Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Should I Be Worried?
From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Wed, 26 Apr 2006 16:55:09 -0500

I'm just going to give up. I am wasting too much time and jumping through too many loops to get anything done. I will 
just watch my credit report and file a complaint to the Department Of Higher Education and then leave it at that. I 
have better things to do with my time than practically begging on my knees for the school to take concern in protecting 
student information. I just didn't think it would be this hard, I shouldn't have to bend over backwards just to get the 
right thing done, school should do it without any question. This is my last post to FD on this topic, I'm going to get 
back to doing my homework and move on. Thanks for all the insight on the topic guys, take care.

----- Original Message -----
From: "Sol Invictus" <sol () haveyoubeentested org>
To: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Subject: Re: [Full-disclosure] Should I Be Worried?
Date: Wed, 26 Apr 2006 16:16:59 -0400

CrYpTiC MauleR wrote:

Forgot to say that the VP of Software Dev who is in charge of the 
site said he would do an emergency fix in 6 hours to fix the 
problem. As I expected the problem is still there. Either he is a 
moron and didn't understand me or they just tried to give the 
impression they were fixing it. So sad to say site is still vuln, 
reason thinking public spotlight will make them get off their ass 
and actually do something productive to protect student 
information. At this point I can not trust the IT staff because 
on 2 occasions the VPs of 2 departments lied to me about fixing 
the hole. I've contacted the Department Of Higher Education and 
will be filing a complaint against the school. Not only is their 
lack of concern about the problem disturbing, their IT 
administration seems to be unqualified to deal with it either.

----- Original Message -----
From: bkfsec <bkfsec () sdf lonestar org>
To: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Subject: Re: [Full-disclosure] Should I Be Worried?
Date: Wed, 26 Apr 2006 15:04:04 -0400

CrYpTiC MauleR wrote:

After reading http://www.securityfocus.com/news/11389 it made 
me think twice about actually going public with my school's 
security hole by having school notify students, parents and/or 
faculty at risk due to it.

I mean I didnt access any records, just knew that it was 
possible for someone to access my account or anyone elses. I 
did not even exploit the hole to steal, modify etc any records. 
Does this still put me in the same boat at the USC guy? If so I 
am really not wanting to butt heads with the school in case 
they try to turn around and bite the hand that tried to help 
them. Even if my intentions were good, they might even make 
something up saying I accessed entire database or something. I 
have nothing to prove me otherwise since they have access to 
the logs. Already it seems like the school is trying to sweep 
the incident under the rug, so very wary as to what they might 
do if they were pushed into a corner and forced to go public. 
Anyone has any idea what I can do or should I just let this 
slide? I am already putting my credit report and such on fraud 
alert just in case, and definelty do not plan on attending this 
school after my degree or school year is over. A transfer is 
better than having me risk my data.

I think you're probably jumping the gun a little bit here.

From what I gather, you approached people about the issue, you 
got some resolution on it.  Switching schools is not necessarily 
going to help you because, believe me, every institution has 
problems with regard to information leakage.  If it's not 
technical, it's social leakage.  If you're concerned about 
possible problems to yourself, then maybe full disclosure may 
not be appropriate. Think about it for a second.  Holes in both 
software and procedures are fixed daily in any given 
institution. The *vast* majority of it is never reported.  And 
what would we really gain if it was?  School A fixes an XSS bug 
in their web app.  Woopty freaking doooo...  School B patches 
their servers 2 months late, but are now up to date... School C 
fires a registrar for giving out SS numbers over the phone to 
unknown contacts, but not necessarily known to be malicious... 

Without proof of a violation of security or privacy, it doesn't 
really mean much.  Just having a social security number these 
days is grounds for people to be concerned.  This is why it was 
originally against mandate for it to be used as a national ID 

In fact, let's take that one step further and look at the whole 
financial infrastructure.  It's a shambles.  Not secure at all.  
Anyone with the right contract can pull your credit report and 
start adding accounts to your name. Be afraid, be very afraid.  
But, be afraid for the right reasons.  Really, the only reason 
you should be thinking full disclosure now is if they didn't fix 
the bug, which IIRC they did.  If you're really concerned about 
your privacy, that should be where it stops.  Full disclosure 
after fixes works with software components, not necessarily 
organizations.  Society as a whole is not necessarily going to 
learn anything from relatively generic examples of institutions 
having a security issue (which we don't even have proof of any 
exploit of those issues). So best thing to do is back off for a 
bit, lay low... you got a response, why keep putting yourself in 
the spotlight and drawing them to you?  Organizations threaten 
legal action, more often than not, to shut people up.  Just 
consider that if that's what you're concerned about.  Be subtle.


Go FD Young Man!!!!

Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]