Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: [inbox] Re: [EDU-ops] Who Do I Contact?
From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Sat, 22 Apr 2006 13:30:59 -0500

I have not compromised it. I have not viewed anyones SSN numbers. I just know the hole is there and that it can lead to 
someome being able to view my infomation thus in turn anyone viewing anyone's I was not born yesterday and know that 
overstepping my bounds and actually exploiting the hole to view other people's info is illegal.


----- Original Message -----
From: Exibar <exibar () thelair com>
To: "CrYpTiC MauleR" <crypticmauler () linuxmail org>, RLVaughn <Randy_Vaughn () baylor edu>
Subject: RE: [inbox] Re: [EDU-ops] [Full-disclosure] Who Do I Contact?
Date: Sat, 22 Apr 2006 14:23:33 -0400


Sounds like you've already compromised this vulnerability ans een data.
You've already stepped over the line, no turning back from here.
   Cut and past a couple lines of what you've seen, "X" out a couple places
in the SSN if it makes you feel better, then send them that information.
Tell them in the e-mail that you will contact their local news stations for
advise on who to contact to get it fixed, as you don't have anywhere else to
turn as all the local authorities have turned you to other authorities.

    Exibar

-----Original Message-----
From: CrYpTiC MauleR [mailto:crypticmauler () linuxmail org]
Sent: Saturday, April 22, 2006 2:15 PM
To: RLVaughn
Cc: full-disclosure () lists grok org uk
Subject: [inbox] Re: [EDU-ops] [Full-disclosure] Who Do I Contact?


Yeah looking at just 'new' students there are potentially 7,000+
socials that can be stolen. This does not include students
already attending. I dont know an exact count of the student
population, but only had a new student registration list posted
on site. So estimates are based on those and the fact that
parents' SSNs can be viewed too because were provided for
financial aid. So a family's identity can be stolen in turn =o/


----- Original Message -----
From: RLVaughn <Randy_Vaughn () baylor edu>
To: "Gadi Evron" <ge () linuxbox org>
Subject: Re: [EDU-ops] [Full-disclosure] Who Do I Contact?
Date: Sat, 22 Apr 2006 11:41:59 -0500


Gadi Evron wrote:
CrYpTiC MauleR wrote:
I am sorry I am not going to say who the school is. Mainly
because so many socials numbers are at risk including mine. I
have contacted the VP of Information Technology and he assured
me he would call the company that makes the website. After 20
days the hole was not fixed, so I called the department heads
and am giving them 48 hours from then which is now currently at
24 hours before I move onto notifying someone else. I was also
thinking about contacting FBI about this seeing they handle
school breaches but not sure.

I will not go full disclosure with the info, collect SSNs and
show school (illegal) and also please don't ask me for the
school's name or the details of the hole. The school has been
careless even with the tech department making a support ticket
about my initial report which I later found out anyone could
view too. They obviously don't know how to do anything right. So
if anyone could provide me with a phone number or place I can
contact would be great. Please do not reply with a name or
number without it being posted on a credited site or be easily
verifiable. I am not going to just randomly call whoever someone
tells me too. Could be some idiot wants to just trick me into
giving the details to him. Thank for the help so far guys!


I will see if someone can contact you.
_______________________________________________
EDU-ops mailing list
EDU-ops () isotf org
http://isotf.org/mailman/listinfo/edu-ops
I am checking on an appropriate contact.  I fully understand
your desire to
establish a credible contact and to protect information at risk.  Given
this is a weekend a contact may not be forthcoming until Monday
or Tuesday.

--
Best Regards,
Randal Vaughn
Professor, Information Systems
Baylor University
(254) 710 4756




--
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • RE: [inbox] Re: [EDU-ops] Who Do I Contact? CrYpTiC MauleR (Apr 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]