Re: Informing Companies about security vulnerabilities...

From: Micro Kluge (microkluge@hotmail.com)
Date: Fri Oct 06 2006 - 07:30:35 EDT


And what would you expect the store owner to do if someone comes by to
"practice" picking the locks on his store?

>From: Wolf Halton <saphil@yahoo.com>
>To: Andreas Putzo <putzoa@gmx.de>, pen-test@securityfocus.com
>Subject: Re: Informing Companies about security vulnerabilities...
>Date: Wed, 4 Oct 2006 18:14:02 -0700 (PDT)
>
>sla.ckers.com has lists of sites that might have various
>vulnerabilities. On a similar note, does knowing that most Kwikset
>door locks can be picked by a professional in about 20 seconds make you
>have to pick all of them that you see? That is almost as fast as the
>owner of the key can turn the lock, but knowing it (even knowing how to
>do it) doesn't make you a criminal. I think we need a much stronger
>professional association to legitimize our use of our minds and
>skill-sets. I hate the idea of state-sanctioned anything, but state
>licensing based upon passing some set of certificates might be very
>useful to avoid these knee-jerk witch-hunting parties.
>
>--- Andreas Putzo <putzoa@gmx.de> wrote:
>
> > On Oct 04, Joseph McCray wrote:
> > > Usually when we do this we only find a few simple things (XSS for
> > > example) - no big deal, right? With this particular website we just kept
> > > finding another, after another and on and on. Over 600 instances of XSS,
> > > over 200 SQL Injection - this was bad. After a while it started to get
> > > boring there were so many....
> > >
> > > So I drafted a letter to the editor as well as several other prominent
> > > people at the newspaper. It detailed my findings and recommended some
> > > possible mitigation strategies. After emailing this I didn't hear
> > > anything for a few days, so I emailed it again and followed up with a
> > > phone call. After getting no response to the second email and then
> > > having been bounced around from department to department when I called I
> > > just said forget it.
> >
> > You can try to set them an ultimatum pretending to disclose the holes
> > to the public. Perhaps they are more willing to react if they are
> > forced to do so.
> > Depending on the information you can get through the website
> > (customer data anywhere?) and the laws in your country (IANAL, btw.)
> > you may go to the intrigued publicity, indeed. They gotta have to do
> > something if someone defaced their website actually.
> >
> >
> > --
> > regards,
> > Andreas Putzo
> >


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT