to publish sensitive information untraceably.
| Establish a persistent pseudonymous identity -- standard procedure would be
| to generate a private-public keypair and sign your reports with it. You
| would also receive messages encrypted to your public key (so only you can
| decipher them) and dropped in a public place such as a Usenet newsgroup or
| popular mailing list. Eventually, if the legal threat disappears, you can
| reveal your truename and receive credit for your earlier work.
| Naturally it'll be difficult for you to get paid under this scenario, but
| doesn't everyone do this for the love of the craft? :)
| Date: Thu, 28 Feb 2002 02:43:06 +0100
| From: Solveig <solveig () transfert net>
| Organization: transfert
| To: declan () well com
| CC: "Kitetoa at Kitetoa . com" <kitetoa () kitetoa com>
| Subject: Kitetoa in danger
| Hello declan,
| Sorry for my bad English, but I think this story should be told...
| Sadly, there are only French links until now. But American media have
| already written some articles about Kitetoa, who disclosed some
| security flaws in DoubleClick last year, and recently, in Choicepoint...
| The webmaster of Kitetoa, a French group of security enthusiasts with a
| passion for showing how badly protected our personal data is, has been
| sentenced by a French court to a 1000 euro fine. Using nothing more than
| Netscape Navigator's features, he could access Tati's (a clothes
| discounter's) file directory, and then all consumer profiles. He had
| warned the webmaster of Tati one year before about the problem, but no
| effort was made to secure the server. So he disclosed the breach of
| security in an article on www.kitetoa.com. Tati did nothing until the
| news was republished by an offline mag called Newbiz - too much
| publicity for Tati, let's sue those disturbers. Notice that Newbiz
| wasn't targeted, only the small investigative website. Although the
| judge couldn't identify precisely the nature of the "computer fraud"
| Kitetoa was fined for, this sentence creates a dangerous precedent. It
| is likely to lead to some more lawsuits. Kitetoa will probably have to
| stop its activities.
| It reminds us, in France, of the story of Altern, an independent and
| non-profit Internet provider who hosted 40 000 websites. Altern had
| to close because it was held responsible for a nude picture of a
| top-model, was fined, and then was subject to a true rain
| of legal procedures coming from all the people who don't like free
| speech on the Web.
| Now, full disclosure is in danger.
| Kitetoa's file about Kitetoa vs Tati
| Some articles in French
| About Choicepoint in English:
| About DoubleClick in English:
| Best regards,
| Solveig Godeluck mailto:solveig () transfert net
| POLITECH -- Declan McCullagh's politics and technology mailing list
| You may redistribute this message freely if you include this notice.
| Declan McCullagh's photographs are at http://www.mccullagh.org/
| To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
| This message is archived at http://www.politechbot.com/