Received: by butch.nwinternet.com (mbox pchelp) (with Cubic Circle's cucipop (v1.31 1998/05/13) Mon Jun 18 23:04:39 2001) X-From_: joe@ljsystems.com Mon Jun 18 20:31:59 2001 Return-Path: Received: from mailserv.ljsystems.com (lj-pdc.ljsystems.com [207.181.248.115]) by butch.nwinternet.com (8.9.3/8.9.3) with ESMTP id UAA23072 for ; Mon, 18 Jun 2001 20:31:58 -0700 Received: from home (c119234-a.frmt1.sfba.home.com [65.3.204.67]) by mailserv.ljsystems.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id NFD676Y6; Mon, 18 Jun 2001 20:29:58 -0700 Reply-To: From: "Joe" To: , Cc: , , , Subject: RE: security issues Date: Mon, 18 Jun 2001 20:31:49 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-reply-to: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 While I have no problem with your exposing security flaws in websites, I would like you to consider the following: I was just discussing the release of confidential information with an attorney friend tonight, and he indicated that it would be illegal to forward the confidential information to someone, or use it for something. He also said that the fact that a door is open doesn't mean you are allowed to enter - and certainly not take something. I haven't read the article in wired yet, but if at any point PChelp OR Wired USED any of the confidential information, or FORWARDED to someone that used it, this would be a criminal offense. This would include calling customers with the confidential information on our site. I repeat again, the fact that you could get to it does not make it less confidential. While the site had a security problem for maybe a day (and during the update process over the weekend), where hackers that knew how to get it - could potentially get it - that does NOT justify stealing confidential information; whether it was for journalistic or even more sinister purposes. At this point we have made no decision as to suing PChelp or Wired Magazine. I feel, however, that the integrity of both PCHelp and Wired is seriously hurt. What PCHelp did in forwarding the confidential information was irresponsible at best - and Wired Magazine actually admitting to using the confidential information to contact customers, well, that seems just plain stupid. While I have 50 programmers, one of which apparently made a mistake when transfering the website to a new machine, I at least fixed the problem quickly - you discovered it on the 16th and it was fixed in the morning of the 18th, with the site being down 90% of the time in between - for PCHelp and Wired to retrieve confidential information and then use it, I find that inexcusible. You could just as easy have explained the situation - no need to make use of information that is clearly not yours - which is what I assumed was the reason you contacted us about the security flaw in the first place. Again, I appreciate that you expose security flaws in general, but feel that you handled it the wrong way this time. If either of you have any decency you print this is a follow up to your articles. Thank You. Joe J.