From: "Joe" To: [someone who complained] Date: Mon, 18 Jun 2001 A PC consultant / web security firm called PCHelp (www.pc-help.org) that apparently searches the net for security breaches decided to try to break into a restricted area of our site. While we have no excuse for the security hole, it was an accident caused by moving the site to a new server a few days earlier. When PCHelp notified us we immediately took the site down and applied a fix - the site was down until Monday morning at 8am, with sporadic restarts to test the patch. At 8am Monday the programmers were confident the security hole was fixed and we put the site online. This happened on the 16th, and the site with the fix was put online in the morning the 18th. Now, we would obviously not alert anybody about a security breach before it was fixed - that's the last thing you would do. Furthermore, since the PChelp web security firm notified us about this, we believed they had good intentions, and while we didn't hire them, we did call and ask him how he got into the restricted area of the site. Since the site was moved to the new server on Thursday (and we were down most of the day because of that), and we were notified by a security firm on Friday, we believe that the chances of any compromise of personal info is extremely low. While we apologize for the security breach, I feel that for the web security firm to explain to a magazine HOW TO RETRIEVE confidential information from a site, and they in turn hack into our site and then USE the illegally obtained information, now that is not right. Both the web security firm and Wired magazine should know right from wrong, and as an attorney explained to me tonight, "the fact that a door is open does NOT make it right to enter and take something." I realize that your concern is with your confidential information, but at this point we know of know other breach than PCHelp, Wired Magazine and possibly Ziff-Davis. The PCHelp guy apparently did it as a publicity stunt, and while I have no problem with that part of it, I have a serious problem with him walking through that door and taking information. For Wired Magazine, part of Lycos, to do it, and possibly Ziff-Davis as well, I find even stranger, but realize that they use freelance journalists that are just as interested in making a statement as the PCHelp guy. In case of your card being used without your permission I believe there is a maximum $50 charge for you according to the law, and we will certainly cover that for you if necessary. Also, if your credit card company charges you for replacing your card (not likely), please let me know. I hope you understand our position and accept our apologies - for the short breach of our site, and especially for the behaviour of PCHelp and Wired Magazine. They have the right to report this security breach, but NOT use it to retrieve confidential information, as they apparently did for the Wired story. Thank You. Joe