----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Major Breach of Privacy
Date: Sat, 16 Jun 2001 22:14:26 GMT
Message-ID: <3b2bd90d.14771464@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 22:12:53 +0000 (UTC)


By sheer accident today, I made a _crashing_ discovery about a large
online computer store whose entire database of orders, including full
personal details and credit card numbers for all their customers over
the past year or so, was accessible to anyone on the Net with a browser.

I've reported the fact to the vendor, whose site was immediately taken
offline.

I've also reported it to one of the corporate headquarters of VISA/MC,
where I reached a mid-management executive who promised to pass on the
information for action.

More info to follow, when I feel free to provide it.

pchelp



----------

From: handyman@firstaid.org (Geek)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sat, 16 Jun 2001 23:00:24 GMT
Message-ID: <3b2be4d8.1268146@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 22:59:12 +0000 (UTC)

Just out of curiosity,  was it Egghead?  They were hacked not too long
ago.

Geek..

On Sat, 16 Jun 2001 22:14:26 GMT, pchelp@nwi.net (pchelp) wrote:

>
>By sheer accident today, I made a _crashing_ discovery about a large
>online computer store whose entire database of orders, including full
>personal details and credit card numbers for all their customers over
>the past year or so, was accessible to anyone on the Net with a browser.
>
>I've reported the fact to the vendor, whose site was immediately taken
>offline.
>
>I've also reported it to one of the corporate headquarters of VISA/MC,
>where I reached a mid-management executive who promised to pass on the
>information for action.
>
>More info to follow, when I feel free to provide it.
>
>pchelp




----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sat, 16 Jun 2001 23:10:01 GMT
Message-ID: <3b2be5b7.18013999@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 23:08:28 +0000 (UTC)

handyman@firstaid.org (Geek) wrote:

>Just out of curiosity,  was it Egghead?  They were hacked not too long
>ago.

Nope.

An online computer sales operation located in Hayward, CA.

I will tell all as soon as I can.

I've specifically asked to be informed of action.

My concern is for the people whose credit and personal information was
compromised.  My intent is to see that they are informed of what
happened.

I have no compunction about naming the company, and I'll willingly
detail how I was able to access their records.  But not until I know
they've got the system secured.  At the moment they're still offline.

And of course I'd like to give the company and the credit card system
their opportunity to get the affected persons informed.

If they do nothing or too little, I'll certainly make a public fuss!

My data indicates 15,153 order records were available.  Offhand I'd
guess something on the order of 10,000 credit cards were compromised.
Those people all have a right to know.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sat, 16 Jun 2001 19:21:26 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1595b403e44890ab98991d@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 23:20:00 +0000 (UTC)

In article <3b2be5b7.18013999@news.grc.com>, pchelp@nwi.net says...

> I have no compunction about naming the company, and I'll willingly
> detail how I was able to access their records.  But not until I know
> they've got the system secured.  At the moment they're still offline.

thanx, as always, for your vigilence. what i'm thinking, though, is if 
they are offline and so no one can now access the records, isn't it safe 
to let people know at least who the company is? so if they've bought from 
them, they will at least be alerted that their info has been compromised. 
by the time the company gets around to notifying everyone, it may be too 
late for some...?

-- 
Graciella!



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sat, 16 Jun 2001 23:32:46 GMT
Message-ID: <3b2beb1d.19396026@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 23:31:12 +0000 (UTC)

Graciella <graciella@thisis.invalid> wrote:

>In article <3b2be5b7.18013999@news.grc.com>, pchelp@nwi.net says...

>> I have no compunction about naming the company, and I'll willingly
>> detail how I was able to access their records.  But not until I know
>> they've got the system secured.  At the moment they're still offline.

>thanx, as always, for your vigilence. what i'm thinking, though, is if 
>they are offline and so no one can now access the records, isn't it safe 
>to let people know at least who the company is? so if they've bought from 
>them, they will at least be alerted that their info has been compromised. 

I intend to see to it that those affected are alerted.  If I see any
indication that it isn't going to happen, I will instantly publish a
complete expos.


>by the time the company gets around to notifying everyone, it may be too 
>late for some...?

The information has been exposed to view, I presume, since the date of
the first accessible order -- the 21st of July 2000 -- that is, almost a
year.

Because it was so incredibly easy for me to gain access, I find it
difficult to believe the information wasn't accessed by irresponsible
persons continuously over a lengthy period.

IOW, it's already much too late.  But not too late for the vendor and
those exposed to act on the knowledge, of course.

Be assured I'll stay on top of it.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sat, 16 Jun 2001 19:47:11 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1595ba07497b1dcd98991e@news.grc.com>
NNTP-Posting-Date: Sat, 16 Jun 2001 23:45:45 +0000 (UTC)

In article <3b2beb1d.19396026@news.grc.com>, pchelp@nwi.net says...

> Be assured I'll stay on top of it.

i AM sure <G>...you are one of the great resources around!

-- 
Graciella!



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 00:18:06 GMT
Message-ID: <3b2bf723.22474357@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 00:16:32 +0000 (UTC)

Graciella <graciella@thisis.invalid> wrote:

>In article <3b2beb1d.19396026@news.grc.com>, pchelp@nwi.net says...

>> Be assured I'll stay on top of it.

>i AM sure <G>...you are one of the great resources around!

Thanks, Graciella, for your faith and your very kind words!

pchelp



----------

From: Miss Understanding <miss_understanding@psyon.org>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 14:40:51 +0200
Organization: Coherent Chaos
Message-ID: <MPG.1596c0dd5e8c3f61989682@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 12:40:05 +0000 (UTC)

Very interesting.

I'm just curious. Were you poking around looking for vulnerabilities? 
How did you come upon this information? It's not the kind of info that 
usually comes from simply clicking on the exposed links.

I was recently in one of the big chains in my neck of the woods, and 
the guy was filling out a paper receipt by hand. This aroused my 
suspicion. I asked him why he was doing it by hand and not with the 
computer. I was happily surprised by his candor. He said their system 
was hacked. 



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 18:40:01 GMT
Message-ID: <3b2cf2b8.86888850@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 18:38:20 +0000 (UTC)

Miss Understanding <miss_understanding@psyon.org> wrote:

>Very interesting.

>I'm just curious. Were you poking around looking for vulnerabilities? 

Yes, and no.


>How did you come upon this information? It's not the kind of info that 
>usually comes from simply clicking on the exposed links.

A client of mine had ordered from this vendor, with my own address as
the shipping destination.

The hard drive that was in the system we ordered had failed, and was
returned for replacement.  We cross-shipped the drives, but they
evidently kept sketchy records at their end; when their RMA department
got the drive I returned, they apparently saw no record of the
replacement already sent, and sent out yet another drive to replace it.

I noticed on the printout of the original order from weeks before, as
well as the order that accompanied the replacement drive, was a URL.
The orders had been printed from a browser, which by default had
included the URL of the page across the bottom of the page.

The URL included a simple form string containing the order number.
Speculatively, I typed into the location input on my browser that URL;
and I found myself looking at the order, complete with all components
purchased, full personal details, creit card number and all.

I then changed the order number to the next in sequence and saw someone
else's order.  I tried another number.  Same story.  I now knew beyond
doubt that I (and anyone else) had complete access to all their orders;
all customer info, what was bought, credit card numbers, expiration
dates, shipping and billing addresses, phone numbers, email addresses,
the works.  All of it.

The only thing I didn't know was the range of order numbers.

That was easily determined.  I tried lower and higher numbers intil I
knew the lowest and highest.

At that point, I could have written a simple script to grab everything;
all 15,000-plus order records could have been mine within an hour or so.

(I'd have been insane to do so of course.  I was working from my own
dialup account.  On the other hand, I presume these people were so
clueless they may never have known.)

What I did then was to phone them.  I asked to talk to their system
admin because they had a serious problem with security.  The puzzled
woman at the other end passed me on to her supervisor, who fortunately
was a good listener.

He explained that a zip code was required to call up the records.  I
explained that it wasn't.  (There was no zip code in the URL on my
order.)  He tried it.  I think I actually heard the blood drain from his
face over the phone.

Why, oh why, would they make those records world-accessible, at all,
ever?  Even if Zip codes were required to access specific records,
wouldn't someone have figured out that 5-digit numbers most certainly do
not make good passwords?

The stupidity of this is beyond belief.  Well, OK, I've been around a
while.  It's not _quite_ beyond belief.


>I was recently in one of the big chains in my neck of the woods, and 
>the guy was filling out a paper receipt by hand. This aroused my 
>suspicion. I asked him why he was doing it by hand and not with the 
>computer. I was happily surprised by his candor. He said their system 
>was hacked. 

I can't begin to claim I hacked anything.  I just paid a degree of
attention to what was before my eyes.

pchelp



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 19:26:23 GMT
Message-ID: <3b2d0411.91331105@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 19:24:41 +0000 (UTC)

Well, folks, their site is back up and there is NO CHANGE.

That's right.  Their customers' personal info and credit card numbers
are world-readable.

Right this minute.

pchelp


I wrote:

>
>By sheer accident today, I made a _crashing_ discovery about a large
>online computer store whose entire database of orders, including full
>personal details and credit card numbers for all their customers over
>the past year or so, was accessible to anyone on the Net with a browser.
>
>I've reported the fact to the vendor, whose site was immediately taken
>offline.
>
>I've also reported it to one of the corporate headquarters of VISA/MC,
>where I reached a mid-management executive who promised to pass on the
>information for action.
>
>More info to follow, when I feel free to provide it.
>
>pchelp




----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 16:43:59 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1596e060e5def917989924@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 20:42:34 +0000 (UTC)

In article <3b2d0411.91331105@news.grc.com>, pchelp@nwi.net says...
> Well, folks, their site is back up and there is NO CHANGE.
> That's right.  Their customers' personal info and credit card numbers
> are world-readable.

unbelievable! if it includes either your or your client's info, take 
screen shots, run don't walk to the nearest lawyer, and sue their ass. 
they were warned, ignored it, and now you've got a REAL good case <G>! he 
might consider notifying some of the others' whose info is there so they 
can join a class action suit. 

of course, you might not be too enamored of lawyers <G> but this fiasco 
shouldn't go unpunished. look forward to hearing updates!

-- 
Graciella!



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:05:18 GMT
Message-ID: <3b2d1900.96690999@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 21:03:36 +0000 (UTC)

Graciella <graciella@thisis.invalid> wrote:

>In article <3b2d0411.91331105@news.grc.com>, pchelp@nwi.net says...
>> Well, folks, their site is back up and there is NO CHANGE.
>> That's right.  Their customers' personal info and credit card numbers
>> are world-readable.

>unbelievable! if it includes either your or your client's info, take 
>screen shots, run don't walk to the nearest lawyer, and sue their ass. 

It does include my client's info.  I've informed her of the issue.

I directed another client to them at one time in the past as well.


>they were warned, ignored it, and now you've got a REAL good case <G>! he 
>might consider notifying some of the others' whose info is there so they 
>can join a class action suit. 

I've been talking to some friends about it.  We quickly discovered that
the problem has to do with Javascript.  Using a Javascript-enabled
browser, the order pages will produce a persistent popup demanding the
zip code of the buyer before it will disply the order.  But the whole
page of order info is also delivered in the same page!  Disabling
Javascript results in a plain display of the whole thing.

I always have Javascript disabled by default, so I was unaware of this
at first.

Evidently the folks at the vendor's place of business are unable to see
the problem.  They try to access the "evil" URL with a script-enabled
browser and it LOOKS like there's nothing to see.  They presumably
checked out my claim that the data was exposed and concluded that it was
not.

This doesn't say much for ther acumen.  And it raises some interesting
questions.  Who set this up like this and why?  Could their web designer
have designs on their data?  Hopefully it will ultimately occur to them
to ask such questions.  Actually, I will prompt them to do so!

Presently they are not answering their phones.  The site is up and
accessible for the time being.

I'm going to look into corporate records and such, and see if I can
locate one of the company's principals at home.


>of course, you might not be too enamored of lawyers <G> but this fiasco 
>shouldn't go unpunished. look forward to hearing updates!

I'm on it.  If it requires a huge public expos, that's what it'll get.
The thousands of people whose info is compromised MUST be informed.

pchelp



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:28:26 GMT
Message-ID: <3b2d207d.98607650@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 21:26:43 +0000 (UTC)

I wrote:

>I'm going to look into corporate records and such, and see if I can
>locate one of the company's principals at home.

Well, believe it or not, I may have managed it!

Searching corporate records in California as well as domain records, I
found several addresses for the owner of the business.

One of those addresses, entered in a search engine, produced a hit!  The
guy's house is for sale on a real estate agent's site!

I have now spoken with that agent, explained my need to contact the
owner and she is now attempting to reach him.

pchelp



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 23:51:05 GMT
Message-ID: <3b2d40cf.106883645@news.grc.com>
NNTP-Posting-Date: Sun, 17 Jun 2001 23:49:21 +0000 (UTC)

I wrote:

>I have now spoken with that agent, explained my need to contact the
>owner and she is now attempting to reach him.

After some time with no response from the owner, I called the agent
again.

She said she has passed on the message, and she said to me that the
owner considers the problem already has been solved as of this morning!

Which of course is not the case.

She was very kind and polite, but she has no desire to follow up further
on the matter.  I can hardly blame her!

If the business owner chooses not to call me today, I presume I'll have
to contact them tomorrow, Monday, and attempt to follow up.

I have confirmed that their site remains up and that the private data of
their entire customer base is still easily accessible.

What a shame.  The consequences of ignorance are little different from
those of evil.

pchelp


(I don't know if anyone's following this tale.  I'm seeing no responses
on the thread...  Hope it's of interest to y'all!)



----------

From: RedLeg <[redacted]>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 00:04:51 +0000 (UTC)
Organization: This space not for sale nor rent!
Message-ID: <Xns90C3C25F57C3Fmy155mmWorth@RedLegdotFire!!>
NNTP-Posting-Date: Mon, 18 Jun 2001 00:04:51 +0000 (UTC)

On or about, Sun 17 Jun 2001 18:51:05 (Local:), "pchelp" captured our 
attention for a moment with the following message:

> (I don't know if anyone's following this tale.  I'm seeing no responses
> on the thread...  Hope it's of interest to y'all!)
> 
> 

Keith,

We are watching, with interest...we're just a real quiet bunch today <g>
(keep fighting the good fight!;)
-- 
m/s,
RedLeg

"If you don't know where you're going, you'll end up somewhere else."

- Yogi Berra



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 00:22:13 GMT
Message-ID: <3b2d47e5.108697925@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 00:20:29 +0000 (UTC)

RedLeg <[redacted]> wrote:

>We are watching, with interest...we're just a real quiet bunch today <g>
>(keep fighting the good fight!;)

Glad to know it!

Wel, now there is more to tell.

The business owner did call me, and we concluded that conversation just
moments ago.

He's a polite and soft-spoken Asian gentleman, and he showed real
concern.

He was (of course) surprised to learn the problem still existed.  I
explained the simple process: turn off Javascript, enter the same URL
that's displayed on the printed invoices they send to all their
customers, and the record is visible.  That simple.

I emailed him a sample of the "evil" URL so he could verify it from
home.  He said the site would be turned off immediately and the problem
fixed.  (As of this moment, the site is still online, but I presume he's
having to call someone at his IPP or at his place of business in order
to shut it down.)

I pointed out the possibility that the exposure may have been
deliberate.  He soberly agreed it was possible.

He said he'd had no reports of credit card fraud.

He promised to follow up and inform me of the outcome.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:14:37 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.159720052b4284f989927@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:13:15 +0000 (UTC)

In article <3b2d47e5.108697925@news.grc.com>, pchelp@nwi.net says...

> He promised to follow up and inform me of the outcome.

great news! way to go. sooooo....once the vulnerability is patched and 
things are safe, will you let us in on the company name? <G>...

-- 
Graciella!



----------

From: RedLeg <[redacted]>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 01:33:58 +0000 (UTC)
Organization: This space not for sale nor rent!
Message-ID: <Xns90C3D17B8F460my155mmWorth@RedLegdotFire!!>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:33:58 +0000 (UTC)

On or about, Sun 17 Jun 2001 19:22:13 (Local:), "pchelp" captured our 
attention for a moment with the following message:

> He said he'd had no reports of credit card fraud.
> 
> He promised to follow up and inform me of the outcome.
> 
> 

Good deal, let us know what they come up with. heh, should prove 
interesting if they want to 'sweep it under'. Good lookin out!

-- 
m/s,
RedLeg



----------

From: "Walter B" <walter@antispam.add>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 22:19:47 -0400
Organization: Home User <wav3dlikd55wsfslvatcedlkgsb5lzzs>
Message-ID: <9gjoe7$2vsb$1@news.grc.com>
Content-Type: text/plain;
	charset="iso-8859-1"
NNTP-Posting-Date: Mon, 18 Jun 2001 02:18:47 +0000 (UTC)

Great.  I hope he does follow up quickly.  We've been watching.

--=20

Walter B

_______
"pchelp" <pchelp@nwi.net> wrote in message =
news:3b2d47e5.108697925@news.grc.com...
> RedLeg <[redacted]> wrote:
>=20
> >We are watching, with interest...we're just a real quiet bunch today =
<g>
> >(keep fighting the good fight!;)
>=20
> Glad to know it!
>=20
> Wel, now there is more to tell.
>=20
> The business owner did call me, and we concluded that conversation =
just
> moments ago.
>=20
> He's a polite and soft-spoken Asian gentleman, and he showed real
> concern.
>=20
> He was (of course) surprised to learn the problem still existed.  I
> explained the simple process: turn off Javascript, enter the same URL
> that's displayed on the printed invoices they send to all their
> customers, and the record is visible.  That simple.
>=20
> I emailed him a sample of the "evil" URL so he could verify it from
> home.  He said the site would be turned off immediately and the =
problem
> fixed.  (As of this moment, the site is still online, but I presume =
he's
> having to call someone at his IPP or at his place of business in order
> to shut it down.)
>=20
> I pointed out the possibility that the exposure may have been
> deliberate.  He soberly agreed it was possible.
>=20
> He said he'd had no reports of credit card fraud.
>=20
> He promised to follow up and inform me of the outcome.
>=20
> pchelp




----------

From: handyman@firstaid.org (Geek)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 04:44:13 GMT
Message-ID: <3b2d871a.8109626@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 04:43:08 +0000 (UTC)

PC..

Just read through the whole thread.  I really think it would behoove
you to let us know the name of this company.  Some of us may have done
business with this company.  If that were the case, I would be on the
phone with the CC people and getting my  credit card canceled. (It
pays to be a little pro active.)  Further, the information you
described can lead to identity theft too. Just my too cents worth.

Geek..Maybe we should call you Ministeve?<VBG>

On Mon, 18 Jun 2001 00:22:13 GMT, pchelp@nwi.net (pchelp) wrote:


>He said he'd had no reports of credit card fraud.
>
>He promised to follow up and inform me of the outcome.
>
>pchelp




----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 05:49:06 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C481DE71ECitsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Mon, 18 Jun 2001 05:49:06 +0000 (UTC)

Posted by Geek, in article news:3b2d871a.8109626@news.grc.com:

> Just read through the whole thread.  I really think it would behoove
> you to let us know the name of this company.  Some of us may have done
> business with this company.

There may well be people reading this who would love to know what company 
it is so they can drop by the website and grab some CC numbers.  Public 
disclosure has got to be a last resort.  

Q
-- 
In theory, theory and practice are the same. In practice, they are not.
     - L. P. Berra, attributed



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 06:58:28 GMT
Message-ID: <3b2da029.131296679@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 06:56:42 +0000 (UTC)


ouroboros@apexmail.com (Q) wrote:

>Posted by Geek, in article news:3b2d871a.8109626@news.grc.com:

>> Just read through the whole thread.  I really think it would behoove
>> you to let us know the name of this company.  Some of us may have done
>> business with this company.

I agree, all of those involved have a right to know.


>There may well be people reading this who would love to know what company 
>it is so they can drop by the website and grab some CC numbers.  Public 
>disclosure has got to be a last resort.  

That's how I see it presently.

At this point, the site is offline again and I am confident they won't
allow the problem to go unsolved again.  I wouldn't bet on their site
being truly _secure_ (it's on an IIS server after all), but the
particular hole I found will undoubtedly be closed.

But my considerations for withholding the name go beyond the immediate
security of the data.  I believe it would be most fair of me to allow
the company to take its own action (or not) and to _then_ respond
accordingly.

Naming them is not something I'll rush to do.  I can't reverse the
release of such information.  I wish to make that decision only with
great care.

If I know they're contacting their customers to inform them of their
potential exposure, I will refrain from naming the company for the time
being.  If I come to believe they are not going to do so, as I would for
example, if my questions on the matter were to go too long unanswered; I
will immediately name the company publicly and in as non-inflammatory a
manner as possible, for the sake of those uninformed customers.

Exposing the company to broad public displeasure (some of which would
surely result) is to my mind a severe act.  It might arguably be no less
severe than their exposure of their clients, but I believe the breach
was not deliberate, and it is possible, however unlikely, that the
private data didn't fall into hostile hands.

The vendor's affected clients MUST be allowed to know what happened; but
it would be most appropriate to let THEM tell their clients, to present
their apology, to make their request for information about any credit
abuse that may relate, to offer their assurances that the data is now
kept more safely, and so forth.

As far as I know, the vendor is running an honest business.  I think
harsh exposure could be unfair to them, if they act in good faith and in
a reasonable time now that the problem is known.  I intend to allow them
the chance to deal with it as gracefully as possible.

pchelp

(A cc of this news://news.grc.com/grc.privacy post is being emailed to
the business owner and to a journalist.)




----------

From: "Glen Harman" <gharman+gp@erols.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 05:45:41 -0400
Message-ID: <9gkih8$lmj$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 09:44:08 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message news:3b2da029.131296679@news.grc.com...

> If I know they're contacting their customers to inform them of their
> potential exposure, I will refrain from naming the company for the time
> being.  If I come to believe they are not going to do so, as I would for
> example, if my questions on the matter were to go too long unanswered; I
> will immediately name the company publicly and in as non-inflammatory a
> manner as possible, for the sake of those uninformed customers.

How will you know that they have contacted all their customers?
What form(s) of notification would you consider acceptable?







----------

From: Carlene <l6xso6xcxj5xvlg001@DIEsneakeSPAMMERmail.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 03:17:32 -0700
Message-ID: <MPG.159775005d47305498969a@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 10:16:10 +0000 (UTC)
X-Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>
Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>

But once answered, will these questions be the last of your demands? Or will the interrogation without comment continue?

In article <9gkih8$lmj$1@news.grc.com>, gharman+gp@erols.com says...
> How will you know that they have contacted all their customers?
> What form(s) of notification would you consider acceptable?
>



----------

From: "Glen Harman" <gharman+gp@erols.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 07:13:12 -0400
Message-ID: <9gknla$qa5$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 11:11:39 +0000 (UTC)


"Carlene" <l6xso6xcxj5xvlg001@DIEsneakeSPAMMERmail.com> wrote in message
news:MPG.159775005d47305498969a@207.71.92.194...
> But once answered, will these questions be the last of your
> demands? Or will the interrogation without comment continue?

No Demands.  No Interrogation.  I'm simply curious if pchelp has
fully considered the two issues I touched upon, and interested in
his thoughts on those matters.  Particularly the latter one, since
what is often the most obvious/convenient method of contacting
net customers... email...  won't work in many instances.  People
use throw-away accounts, time-limited accounts, etc.

Please pardon me for not spelling things out for you.





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 13:34:45 GMT
Message-ID: <3b2dff47.155650829@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 13:32:56 +0000 (UTC)

"Glen Harman" <gharman+gp@erols.com> wrote:

>"pchelp" <pchelp@nwi.net> wrote in message news:3b2da029.131296679@news.grc.com...

>> If I know they're contacting their customers to inform them of their
>> potential exposure, I will refrain from naming the company for the time
>> being.  If I come to believe they are not going to do so, as I would for
>> example, if my questions on the matter were to go too long unanswered; I
>> will immediately name the company publicly and in as non-inflammatory a
>> manner as possible, for the sake of those uninformed customers.

>How will you know that they have contacted all their customers?

I know two of their customers personally, and I'll know whether those
two were contacted.  But I can never know they contacted everyone
possible.  I didn't download their database.

I suppose I'll have to accept what they tell me.


>What form(s) of notification would you consider acceptable?

I think they should do it by snail-mail.  As you point out, email
addresses can be unreliable, and email is not certain to reach the
intended recipient.  But for all of their credit card orders especially,
there will have been an accurate billing address.  It's the means by
which cards are verified.

pchelp




----------

From: "32123" <32123 @ spamcop . net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 06:17:11 -0500
Message-ID: <9gknsq$qcn$1@news.grc.com>
Reply-To: "32123" <32123 @ spamcop . net>
Content-Type: text/plain;
	charset="Windows-1252"
NNTP-Posting-Date: Mon, 18 Jun 2001 11:15:38 +0000 (UTC)

"pchelp" <pchelp@nwi.net> wrote in message news:3b2da029.131296679@news.grc.com...
> ...
> As far as I know, the vendor is running an honest business.  I think
> harsh exposure could be unfair to them, if they act in good faith and in
> a reasonable time now that the problem is known.  I intend to allow them
> the chance to deal with it as gracefully as possible.
> ...

I hope the business owner, at least, eventually
realizes how fortunate it is that you happened to
discover the security flaw before too many of the
much less scrupulous Internet denizens had managed
to rip it into a business-destroying breach of
customer confidentiality.





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 13:57:33 GMT
Message-ID: <3b2e0384.156735705@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 13:55:44 +0000 (UTC)

"32123" <32123 @ spamcop . net> wrote:

>"pchelp" <pchelp@nwi.net> wrote in message news:3b2da029.131296679@news.grc.com...
>> ...
>> As far as I know, the vendor is running an honest business.  I think
>> harsh exposure could be unfair to them, if they act in good faith and in
>> a reasonable time now that the problem is known.  I intend to allow them
>> the chance to deal with it as gracefully as possible.
>> ...

>I hope the business owner, at least, eventually
>realizes how fortunate it is that you happened to
>discover the security flaw before too many of the
>much less scrupulous Internet denizens had managed
>to rip it into a business-destroying breach of
>customer confidentiality.

He was polite, receptive and truly concerned.  I could hardly ask more.
He didn't express vast appreciation for my help, but in view of the
sobering news he was receiving, that's no surprise.

As for the severity of the breach, I suppose that remains to be seen.  I
know exactly nothing about whether the information actually got out or
was abused, and unless victims were to contact me I will have no way of
knowing.

Business-destroying?  I doubt that.  Even if it became a media event, I
would expect that a large proportion of past and future customers would
never hear about it.  But it would certainly have an impact.

The business is certainly a going concern.  15,500 orders in 11 months
amounts to 1400 per month; about 48 paying customers placing orders
every day, 7 days a week.  I'm not familiar in detail with that type of
business, but I suspect that's a long way past the break-even line.

If those orders profited just $35 each, that's a half-million dollars of
income for the owner(s).

In my opinion, the owner's worst-case scenario isn't PR problems -- it's
lawsuits.  If real abuses did result, the company (which is a
corporation) might be held liable by litigious victims.  Multiplied by
attorneys, such suits could quickly cost far more than the past year's
profits might cover.

Fear of that should not deter the owner from disclosure, but it may.  If
he's got his wits about him, he will be talking to his attorney today.
I frankly have no idea what advice he'll receive if he does.

I don't envy him.  Well, not much anyway (that house he's selling is
priced at $3/4 of a million).

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 10:05:05 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1597d4a0f7c4323c98992e@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 14:03:47 +0000 (UTC)

In article <3b2e0384.156735705@news.grc.com>, pchelp@nwi.net says...

> In my opinion, the owner's worst-case scenario isn't PR problems -- it's
> lawsuits. 
> Fear of that should not deter the owner from disclosure, but it may.  

see, that's just my concern---that he will try to "cover" for fear of 
lawsuits, which frankly (as i mentioned in my "bad language <G>" earlier 
post) i think is a real and valid possibility. but my "sue his &^%" 
comment was IF he didn't respond immediately once aware of the problem, 
which it seems he is doing. making mistakes is human (though this one is 
less inexcusable, methinks) but ignoring the mistakes, or not owning up 
to them to protect people who may have been comprised, would be liable, 
IMHO.

betcha you get some nice business from them <G>...more power to 'ya. ya 
done good!

-- 
Graciella!



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:28:51 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15982070eb16bfcc989db8@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 14:27:16 +0000 (UTC)

In article <3b2e0384.156735705@news.grc.com>, pchelp said...
> 15,500 orders in 11 months [...]

That appears to me to be confidential information obtained only by 
exploiting, for the best of reasons, the security loophole. 

Making it public, which you'll now automatically do if you later decide 
to name the company, is a different matter. 

If you later need to consider whether to name the company, I would think 
you'll want to add that aspect to the considerations.

This is just an, almost certainly unnecessary, heads-up. I have no 
opinion of the likely weight of that consideration, let alone the likely 
outcome.

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 14:34:48 GMT
Message-ID: <3b2e10be.160122370@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 14:32:58 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>In article <3b2e0384.156735705@news.grc.com>, pchelp said...
>> 15,500 orders in 11 months [...]

>That appears to me to be confidential information obtained only by 
>exploiting, for the best of reasons, the security loophole. 

One might interpret it as such, but as far as I can see, it is not
itself particularly exploitable information.

I had already mentioned the number of exposed orders and their span of
time in an earlier post.


>Making it public, which you'll now automatically do if you later decide 
>to name the company, is a different matter. 

I think it's a minor consideration, but you're not incorrect.  It is a
valid one.


>If you later need to consider whether to name the company, I would think 
>you'll want to add that aspect to the considerations.

Done.


>This is just an, almost certainly unnecessary, heads-up. I have no 
>opinion of the likely weight of that consideration, let alone the likely 
>outcome.

It's got a lot of ramifications.  I for one don't find it easy to wrap
my mind around it all.  But the core issue is simple.  Those exposed
need to know.

pchelp



----------

From: "David Hansen" <dhansen@NoSpamtransmetrics.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 10:04:47 -0700
Organization: Transmetrics, Inc.
Message-ID: <9glcb2$1gi7$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:04:34 +0000 (UTC)

"pchelp" <pchelp@nwi.net> wrote
<much info snipped>
>
> I don't envy him.  Well, not much anyway (that house he's selling is
> priced at $3/4 of a million).
>
> pchelp

Out here, that's a 3 bedroom, 2 bath shack with no garage!

--

-Dave /;^{D>

(Warning: Reply-to address has been changed - Death To Spam!)

PC Help needs Our HELP!!  Lockdown 2000 scam^H^H^H^H Law Suit
http://www.pchelpers.org/          http://www.pc-help.org







----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:14:09 GMT
Message-ID: <3b2e36c3.169856808@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:12:19 +0000 (UTC)

"David Hansen" <dhansen@NoSpamtransmetrics.com> wrote:

>"pchelp" <pchelp@nwi.net> wrote
><much info snipped>

>> I don't envy him.  Well, not much anyway (that house he's selling is
>> priced at $3/4 of a million).
>> pchelp

>Out here, that's a 3 bedroom, 2 bath shack with no garage!

Well, he lucked out.  This one has a garage!  Anyone want pictures?

pchelp



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:06:56 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15981b5b1341cf67989db3@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 14:06:29 +0000 (UTC)

In article <3b2da029.131296679@news.grc.com>, pchelp said...
> [...] I intend to allow them
> the chance to deal with it as gracefully as possible.

I'm late to this, but congratulations on a job well done, in all 
respects.

It'll be interesting to hear, in due course, how the firm deal with the 
opposing interests of proper disclosure to all those potentially 
affected, and the PR disadvantages of not leaving 15,000 potential 
repeat customers in blissful ignorance. I'll bet the CC companies will 
have some views on that too.

By the way, and although it seems very unlikely, did you check that none 
of those confidential pages got spidered and are visible within Google's 
cache?

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:09:22 GMT
Message-ID: <3b2e18f8.162228545@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 15:07:32 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>I'm late to this, but congratulations on a job well done, in all 
>respects.

Better save the congrats for a bit.

The site is back up, and the "hole" is open.

I am totally flabbergasted.


>It'll be interesting to hear, in due course, how the firm deal with the 
>opposing interests of proper disclosure to all those potentially 
>affected, and the PR disadvantages of not leaving 15,000 potential 
>repeat customers in blissful ignorance. I'll bet the CC companies will 
>have some views on that too.

I have just lost all confidence in them.


>By the way, and although it seems very unlikely, did you check that none 
>of those confidential pages got spidered and are visible within Google's 
>cache?

I didn't, but it seems very unlikely as they'd be lined from nowhere.

But I'll check.

I just talked to a journalist about it.  The fecal matter is gonna hit
the rotary device, I do believe.

I will hesitate a while yet, but at this point I think I'll be
announcing the business name publicly.

pchelp



----------

From: "Walter B" <walter@antispam.add>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 11:11:58 -0400
Organization: Home User <wav3dlikd55wsfslvatcedlkgsb5lzzs>
Message-ID: <9gl5lt$18ha$1@news.grc.com>
Content-Type: text/plain;
	charset="iso-8859-1"
NNTP-Posting-Date: Mon, 18 Jun 2001 15:10:53 +0000 (UTC)

Wow.  I hope you have a turbo-fan and a herd of sheep or pigs.

--=20
--=20

Walter B

_______
"pchelp" <pchelp@nwi.net> wrote in message =
news:3b2e18f8.162228545@news.grc.com...
> Milly <no_sp@m.gov> wrote:
>=20
> >I'm late to this, but congratulations on a job well done, in all=20
> >respects.
>=20
> Better save the congrats for a bit.
>=20
> The site is back up, and the "hole" is open.
>=20
> I am totally flabbergasted.
>=20
>=20
> >It'll be interesting to hear, in due course, how the firm deal with =
the=20
> >opposing interests of proper disclosure to all those potentially=20
> >affected, and the PR disadvantages of not leaving 15,000 potential=20
> >repeat customers in blissful ignorance. I'll bet the CC companies =
will=20
> >have some views on that too.
>=20
> I have just lost all confidence in them.
>=20
>=20
> >By the way, and although it seems very unlikely, did you check that =
none=20
> >of those confidential pages got spidered and are visible within =
Google's=20
> >cache?
>=20
> I didn't, but it seems very unlikely as they'd be lined from nowhere.
>=20
> But I'll check.
>=20
> I just talked to a journalist about it.  The fecal matter is gonna hit
> the rotary device, I do believe.
>=20
> I will hesitate a while yet, but at this point I think I'll be
> announcing the business name publicly.
>=20
> pchelp




----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:15:43 GMT
Message-ID: <3b2e1afd.162746021@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 15:13:53 +0000 (UTC)


I wrote:

>I didn't, but it seems very unlikely as they'd be lined from nowhere.
                                                   ^^^^^
linked.

pchelp



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 16:19:40 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15982c62db00e156989db9@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 15:18:05 +0000 (UTC)

In article <3b2e18f8.162228545@news.grc.com>, pchelp said...
> Milly <no_sp@m.gov> wrote:
> 
> >I'm late to this, but congratulations on a job well done, in all 
> >respects.
> 
> Better save the congrats for a bit.
> 
> The site is back up, and the "hole" is open.
> 
> I am totally flabbergasted.

Sheesh - me too. 

> >It'll be interesting to hear, in due course, how the firm deal with the 
> >opposing interests of proper disclosure to all those potentially 
> >affected, and the PR disadvantages of not leaving 15,000 potential 
> >repeat customers in blissful ignorance. I'll bet the CC companies will 
> >have some views on that too.
> 
> I have just lost all confidence in them.

You can lead a horse to water ...

> I just talked to a journalist about it.  The fecal matter is gonna hit
> the rotary device, I do believe.
> 
> I will hesitate a while yet, but at this point I think I'll be
> announcing the business name publicly.

They don't deserve it, but perhaps a warning to the business that that 
will be your action if the hole is still accessible in XX minutes/hours 
(and ever reappears)? (At this stage, in the interests of the CC'holders 
alone - sod the business itself).

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:28:03 GMT
Message-ID: <3b2e1c8b.163143785@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 15:26:13 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>They don't deserve it, but perhaps a warning to the business that that 
>will be your action if the hole is still accessible in XX minutes/hours 
>(and ever reappears)? (At this stage, in the interests of the CC'holders 
>alone - sod the business itself).

The journalist in question seems as interested in the victims as I am.
And possibly far less restrained.

It wouldn't surprise me if she contacted some of them herself.

While the site remains exploitable, I have no intention of naming the
company.  But I think it can be relied upon that once they realize
they're a news story, something real is gonna happen to fix it. The time
for screwing up is over.

We could have some fun.  Place bets on how long it'll be till the site
is offline for the third time...

I give it an hour max till they start getting calls from journalists.
Some eyes gonna get real wide down there.

pchelp



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:31:25 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15983d3c535408f9989dbc@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:29:50 +0000 (UTC)

In article <3b2e1c8b.163143785@news.grc.com>, pchelp said...
> Milly <no_sp@m.gov> wrote:
> We could have some fun.  Place bets on how long it'll be till the site
> is offline for the third time...

30 minutes.

-- 
Milly



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:32:02 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15983d61402a8ea2989dbd@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:30:26 +0000 (UTC)

In article <MPG.15983d3c535408f9989dbc@207.71.92.194>, Milly said...
> In article <3b2e1c8b.163143785@news.grc.com>, pchelp said...
> > Milly <no_sp@m.gov> wrote:
> > We could have some fun.  Place bets on how long it'll be till the site
> > is offline for the third time...
> 
> 30 minutes.

Do I win? ;)

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 16:47:14 GMT
Message-ID: <3b2e3032.168175460@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:45:23 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>In article <MPG.15983d3c535408f9989dbc@207.71.92.194>, Milly said...
>> In article <3b2e1c8b.163143785@news.grc.com>, pchelp said...
>> > Milly <no_sp@m.gov> wrote:
>> > We could have some fun.  Place bets on how long it'll be till the site
>> > is offline for the third time...

>> 30 minutes.
>Do I win? ;)

You nailed it, I'd say!

Now they're up again and the offending script is evidently fixed.

I fear the owner's troubles have just begun.

pchelp



----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:50:10 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.1598417cdebcbc81989dbe@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:48:35 +0000 (UTC)

In article <3b2e3032.168175460@news.grc.com>, pchelp said...
> Milly <no_sp@m.gov> wrote:
> >In article <MPG.15983d3c535408f9989dbc@207.71.92.194>, Milly said...
> >> In article <3b2e1c8b.163143785@news.grc.com>, pchelp said...
> >> > Milly <no_sp@m.gov> wrote:
> >> > We could have some fun.  Place bets on how long it'll be till the site
> >> > is offline for the third time...
> 
> >> 30 minutes.
> >Do I win? ;)
> 
> You nailed it, I'd say!

Then I claim my prize. Please email me 1000 Credit Card names and 
addresses.
 
> Now they're up again and the offending script is evidently fixed.
> 
> I fear the owner's troubles have just begun.

Oh yes.

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:16:24 GMT
Message-ID: <3b2e36ef.169901255@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:14:34 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>> You nailed it, I'd say!

>Then I claim my prize. Please email me 1000 Credit Card names and 
>addresses.

Damn.  I only harvested 9,993.  Sorry.

<Note to FBI:  that's a JOKE, guys.  Honest.>


>> I fear the owner's troubles have just begun.

>Oh yes.

Indeed.  I just spoke to another journalist.

I guess my site's going to get some hits.  I beter warn the ISP.

pchelp



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:38:01 GMT
Message-ID: <3b2e3c3d.171259480@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:36:10 +0000 (UTC)

pchelp@nwi.net (pchelp) wrote:

>Milly <no_sp@m.gov> wrote:

>>Then I claim my prize. Please email me 1000 Credit Card names and 
>>addresses.

>Damn.  I only harvested 9,993.  Sorry.

Whoops.  I added a zero to your number!

Only 1,000?  You must live modestly.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 13:45:44 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.159808534e398309989931@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:44:27 +0000 (UTC)

In article <3b2e36ef.169901255@news.grc.com>, pchelp@nwi.net says...

> <Note to FBI:  that's a JOKE, guys.  Honest.>

apparently you have never learned that there is NO joking with those 
guys---they NEVER crack a smile.

> Indeed.  I just spoke to another journalist.
> I guess my site's going to get some hits.  I beter warn the ISP.

hopefully some good publicity for all your efforts, since at this point 
i'll betcha you don't get much business from the company <G>.

this is better than a soap opera.

-- 
Graciella!



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:59:33 GMT
Message-ID: <3b2e40da.172439836@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:57:43 +0000 (UTC)

Graciella <graciella@thisis.invalid> wrote:

>> Indeed.  I just spoke to another journalist.
>> I guess my site's going to get some hits.  I beter warn the ISP.

>hopefully some good publicity for all your efforts, 

I haven't much use for publicity, unless perhaps it were to stimulate
some donations to the LDF.  (Which I could really use by the way, my
legal costs have now far exceeded the sum of that generous effort.)

At any rate, the stories (which as far as I know aren't published yet)
will presumably appear on Wired.com and on ZDNet's ExtremeTech.com.


>since at this point 
>i'll betcha you don't get much business from the company <G>.

I'm not counting those chickens!  On the other hand, I've tried to be
friendly and helpful, and I think they recognize that.


>this is better than a soap opera.

It's quite a drama all right.

pchelp




----------

From: Milly <no_sp@m.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 19:13:51 +0100
Organization: Cecil-ID: <d020c222mtx5qgtfib3f1s230alxibzj>
Message-ID: <MPG.15985517b942d9e3989dc3@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 18:12:16 +0000 (UTC)

In article <3b2e40da.172439836@news.grc.com>, pchelp said...
> Graciella <graciella@thisis.invalid> wrote:
> 
> >> Indeed.  I just spoke to another journalist.
> >> I guess my site's going to get some hits.  I beter warn the ISP.
> 
> >hopefully some good publicity for all your efforts, 
> 
> I haven't much use for publicity, unless perhaps it were to stimulate
> some donations to the LDF.  (Which I could really use by the way, my
> legal costs have now far exceeded the sum of that generous effort.)
> 
> At any rate, the stories (which as far as I know aren't published yet)
> will presumably appear on Wired.com and on ZDNet's ExtremeTech.com.

You found and nailed the hole, acting quickly and responsibly in the 
interests of the ordinary punters whose confidential information was 
compromised (yet with patience and compassion for the gormless site 
owner).

This is *EXACTLY* the sort of thing which belongs on your site.

So get the tale written and up on your site, with [Name Withheld] until 
the appropriate time, and ask your press contacts to link and credit you 
accordingly.  

"I haven't much use for publicity" indeed. This is no time to hide your 
light under a bushel. If nothing else you owe it to the people who have 
supported and contributed to your cause so far. 

Now stop pissing about - sheesh.

-- 
Milly



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 18:34:24 GMT
Message-ID: <3b2e4978.174646298@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 18:32:33 +0000 (UTC)

Milly <no_sp@m.gov> wrote:

>This is *EXACTLY* the sort of thing which belongs on your site.

>So get the tale written and up on your site, with [Name Withheld] until 
>the appropriate time, and ask your press contacts to link and credit you 
>accordingly.  

>"I haven't much use for publicity" indeed. This is no time to hide your 
>light under a bushel. If nothing else you owe it to the people who have 
>supported and contributed to your cause so far. 

>Now stop pissing about - sheesh.

Ah, Milly.  You've set me right yet again.

I'll get on it as soon as I've dealt with a couple of needy customers.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 14:21:05 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.15981099889b2e7c989935@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 18:19:48 +0000 (UTC)

In article <3b2e40da.172439836@news.grc.com>, pchelp@nwi.net says...
> At any rate, the stories (which as far as I know aren't published yet)
> will presumably appear on Wired.com and on ZDNet's ExtremeTech.com.

good! we'll watch for it. unfortunately, many of the people whose info is 
at risk are unlikely to read the 'geekier' media <G>. but maybe the 
company will do the right thing and notify users after all. </pollyanna>

-- 
Graciella!



----------

From: El Gato Grande <elgatograndeblue@watertechemail.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 23:39:54 -0500
Organization: <oh2th3aryzge2ch1ex3cla1zycesrqq2>
Message-ID: <jqltitgub6frmrcbcn84l1rtsb9o53rk1a@4ax.com>
Content-Type: text/plain; charset=us-ascii
NNTP-Posting-Date: Tue, 19 Jun 2001 04:38:07 +0000 (UTC)

X-No-archive: yes 
 
 On Mon, 18 Jun 2001 17:59:33 GMT, pchelp@nwi.net (pchelp) wrote:

<snip>
>I've tried to be
>friendly and helpful, and I think they recognize that.
<snip>

No good deed goes unpunished. ;-}

Remove the blue water to reply.

          "I don't think they make any software that 
           will protect you from ignorant managment." 
                              -Robert Wycoff- 



----------

From: "Robert Taylor" <RobertTaylor@SpamCop.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 18:28:58 -0400
Organization: <dpionfo3kfyuowvumuchwhxpevqm0irk>
Message-ID: <9glv8h$278j$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 22:27:30 +0000 (UTC)


Milly <no_sp@m.gov> wrote in message
news:MPG.15982c62db00e156989db9@207.71.92.194...
| In article <3b2e18f8.162228545@news.grc.com>, pchelp said...
| > Milly <no_sp@m.gov> wrote:
| >
| > >I'm late to this, but congratulations on a job well done, in all
| > >respects.
[]

    I like Milly.

    Robert
[]
| >
| > I will hesitate a while yet, but at this point I think I'll be
| > announcing the business name publicly.
|
| They don't deserve it, but perhaps a warning to the business that that
| will be your action if the hole is still accessible in XX minutes/hours
| (and ever reappears)? (At this stage, in the interests of the CC'holders
| alone - sod the business itself).
|             ^^^^^^^^^^^^^^^^^
| --
| Milly





----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 16:46:12 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C4776E8314EitsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:46:12 +0000 (UTC)

Posted by pchelp, in article news:3b2e18f8.162228545@news.grc.com:

>>I'm late to this, but congratulations on a job well done, in all 
>>respects. 
> 
> Better save the congrats for a bit.
> 
> The site is back up, and the "hole" is open.
> 
> I am totally flabbergasted.

!!!!

Does it appear that they tried and failed again to fix things, or that 
they're now acting in bad faith?

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:34:26 GMT
Message-ID: <3b2e37c3.170113109@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:32:36 +0000 (UTC)

ouroboros@apexmail.com (Q) wrote:

>Posted by pchelp, in article news:3b2e18f8.162228545@news.grc.com:

>>>I'm late to this, but congratulations on a job well done, in all 
>>>respects. 

>> Better save the congrats for a bit.
>> The site is back up, and the "hole" is open.
>> I am totally flabbergasted.

>!!!!
>Does it appear that they tried and failed again to fix things, or that 
>they're now acting in bad faith?

It was online for at least a couple of hours, this morning, possibly
much longer.  Then it went off, then back on and this time with the
script working more properly.

My guess is, the web server is not located at the place of business.  So
they had it back online while the owner (himself) worked over the
scripting from remote to repair it.

That most certainly wouldn't have been my choice of methods.  But at
least it's fixed now.

pchelp



----------

From: Calvin Crumrine <Calvin_Crumrine@dced.state.ak.us>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 14:19:59 -0800
Organization: Alaska Division of Investments
Message-ID: <3B2E7E8F.84A006D1@dced.state.ak.us>
Content-Type: text/plain; charset=iso-8859-1
NNTP-Posting-Date: Mon, 18 Jun 2001 22:11:06 +0000 (UTC)

pchelp wrote:

> ouroboros@apexmail.com (Q) wrote:
>
> >Posted by pchelp, in article news:3b2e18f8.162228545@news.grc.com:
>
> >>>I'm late to this, but congratulations on a job well done, in all
> >>>respects.
>
> >> Better save the congrats for a bit.
> >> The site is back up, and the "hole" is open.
> >> I am totally flabbergasted.
>
> >!!!!
> >Does it appear that they tried and failed again to fix things, or that
> >they're now acting in bad faith?
>
> It was online for at least a couple of hours, this morning, possibly
> much longer.  Then it went off, then back on and this time with the
> script working more properly.
>
> My guess is, the web server is not located at the place of business.  So
> they had it back online while the owner (himself) worked over the
> scripting from remote to repair it.
>
> That most certainly wouldn't have been my choice of methods.  But at
> least it's fixed now.
>
> pchelp

Or, it could be someone who "didn't get the word" noticing that the server
was down & bringing it back online. There's a story about something like
that happening at a military base-a security audit showed an account that
still had its default password set so the account was disabled. Come shift
change both the account user & the night administator come on & word didn't
get passed along. The user can't log on so he goes to the administrator who
sees that the account is disabled & simply reenables it, default password &
all. So much for security. If you're going to take something offline until
it's fixed then you really need to make sure that it stays offline until
then. Too often people think it's offline 'by accident'.




----------

From: Carlene <l6xso6xcxj5xvlg001@DIEsneakeSPAMMERmail.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:24:44 -0700
Message-ID: <MPG.15981f8a89deed6a98969c@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 22:23:24 +0000 (UTC)
X-Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>
Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>

Good speculating!

But alas, PCHELP's conjecture does in my mind, seem to be the most "likely" scenario. The details of the reality we shall soon see or may never know.


In article <3B2E7E8F.84A006D1@dced.state.ak.us>, Calvin_Crumrine@dced.state.ak.us says...
> Or, it could be someone who "didn't get the word" noticing that the server
> was down & bringing it back online. There's a story about something like
> that happening at a military base-a security audit showed an account that
> still had its default password set so the account was disabled. Come shift
> change both the account user & the night administator come on & word didn't
> get passed along. The user can't log on so he goes to the administrator who
> sees that the account is disabled & simply reenables it, default password &
> all. So much for security. If you're going to take something offline until
> it's fixed then you really need to make sure that it stays offline until
> then. Too often people think it's offline 'by accident'.
> 
> 



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 13:42:43 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1598079e82bd78b0989930@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 17:41:26 +0000 (UTC)

In article <3b2e18f8.162228545@news.grc.com>, pchelp@nwi.net says...

> I just talked to a journalist about it.  The fecal matter is gonna hit
> the rotary device, I do believe.

absolutely the best move...users are warned (sort of...), the company 
gets much deserved egg (or worse) on its face, you get the good publicity 
you deserve, and the journalist looks good. win-win is how i see it. 

otoh, some tiny voice inside (my little trusting pollyanna) still can't 
imagine there isn't some logical explanation for the site being up, after 
the guy was soooo concerned on the phone. (yeah, graciella, and i've got 
a bridge to sell 'ya <G>). 

-- 
Graciella!



----------

From: RedLeg <[redacted]>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:59:12 +0000 (UTC)
Organization: This space not for sale nor rent!
Message-ID: <Xns90C4D5C1DDF4Emy155mmWorth@RedLegdotFire!!>
NNTP-Posting-Date: Tue, 19 Jun 2001 01:59:12 +0000 (UTC)

On or about, Mon 18 Jun 2001 01:58:28 (Local:), "pchelp" captured our 
attention for a moment with the following message:

> But my considerations for withholding the name go beyond the immediate
> security of the data.  I believe it would be most fair of me to allow
> the company to take its own action (or not) and to _then_ respond
> accordingly.
> 
> Naming them is not something I'll rush to do.  I can't reverse the
> release of such information.  I wish to make that decision only with
> great care.
> 

FWIW, I believe this is (was) a very wise course of action. Having read the 
rest of the thread and developements, you did the unquestionably right 
thing Keith. Certainly by saving lots of customers grief, (and hopefully 
acknowledged through a belated thank you) you also saved the company from 
themselves and potential lawsuits.  Hope they can get their head out of 
their second point of contact and show you some appreciation. 

Cheers bro, keep fighting the good fight!

-- 
m/s,
RedLeg

"The secret of a leader lies in the tests he has faced over the whole 
course of his life and the habit of action he develops in meeting those 
tests."  - Gail Sheehy




----------

From: Gryph <gryphonn@austarnet_deleteme_.com.au>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:21:24 +1000
Organization: Gryphonn Design
Message-ID: <MPG.159848f1ec6f8fae989ad9@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 07:24:06 +0000 (UTC)

In article <3b2d47e5.108697925@news.grc.com>, pchelp@nwi.net says...
> RedLeg <[redacted]> wrote:
> 
> >We are watching, with interest...we're just a real quiet bunch today <g>
> >(keep fighting the good fight!;)
> 
> Glad to know it!
> 
> Wel, now there is more to tell.
> 
> The business owner did call me, and we concluded that conversation just
> moments ago.
> 
> He's a polite and soft-spoken Asian gentleman, and he showed real
> concern.
> 
> He was (of course) surprised to learn the problem still existed.  I
> explained the simple process: turn off Javascript, enter the same URL
> that's displayed on the printed invoices they send to all their
> customers, and the record is visible.  That simple.
> 
> I emailed him a sample of the "evil" URL so he could verify it from
> home.  He said the site would be turned off immediately and the problem
> fixed.  (As of this moment, the site is still online, but I presume he's
> having to call someone at his IPP or at his place of business in order
> to shut it down.)
> 
> I pointed out the possibility that the exposure may have been
> deliberate.  He soberly agreed it was possible.
> 
> He said he'd had no reports of credit card fraud.
> 
> He promised to follow up and inform me of the outcome.
> 
> pchelp
> 

Hi pc :o) (reminds me of TC [Top Cat])

I'm reading the thread with great interest. It has the makings of an 
excellent case-study in disclosure.

Cheers,
Gryph


-- 
"My Supersonic Sonar Radar will help me!!"



----------

From: "Hilly" <petmypaw@bellsouth.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 19:31:06 -0500
Message-ID: <9gji4t$2ov5$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 00:31:25 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message news:3b2d40cf.106883645@news.grc.com...
<snip>
> (I don't know if anyone's following this tale.  I'm seeing no responses
> on the thread...  Hope it's of interest to y'all!)

I'm interested.  It's outrageous, IMO.

Hilly.





----------

From: "Boris Lav" <boris@accesscomm.ca>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 18:39:39 -0600
Message-ID: <9gjiku$2pip$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 00:39:58 +0000 (UTC)

Yes, watching it here too

Boris, Canada

"Hilly" <petmypaw@bellsouth.net> wrote in message
news:9gji4t$2ov5$1@news.grc.com...
>
> "pchelp" <pchelp@nwi.net> wrote in message
news:3b2d40cf.106883645@news.grc.com...
> <snip>
> > (I don't know if anyone's following this tale.  I'm seeing no responses
> > on the thread...  Hope it's of interest to y'all!)
>
> I'm interested.  It's outrageous, IMO.
>
> Hilly.
>
>





----------

From: "Frank Gingrich" <gingrich@speakeasy.org>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 20:51:41 -0400
Message-ID: <9gjj7u$2q8k$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 00:50:06 +0000 (UTC)

It's fascinating!  Like watching a horror show.  Most of us (I guess)
don't have much to contribute to this tale.  Except, perhaps, our
credit card numbers.  :)

Thanks, pchelp.

Frank

"pchelp" <pchelp@nwi.net> wrote in message
news:3b2d40cf.106883645@news.grc.com...
> I wrote:
>
> >I have now spoken with that agent, explained my need to contact the
> >owner and she is now attempting to reach him.
>
> After some time with no response from the owner, I called the agent
> again.
>
> She said she has passed on the message, and she said to me that the
> owner considers the problem already has been solved as of this
morning!
>
> Which of course is not the case.
>
> She was very kind and polite, but she has no desire to follow up
further
> on the matter.  I can hardly blame her!
>
> If the business owner chooses not to call me today, I presume I'll
have
> to contact them tomorrow, Monday, and attempt to follow up.
>
> I have confirmed that their site remains up and that the private
data of
> their entire customer base is still easily accessible.
>
> What a shame.  The consequences of ignorance are little different
from
> those of evil.
>
> pchelp
>
>
> (I don't know if anyone's following this tale.  I'm seeing no
responses
> on the thread...  Hope it's of interest to y'all!)





----------

From: RedLeg <[redacted]>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 01:34:49 +0000 (UTC)
Organization: This space not for sale nor rent!
Message-ID: <Xns90C3D1A08815my155mmWorth@RedLegdotFire!!>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:34:49 +0000 (UTC)

On or about, Sun 17 Jun 2001 19:51:41 (Local:), "Frank Gingrich" captured 
our attention for a moment with the following message:

> Most of us (I guess)
> don't have much to contribute to this tale.  Except, perhaps, our
> credit card numbers.  :)
> 

ouch <BG>

-- 
m/s,
RedLeg

"If you don't know where you're going, you'll end up somewhere else."

- Yogi Berra



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 01:41:06 GMT
Message-ID: <3b2d5c16.113867101@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:39:22 +0000 (UTC)

"Frank Gingrich" <gingrich@speakeasy.org> wrote:

>It's fascinating!  Like watching a horror show.  Most of us (I guess)
>don't have much to contribute to this tale.  Except, perhaps, our
>credit card numbers.  :)

LOL!

Lessee.  Yep, I have yours right here!  ;-)

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:12:56 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.15971f9f4556b8a3989926@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:11:33 +0000 (UTC)

In article <3b2d40cf.106883645@news.grc.com>, pchelp@nwi.net says...

> (I don't know if anyone's following this tale.  I'm seeing no responses
> on the thread...  Hope it's of interest to y'all!)

are you kidding?...this is right up our little paranoid alleys <G>. 
you've certainly gone the extra mile to try to help their sorry butts...i 
for one think you should contact the sympathetic media. at first i 
wondered why you weren't naming the company even now, but i realize that 
that would be making the info accessible to 'baddies' as well. keep us 
posted.

-- 
Graciella!



----------

From: Michael A. Wood <coldmoon@wave-offspam.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:44:13 -0400
Message-ID: <20010617214411.E2AC.COLDMOON@wave-offspam.net>
 <3b2d0411.91331105@news.grc.com>
 <MPG.1596e060e5def917989924@news.grc.com>
 <3b2d1900.96690999@news.grc.com>
 <3b2d207d.98607650@news.grc.com>
 <3b2d40cf.106883645@news.grc.com>
Content-Type: text/plain; charset="US-ASCII"
NNTP-Posting-Date: Mon, 18 Jun 2001 01:39:43 +0000 (UTC)

Go man GO! I'm on the edge of my seat <g> God I'm glad I don't have a
credit card!
-- 
Michael A. Wood <coldmoon@wave-offspam.net>
coldmoon over darkwater ...




----------

From: "airratt" <airratt@tampabay.rr.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 10:50:49 -0400
Message-ID: <9gl4dg$16v5$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 14:49:20 +0000 (UTC)

I am watching also.I am very curious who the company is.


"pchelp" <pchelp@nwi.net> wrote in message
news:3b2d40cf.106883645@news.grc.com...
> I wrote:
>
> >I have now spoken with that agent, explained my need to contact the
> >owner and she is now attempting to reach him.
>
> After some time with no response from the owner, I called the agent
> again.
>
> She said she has passed on the message, and she said to me that the
> owner considers the problem already has been solved as of this morning!
>
> Which of course is not the case.
>
> She was very kind and polite, but she has no desire to follow up further
> on the matter.  I can hardly blame her!
>
> If the business owner chooses not to call me today, I presume I'll have
> to contact them tomorrow, Monday, and attempt to follow up.
>
> I have confirmed that their site remains up and that the private data of
> their entire customer base is still easily accessible.
>
> What a shame.  The consequences of ignorance are little different from
> those of evil.
>
> pchelp
>
>
> (I don't know if anyone's following this tale.  I'm seeing no responses
> on the thread...  Hope it's of interest to y'all!)





----------

From: Paul Rupe <prupe@nc.rr.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:12:18 -0400
Message-ID: <9gjkf9$2rct$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:11:06 +0000 (UTC)

pchelp@nwi.net (pchelp) wrote in news:3b2d1900.96690999@news.grc.com:

> I've been talking to some friends about it.  We quickly discovered that
> the problem has to do with Javascript.  Using a Javascript-enabled
> browser, the order pages will produce a persistent popup demanding the
> zip code of the buyer before it will disply the order.  But the whole
> page of order info is also delivered in the same page!  Disabling
> Javascript results in a plain display of the whole thing.

Not nearly as bad as this case, but I found a site that could be hacked 
without even trying.  Their order form used Javascript to compute the price 
of an order, which worked real well when I had it disabled.  So all I had 
to do was strip out the READONLY attribute on the <INPUT> fields with 
Proxomitron and I could "name my own price", heh.  The server just blindly 
accepted whatever value for order_total the client sent.  I was too nice to 
order 10 of everything for $0, but it would have happily let me.  I sent an 
e-mail to their webmaster a month ago and it's still not fixed.

> Evidently the folks at the vendor's place of business are unable to see
> the problem.  They try to access the "evil" URL with a script-enabled
> browser and it LOOKS like there's nothing to see.  They presumably
> checked out my claim that the data was exposed and concluded that it
> was not.

How much do you want to bet they'll "fix" it with something like
  <noscript>
  You must enable Javascript to view this page.
  </noscript>

It amazes me how many web designers don't understand basic concepts like 
"don't assume ANYTHING about the guy on the other end of the socket".


-- 
Paul Rupe                                        "She smiled, in the end."
p r u p e @ n c . r r . c o m



----------

From: Carlene <l6xso6xcxj5xvlg001@DIEsneakeSPAMMERmail.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 02:29:38 -0700
Message-ID: <MPG.159769d938f424ee989699@207.71.92.194>
NNTP-Posting-Date: Mon, 18 Jun 2001 09:28:17 +0000 (UTC)
X-Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>
Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>

In article <9gjkf9$2rct$1@news.grc.com>, prupe@nc.rr.invalid says...
> Not nearly as bad as this case, but I found a site that could be hacked 
> without even trying.  Their order form used Javascript to compute the price 
> of an order, which worked real well when I had it disabled.  So all I had 
> to do was strip out the READONLY attribute on the <INPUT> fields with 
> Proxomitron and I could "name my own price", heh.  The server just blindly 
> accepted whatever value for order_total the client sent.  I was too nice to 
> order 10 of everything for $0, but it would have happily let me.  I sent an 
> e-mail to their webmaster a month ago and it's still not fixed.
> 
raaaaaa haw haw haw haw haw haw haw

Irresistable. I'll bet that's common!


> > Evidently the folks at the vendor's place of business are unable to see
> > the problem.  They try to access the "evil" URL with a script-enabled
> > browser and it LOOKS like there's nothing to see.  They presumably
> > checked out my claim that the data was exposed and concluded that it
> > was not.
> 
> How much do you want to bet they'll "fix" it with something like
>   <noscript>
>   You must enable Javascript to view this page.
>   </noscript>
> 
> It amazes me how many web designers don't understand basic concepts like 
> "don't assume ANYTHING about the guy on the other end of the socket".
> 
"How Many" indeed! My point above!



----------

From: "Robert Taylor" <RobertTaylor@SpamCop.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Sun, 17 Jun 2001 21:59:06 -0400
Organization: <dpionfo3kfyuowvumuchwhxpevqm0irk>
Message-ID: <9gjn6k$2u7m$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 01:57:41 +0000 (UTC)


Graciella <graciella@thisis.invalid> wrote in message
news:MPG.1596e060e5def917989924@news.grc.com...
| In article <3b2d0411.91331105@news.grc.com>, pchelp@nwi.net says...
| > Well, folks, their site is back up and there is NO CHANGE.
| > That's right.  Their customers' personal info and credit card numbers
| > are world-readable.

[]

| unbelievable! if it includes either your or your client's info, take
| screen shots, run don't walk to the nearest lawyer, and sue their ass.

[]

Why Miss Graciella, you astonish me... My, my,  I do declayhya.  Such language
!  ;~)

    Regards,

    Robert

( P.S.  For the literal-minded out there:   * Just Kidding !! *  )

P.P.S.   PCHELP:  I am also watching this thread with interest, as are, I'm
sure, many others.

|
| --
| Graciella!





----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 09:18:56 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.1597c9c85fa3ccbf98992b@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 13:17:37 +0000 (UTC)

In article <9gjn6k$2u7m$1@news.grc.com>, RobertTaylor@SpamCop.net says...

> Why Miss Graciella, you astonish me... My, my,  I do declayhya.  Such language
> !  ;~)

heck, you shoulda seen what i wrote first...us classy dames sure can 
swear when we're riled up <G>...

-- 
Graciella!



----------

From: "Robert Taylor" <RobertTaylor@SpamCop.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 18:07:21 -0400
Organization: <dpionfo3kfyuowvumuchwhxpevqm0irk>
Message-ID: <9glu00$25sj$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 22:05:53 +0000 (UTC)


Graciella <graciella@thisis.invalid> wrote in message
news:MPG.1597c9c85fa3ccbf98992b@news.grc.com...
| In article <9gjn6k$2u7m$1@news.grc.com>, RobertTaylor@SpamCop.net says...
|
| > Why Miss Graciella, you astonish me... My, my,  I do declayhya.  Such
language
| > !  ;~)
|
| heck, you shoulda seen what i wrote first...us classy dames sure can
| swear when we're riled up <G>...
|

[]        Good !  ;~)

| --
| Graciella!





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:59:40 GMT
Message-ID: <3b2e254d.165386358@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 15:57:50 +0000 (UTC)


OK, the site is down again.

And oh, things are happening.  That journalist is a fireball.

pchelp



----------

From: "Walter B" <walter@antispam.add>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 12:28:14 -0400
Organization: Home User <wav3dlikd55wsfslvatcedlkgsb5lzzs>
Message-ID: <9gla53$1dq9$1@news.grc.com>
Content-Type: text/plain;
	charset="iso-8859-1"
NNTP-Posting-Date: Mon, 18 Jun 2001 16:27:16 +0000 (UTC)

The power of the press!

--=20
--=20
Walter B
_______
"pchelp" <pchelp@nwi.net> wrote in message =
news:3b2e254d.165386358@news.grc.com...
>=20
> OK, the site is down again.
>=20
> And oh, things are happening.  That journalist is a fireball.
>=20
> pchelp




----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 16:46:17 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C477B41F3BDitsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:46:17 +0000 (UTC)

Posted by pchelp, in article news:3b2e254d.165386358@news.grc.com:

> OK, the site is down again.
> 
> And oh, things are happening.  That journalist is a fireball.

Good.  I think it's about time they fly you in and pay you to throughly 
fix things.

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: NCaylor <ncaylor@theriver.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 09:17:28 -0700
Message-ID: <3B2E2998.46E649A3@theriver.com>
Content-Type: text/plain; charset=us-ascii
NNTP-Posting-Date: Mon, 18 Jun 2001 16:15:14 +0000 (UTC)

Great job, pchelp!!  You've done this company one humongous favor.  Too
bad they haven't yet cleaned up their act.

Before making any public disclosures, it might be wise for you to run
all this by your own attorney.  In this sue-happy society of ours its
best to keep your own backside as well covered as possible.

Norman



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 16:42:17 GMT
Message-ID: <3b2e2a41.166654094@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 16:40:27 +0000 (UTC)

NCaylor <ncaylor@theriver.com> wrote:

>Great job, pchelp!!  You've done this company one humongous favor.  Too
>bad they haven't yet cleaned up their act.

Thanks.

I've just received an email from the owner, who asked me to try the
"exploit" again.  He has evidently repaired the script so no data gets
out.

I added a few bits of advice in my response.


>Before making any public disclosures, it might be wise for you to run
>all this by your own attorney.  In this sue-happy society of ours its
>best to keep your own backside as well covered as possible.

At this point the cat is out of the bag.  At least one journalist knows
all.

pchelp



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 19:50:56 GMT
Message-ID: <3b2e5b94.179283245@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 19:49:04 +0000 (UTC)


http://www.wired.com/news/ebiz/0,1272,44613,00.html

pchelp



----------

From: paddybythesea@myrealbox.com
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 20:23:46 GMT
Organization: <2qos020mgaxpom5nbnx0sfnlqrpyd0bz>
Message-ID: <3b2e621b.27450166@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 20:23:31 +0000 (UTC)

On Mon, 18 Jun 2001 19:50:56 GMT, pchelp@nwi.net (pchelp) wrote:

>
>http://www.wired.com/news/ebiz/0,1272,44613,00.html
>
>pchelp

Hmm......Reminds me of a well known song.

Cheers Paddy.

"Send lawyers guns and money,the sh*t has hit the fan".
Warren Zevon



----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 21:06:58 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C4A21CE8CCAitsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:06:58 +0000 (UTC)

Posted by pchelp, in article news:3b2e5b94.179283245@news.grc.com:

> http://www.wired.com/news/ebiz/0,1272,44613,00.html

Wow.  And those guys have a pretty good reputation.

Um, had.  That site should *never* have gone back online until everyone, 
including the owner, was *sure* that it was secure.  They deserve any 
losses this causes for them, imo.

Keith, I've got a lot of respect for your discretion in handling all this, 
and for your eventual unpleasant but necessary decision to take it to the 
press.

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 21:16:04 GMT
Message-ID: <3b2e6ebd.184188837@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:14:11 +0000 (UTC)

ouroboros@apexmail.com (Q) wrote:

>Posted by pchelp, in article news:3b2e5b94.179283245@news.grc.com:

>> http://www.wired.com/news/ebiz/0,1272,44613,00.html

>Wow.  And those guys have a pretty good reputation.

>Um, had.

Yeah, that's the part I don't like.  It's pretty tough.


>That site should *never* have gone back online until everyone, 
>including the owner, was *sure* that it was secure.  They deserve any 
>losses this causes for them, imo.

Even if the backlash is to a great degree "deserved" for their betrayal
of their clients, I believe it wasn't intentional.


>Keith, I've got a lot of respect for your discretion in handling all this, 
>and for your eventual unpleasant but necessary decision to take it to the 
>press.

Thanks, Q.  I sleep well at night, and I think that won't change.

pchelp



----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 23:08:59 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C4B7E1B55A0itsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Mon, 18 Jun 2001 23:08:59 +0000 (UTC)

Posted by pchelp, in article news:3b2e6ebd.184188837@news.grc.com:

>>That site should *never* have gone back online until everyone, 
>>including the owner, was *sure* that it was secure.  They deserve any 
>>losses this causes for them, imo. 
> 
> Even if the backlash is to a great degree "deserved" for their
> betrayal of their clients, I believe it wasn't intentional.

I was too harsh - I'm sure there are a lot of good people there who do
not deserve the loss of income and employment that may ensue.  If they
stay afloat, I'll consider them next time I need hardware - over the
next few weeks and months, I think it will be difficult to find a firm 
that will be more concerned about security than they will! 

A greater good may be served by the fallout if other e-businesses become
more concerned about making *sure* their sites are secure.  If I were
starting an online retail operation, one of the first things I would do
would be to hire an independent security consultant (know any good 
ones? ;-), and I'd bring him back for a look every time any changes were 
made to the ordering system.  I'd feel a great deal better about buying
things online if this were SOP for e-tailers. 

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 23:23:00 GMT
Message-ID: <3b2e8b16.191446688@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 23:21:07 +0000 (UTC)

ouroboros@apexmail.com (Q) wrote:

>Posted by pchelp, in article news:3b2e6ebd.184188837@news.grc.com:

>>>That site should *never* have gone back online until everyone, 
>>>including the owner, was *sure* that it was secure.  They deserve any 
>>>losses this causes for them, imo. 

>> Even if the backlash is to a great degree "deserved" for their
>> betrayal of their clients, I believe it wasn't intentional.

>I was too harsh - I'm sure there are a lot of good people there who do
>not deserve the loss of income and employment that may ensue.  If they
>stay afloat, I'll consider them next time I need hardware - over the
>next few weeks and months, I think it will be difficult to find a firm 
>that will be more concerned about security than they will! 

I'm not so sure now.  Michelle Delio of Wired has sent me a copy of a
mass of pure bullshit they wrote in response.

They're implying I did something illegal, and acted improperly in
disclosing the exploit to Wired -- although I only communicated with her
_after_ they had shut down the server for the second time and I believed
the hole could not possibly be allowed to open again.  They've falsely
claimed the ASP page was only briefly and erroneously available to the
Net at large, described the access as a "hack" and said that I used some
sort of "workaround" after the (apparently nonexistent) fix they claim
was done done on Saturday.

I have an urgent appointment at this moment, no time to post it.  I'll
do so later on, at which time there may also be more to report.

I've been inclined to cut them a lot of slack, but these folks are doing
nothing now to justify my forebearance; and a lot to confirm that abject
irresponsibility must lie behind the whole affair.


>A greater good may be served by the fallout if other e-businesses become
>more concerned about making *sure* their sites are secure.  If I were
>starting an online retail operation, one of the first things I would do
>would be to hire an independent security consultant (know any good 
>ones? ;-), and I'd bring him back for a look every time any changes were 
>made to the ordering system.  I'd feel a great deal better about buying
>things online if this were SOP for e-tailers. 

Me, too.

For the record, I'm selling no such service.  I'm sure there are plenty
of people with better skills than mine for that particular purpose.

pchelp



----------

From: Carlene <l6xso6xcxj5xvlg001@DIEsneakeSPAMMERmail.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:50:58 -0700
Message-ID: <MPG.159841aed05f28ca98969d@207.71.92.194>
NNTP-Posting-Date: Tue, 19 Jun 2001 00:49:37 +0000 (UTC)
X-Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>
Cecil-ID: <pwmqyfql2xiprbwwlrr2m2rkgcefouhd>

Well SO FAR, all postings here have demonstrated your inarguable integrity in the handling of this matter, but I suspect it will not be long until the ignorant begin to post that you are slime/scum -- a hacker who should be prosecuted.

It's at that point I would think you to have been harmed, your reputation, and even your ability attract new clients and make a living. We all know what recourse is available from there.

For the record, I see NO irony or similarity between your existing situation with paris, and the potential offense you could mount should your name be smeared over this, even if just in these forums.


In article <3b2e8b16.191446688@news.grc.com>, pchelp@nwi.net says...
> I'm not so sure now.  Michelle Delio of Wired has sent me a copy of a
> mass of pure bullshit they wrote in response.
> 
> They're implying I did something illegal, and acted improperly in
> disclosing the exploit to Wired -- although I only communicated with her
> _after_ they had shut down the server for the second time and I believed
> the hole could not possibly be allowed to open again.  They've falsely
> claimed the ASP page was only briefly and erroneously available to the
> Net at large, described the access as a "hack" and said that I used some
> sort of "workaround" after the (apparently nonexistent) fix they claim
> was done done on Saturday.
> 
> I have an urgent appointment at this moment, no time to post it.  I'll
> do so later on, at which time there may also be more to report.
> 
> I've been inclined to cut them a lot of slack, but these folks are doing
> nothing now to justify my forebearance; and a lot to confirm that abject
> irresponsibility must lie behind the whole affair.
<snip>
> 
> pchelp
> 



----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:42:48 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C4D2307CB94itsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Tue, 19 Jun 2001 01:42:48 +0000 (UTC)

Posted by Carlene, in article
news:MPG.159841aed05f28ca98969d@207.71.92.194: 

> Well SO FAR, all postings here have demonstrated your inarguable
> integrity in the handling of this matter 

Not only that, Keith's play-by-play postings have time-stamps and are in 
the hands of a third-party archiver (Steve) who will keep them forever.  I 
thought pchelp was just giving us a great story, but he was also creating 
a verifiable log of his actions.  This is an example of Smart Thinking.

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 05:44:00 GMT
Message-ID: <3b2ee5e1.295732@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 05:42:35 +0000 (UTC)

ouroboros@apexmail.com (Q) wrote:

>Posted by Carlene, in article
>news:MPG.159841aed05f28ca98969d@207.71.92.194: 

>> Well SO FAR, all postings here have demonstrated your inarguable
>> integrity in the handling of this matter 

>Not only that, Keith's play-by-play postings have time-stamps and are in 
>the hands of a third-party archiver (Steve) who will keep them forever.  I 
>thought pchelp was just giving us a great story, but he was also creating 
>a verifiable log of his actions.  This is an example of Smart Thinking.

For that I will take credit.  I was aware, as mentioned, that I had
stepped into a position of potential liability; not because I was doing
the wrong thing but because the potential would exist for accusations by
those "irresponsible."

Even so, I am surprised they ever moved in that direction.

pchelp




----------

From: ouroboros@apexmail.com (Q)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:58:08 +0000 (UTC)
Organization: this space for sale or rent
Message-ID: <Xns90C4D3D1BFBD8itsmeitsQ@127.0.0.1>
NNTP-Posting-Date: Tue, 19 Jun 2001 01:58:08 +0000 (UTC)

Posted by pchelp, in article news:3b2e8b16.191446688@news.grc.com:

> Michelle Delio of Wired has sent me a copy of a
> mass of pure bullshit they wrote in response.
> 
> They're implying I did something illegal, and acted improperly in
> disclosing the exploit to Wired -- although I only communicated with her
> _after_ they had shut down the server for the second time and I believed
> the hole could not possibly be allowed to open again.  They've falsely
> claimed the ASP page was only briefly and erroneously available to the
> Net at large, described the access as a "hack" and said that I used some
> sort of "workaround" after the (apparently nonexistent) fix they claim
> was done done on Saturday.

>:(

<sigh>  

I'm sure there are some very upset people at HQ, and I wouldn't expect 
them to have a good attitude about things at the moment.  Unfortunately, 
now that they've issued a press-release e-mail, it may be very difficult 
for them to back off this fscked-up stance.  I'm not optimistic about them 
changing their spin, but I hope they'll not attack you with legal action.  
They don't have a toenail to stand on, let alone a leg.  (Ianal, btw.)

Q
-- 
If you're not part of the solution, then you're part of the precipitate.
- S. Wright



----------

From: "Ron" <noneed@itsanewsgroup.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 23:20:32 -0400
Message-ID: <9gmgbn$2rrn$1@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 03:19:19 +0000 (UTC)


> Posted by pchelp, in article news:3b2e8b16.191446688@news.grc.com:

> > Michelle Delio of Wired has sent me a copy of a
> > mass of pure bullshit they wrote in response.

> > They're implying I did something illegal, and acted improperly in
> > disclosing the exploit to Wired -- although I only communicated
with her
> > _after_ they had shut down the server for the second time and I
believed
> > the hole could not possibly be allowed to open again.  They've
falsely
> > claimed the ASP page was only briefly and erroneously available to
the
> > Net at large, described the access as a "hack" and said that I used
some
> > sort of "workaround" after the (apparently nonexistent) fix they
claim
> > was done done on Saturday.

Yeah, right. They got caught by the short hairs- LUCKILY BY YOU. This
could have easily been a thread on a warez site. In today's climate of
(somewhat :)) more security aware surfers, I'm sure more than one
person punched in that URL with java disabled. Workaround my @ss. Since
I'm yelling out loud now, I better stop. Good job bud!

R





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 06:00:33 GMT
Message-ID: <3b2ee6b9.512244@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 05:59:08 +0000 (UTC)

ouroboros@apexmail.com (Q) wrote:

>I'm sure there are some very upset people at HQ, and I wouldn't expect 
>them to have a good attitude about things at the moment.

I said something like that to Michelle.  But the more I think about it
the less sympathetic I feel.

I made a genuine effort to save a lot of people's bacon, including that
of ComputerHQ, and I did it without any vaguest desire or expectation of
personal gain, in fact I was arguably at personal RISK.

These people had better start using their damned heads.  Quickly.

They had damned well better back off their ass-covering PR bullshit and
make peace with me.


>Unfortunately, 
>now that they've issued a press-release e-mail, it may be very difficult 
>for them to back off this fscked-up stance.

You echo my thoughts again.


>I'm not optimistic about them 
>changing their spin, but I hope they'll not attack you with legal action.  
>They don't have a toenail to stand on, let alone a leg.  (Ianal, btw.)

I intend to write up the matter for publication on my website, and make
a very public response to their statements.

I presume they are following this thread, Mr. Chen's email to me
referenced these Message-IDs in its header:  

<3b2bd90d.14771464@news.grc.com>
<3b2d0411.91331105@news.grc.com> 
<MPG.1596e060e5def917989924@news.grc.com>
<3b2d1900.96690999@news.grc.com>
<3b2d207d.98607650@news.grc.com>
<3b2d40cf.106883645@news.grc.com> 
<Xns90C3C25F57C3Fmy155mmWorth@RedLegdotFire!!> 
<3b2d47e5.108697925@news.grc.com> 
<3b2d871a.8109626@news.grc.com> 
<Xns90C481DE71ECitsmeitsQ@127.0.0.1> 
<3b2da029.131296679@news.grc.com>

To ComputerHQ: be advised you ARE free to contact me.  I don't wish to
malign you but I'm going to make public statements that refute your
press release in an uncompromising manner.  At this point I intend to
withhold absolutely nothing.

Attacking me for this was a very, very big mistake.

pchelp

copy emailed to Ted Chen



----------

From: "Hilly" <petmypaw@bellsouth.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:10:58 -0500
Message-ID: <9gmqe8$42a$1@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 06:11:20 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message news:3b2ee6b9.512244@news.grc.com...
<snip>
> Attacking me for this was a very, very big mistake.
<snip>

Heh, someone might want to tell them to at least _stop_ digging the hole.  <g>

Hilly.





----------

From: "Ray F. Jones" <rfjones@oakcrest.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:15:56 -0500
Organization: Oak Crest Concepts <uo44b4bynbnpq5pubud3erahvna2mpe0>
Message-ID: <9gmqkr$45e$1@news.grc.com>
Content-Type: text/plain;
	charset="Windows-1252"
NNTP-Posting-Date: Tue, 19 Jun 2001 06:14:51 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message
news:3b2ee6b9.512244@news.grc.com...
> ouroboros@apexmail.com (Q) wrote:
>
<snip>
>
> To ComputerHQ: be advised you ARE free to contact me.  I don't wish to
> malign you but I'm going to make public statements that refute your
> press release in an uncompromising manner.  At this point I intend to
> withhold absolutely nothing.
>
> Attacking me for this was a very, very big mistake.
>
> pchelp
>
> copy emailed to Ted Chen

pchelp,

If my input on my (pre-public) involvement in this debacle will help,
let me know.

Ray






----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 06:19:31 GMT
Message-ID: <3b2eeead.2547801@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 06:18:06 +0000 (UTC)

"Ray F. Jones" <rfjones@oakcrest.com> wrote:

>"pchelp" <pchelp@nwi.net> wrote in message
>news:3b2ee6b9.512244@news.grc.com...
>> ouroboros@apexmail.com (Q) wrote:

>> Attacking me for this was a very, very big mistake.

>If my input on my (pre-public) involvement in this debacle will help,
>let me know.

Please feel free to say whatever you like, Ray.

pchelp



----------

From: "Ray F. Jones" <rfjones@oakcrest.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:33:03 -0500
Organization: Oak Crest Concepts <uo44b4bynbnpq5pubud3erahvna2mpe0>
Message-ID: <9gmrl9$57t$1@news.grc.com>
Content-Type: text/plain;
	charset="Windows-1252"
NNTP-Posting-Date: Tue, 19 Jun 2001 06:32:10 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message
news:3b2eeead.2547801@news.grc.com...
> "Ray F. Jones" <rfjones@oakcrest.com> wrote:
>
> >"pchelp" <pchelp@nwi.net> wrote in message
> >news:3b2ee6b9.512244@news.grc.com...
> >> ouroboros@apexmail.com (Q) wrote:
>
> >> Attacking me for this was a very, very big mistake.
>
> >If my input on my (pre-public) involvement in this debacle will help,
> >let me know.
>
> Please feel free to say whatever you like, Ray.
>

pchelp,

You're doing fine! <g> Just wanted to assure  you, and let them know,
that you have people who can corroborate the steps (prior to your posts
here) you took to correct THEIR mistakes.

Ray





----------

From: "Hilly" <petmypaw@bellsouth.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:24:42 -0500
Message-ID: <9gmr7v$4o9$1@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 06:25:04 +0000 (UTC)


"pchelp" <pchelp@nwi.net> wrote in message news:3b2e8b16.191446688@news.grc.com...
<snip>
Michelle Delio of Wired has sent me a copy of a mass of pure bullshit they wrote in response.
<snip>

Is this public?  Link?  Copy and paste <g>?

Hilly.





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 07:08:14 GMT
Message-ID: <3b2ef635.4476560@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 07:06:49 +0000 (UTC)

"Hilly" <petmypaw@bellsouth.net> wrote:

>"pchelp" <pchelp@nwi.net> wrote in message news:3b2e8b16.191446688@news.grc.com...
><snip>

>Michelle Delio of Wired has sent me a copy of a mass of pure bullshit they wrote in response.
><snip>

>Is this public?  Link?  Copy and paste <g>?

Oh, sorry about that!  Here it is:


From: Joe [mailto:joe@ljsystems.com]
Sent: Monday, June 18, 2001 5:54 PM
To: mdelio@nyc.rr.com
Subject: security issues


We're trying to find out what and when it happened. Our web development
firm has been looking into it, and it seems like it may have been an
error by a local sysadmin removing the login requirement for a folder
when moving the site to a new server.

This was, by the way, not in a part of the site where somebody could get
to it unintentionally. A "hack", which is illegal, would have been
necessary in order to access it.

While we certainly want our site to be secure, and appreciate the work
of pchelp, we don't feel that this is much different from Microsoft
having a security issue with internet printing a few weeks back.
Microsoft is notified about it and then issues a fix. Something we do
not appreciate is any forwarding of confidential information from a hack
to anybody else before the security hole is closed. This is *at best*
irresponsible. We were in contact with pchelp and he knew we were
working on it. The reason you were able to hack into it this morning was
that the fix was in place at approximately 8am Pacific Time, and since
the programmers were working from a remote location all Sunday night the
site would from time to time be accessible - but only for those that
knew about the hack - we would not expect a web security firm to release
that information to anybody, so I hope you don't put in your article
that you got the information on how to hack our site from a web security
firm - that would sound very strange to me.

The security hole is plugged at this time, and the programmers are
looking at all options and ways the site can be hacked - including
issues with IIS 5.0, ASP and Windows 2000 itself. Issues like these
actually makes us lean more towards ISAPI DLLs, which we have never had
any reports of breakins through - not even through MS Security holes. We
generally use Delphi for making the ISAPI DLLs, if that is of interest
to you.

If you have any other questions, please feel free to email me:
mailto:joe@ljsystems.com

Thank You.
Joe



pchelp



----------

From: "Solo11" <Solo11@UNCLE.gov>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 15:15:40 -0600
Message-ID: <9glqmp$229m$1@news.grc.com>
Reply-To: "Solo11" <Solo11@UNCLE.gov>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:09:45 +0000 (UTC)

Hi Keith,
Great work!
There is nowhere else were we can get drama, and suspense like this, well
maybe at Steve's site!

Solo11


"pchelp" <pchelp@nwi.net> wrote in message
news:3b2e5b94.179283245@news.grc.com...
>
> http://www.wired.com/news/ebiz/0,1272,44613,00.html
>
> pchelp





----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 21:19:22 GMT
Message-ID: <3b2e6f97.184407448@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:17:30 +0000 (UTC)

"Solo11" <Solo11@UNCLE.gov> wrote:

>Hi Keith,
>Great work!
>There is nowhere else were we can get drama, and suspense like this, well
>maybe at Steve's site!

Steve certainly has me far outdone!  I just trail along and put on the
occasional brief event.

Funny, I don't make a point of doing anything newsworthy.  It just seems
to happen every six months or so.

pchelp



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:37:30 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.15983ea07277a180989937@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:36:13 +0000 (UTC)

In article <3b2e6f97.184407448@news.grc.com>, pchelp@nwi.net says...

> Funny, I don't make a point of doing anything newsworthy.  It just seems
> to happen every six months or so.

<G> inevitable for those of us who just can't seem to myob when it comes 
to WRONGS, i guess. keep it up!

-- 
Graciella!



----------

From: Graciella <graciella@thisis.invalid>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:35:39 -0400
Organization: <z4r451ss1o4qrq3444ohubgmthltysoj>
Message-ID: <MPG.15983e3256501558989936@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:34:22 +0000 (UTC)

In article <3b2e5b94.179283245@news.grc.com>, pchelp@nwi.net says...
> 
> http://www.wired.com/news/ebiz/0,1272,44613,00.html

fantastic writeup, glad you saw it through! one little typo (albeit maybe 
important since it means the opposite of what you meant):

"Little explained that any Web browser with JavaScripting enabled was 
able to view the records without entering the zip code."

should be 'disabled' instead of 'enabled'. clear from the rest of the 
story though. 

gonna go back to the thread to see if you've posted the really fun part--
-what kind of response have you gotten NOW from the company??? <G>

-- 
Graciella!



----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 21:53:08 GMT
Message-ID: <3b2e763f.186111652@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:51:16 +0000 (UTC)

Graciella <graciella@thisis.invalid> wrote:

>In article <3b2e5b94.179283245@news.grc.com>, pchelp@nwi.net says...
>> http://www.wired.com/news/ebiz/0,1272,44613,00.html

>fantastic writeup, glad you saw it through!

Thanks!  It's gratifying, although it's been a terrific distraction.


>one little typo (albeit maybe 
>important since it means the opposite of what you meant):

>"Little explained that any Web browser with JavaScripting enabled was 
>able to view the records without entering the zip code."

>should be 'disabled' instead of 'enabled'. clear from the rest of the 
>story though. 

Quite so.

I wish she had also written up my track-down of Mr. Chen.  I thought
that was a nifty part of the story.


>gonna go back to the thread to see if you've posted the really fun part--
>-what kind of response have you gotten NOW from the company??? <G>

I've seen nothing from them since Mr. Chen emailed me earlier today to
report the script fixed.

It's my understanding that the ZDNet/ExtremeTech journalist had lined up
an interview with the company's President -- who, it turns out, is a Mr.
Lee -- not the same guy as Ted Chen, whom I tracked down yesterday.

So my characterization of him as "owner" was evidently incorrect.  Ted
is listed as the Registered Agent for ComputerHQ.Com, Inc., and his name
is on the domain record for computerhq.com.  But I wasn't able to get a
listing of the corporate officers via the CA State Dept website.  That
requires a phone order and is sent by snail-mail.

pchelp



----------

From: "David Hansen" <dhansen@NoSpamtransmetrics.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 14:56:59 -0700
Organization: Transmetrics, Inc.
Message-ID: <9gltf2$2595$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 21:56:50 +0000 (UTC)

"pchelp" <pchelp@nwi.net> wrote in message
news:3b2e5b94.179283245@news.grc.com...
>
> http://www.wired.com/news/ebiz/0,1272,44613,00.html
>
You try to help some people....

"You hacked into the site, didn't you? How else could you see all this
information? If you didn't hack into it, then someone else did and you're as
bad as them for looking at my information. You should have just turned the
computer off and walked away," said Tom Bellflour, a ComputerHQ client, who
said he ordered products using his girlfriend's credit card.


--

-Dave /;^{D>

(Warning: Reply-to address has been changed - Death To Spam!)

PC Help needs Our HELP!!  Lockdown 2000 scam^H^H^H^H Law Suit
http://www.pchelpers.org/          http://www.pc-help.org







----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 22:02:55 GMT
Message-ID: <3b2e79e8.187048645@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 22:01:03 +0000 (UTC)

"David Hansen" <dhansen@NoSpamtransmetrics.com> wrote:

>"pchelp" <pchelp@nwi.net> wrote in message
>news:3b2e5b94.179283245@news.grc.com...

>> http://www.wired.com/news/ebiz/0,1272,44613,00.html

>You try to help some people....

>"You hacked into the site, didn't you? How else could you see all this
>information? If you didn't hack into it, then someone else did and you're as
>bad as them for looking at my information. You should have just turned the
>computer off and walked away," said Tom Bellflour, a ComputerHQ client, who
>said he ordered products using his girlfriend's credit card.

Yeah, there's a guy who couldn't see the forest.

People get very jumpy about these things.  So does the law, for that
matter.

ComputerHQ could have reacted badly too, and put me on the defensive.
Fact is, I knew I was playing with fire when I saw the first record (the
only one it was really OK for me to see) come up on my browser.  But
there was nothing to do but deal with it.  I thought of all those
people...

pchelp



----------

From: "Robert Taylor" <RobertTaylor@SpamCop.net>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 19:23:04 -0400
Organization: <dpionfo3kfyuowvumuchwhxpevqm0irk>
Message-ID: <9gm2dv$2av2$1@news.grc.com>
NNTP-Posting-Date: Mon, 18 Jun 2001 23:21:36 +0000 (UTC)


pchelp <pchelp@nwi.net> wrote in message
news:3b2e79e8.187048645@news.grc.com...
| "David Hansen" <dhansen@NoSpamtransmetrics.com> wrote:
|
| >"pchelp" <pchelp@nwi.net> wrote in message
| >news:3b2e5b94.179283245@news.grc.com...
|
| >> http://www.wired.com/news/ebiz/0,1272,44613,00.html
|
| >You try to help some people....
|
| >"You hacked into the site, didn't you?
<snip>
|
| Yeah, there's a guy who couldn't see the forest.
|
| People get very jumpy about these things.  So does the law, for that
| matter.
|
| ComputerHQ could have reacted badly too, and put me on the defensive.
| Fact is, I knew I was playing with fire when I saw the first record (the
| only one it was really OK for me to see) come up on my browser.  But
| there was nothing to do but deal with it.  I thought of all those
| people...
|
| pchelp

[]

Hello PC,

    For what it's worth, I think you handled an extremely complicated matter
very well indeed.  Such problems are, I believe, not susceptible to a single
"correct" answer (and there are many of them:  for just one, extreme example,
"Sophie's Choice", q.v.).
     Though I admire most of Plato's Dialogues, one characteristic attributed
by him to Socrates was to lay a trap for an adversary in a debate in which he
demanded that his opponent prove a negative proposition--which of course is
impossible, as the Platonic Socrates knew very well.  In the Dialogues, this
strategy never failed.
    Such a dilemma could be cited in this case, where you could conceivably be
asked to prove that you "did not" D/L 14- or 15,000 private data records, but
only observed the nature, the extent and the cause of the problem, whereupon
you behaved in an ethically exemplary manner by notifying the appropriate
persons as to what you had found, and the implicit dangers there.
    I believe I understand your thinking, and I admire you for having the
cajones to follow it to its logical conclusions, as far as anyone would have
been able to do.  As Russell and Whitehead (whom I often refer to on these
boards) showed, a hundred years ago, ethical judgements are, for the most
part, not susceptible of logical proof.  In this arena, then, we are "on our
own", if we understand the question.

    The result:  tough decisions, often misunderstood, and occasionally with
unpredictable consequences.  Perhaps Plato's Socrates may be turned
upside-down in this instance.  I for one will support your actions.

    Best regards,

    Robert

--
Email:       RobertTaylor@SpamCop.net
Web-Site:  http://www.nh.ultranet.com/~robertt/Web-SitePg1.htm




----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 01:02:33 GMT
Message-ID: <3b2ea435.197879497@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 01:00:39 +0000 (UTC)


Thanks, Robert, for an insightful and scholarly analysis!

I appreciate your support.  And I think we could all do with a bit more
classical reading.

pchelp


"Robert Taylor" <RobertTaylor@SpamCop.net> wrote:


>    For what it's worth, I think you handled an extremely complicated matter
>very well indeed.  Such problems are, I believe, not susceptible to a single
>"correct" answer (and there are many of them:  for just one, extreme example,
>"Sophie's Choice", q.v.).
>     Though I admire most of Plato's Dialogues, one characteristic attributed
>by him to Socrates was to lay a trap for an adversary in a debate in which he
>demanded that his opponent prove a negative proposition--which of course is
>impossible, as the Platonic Socrates knew very well.  In the Dialogues, this
>strategy never failed.
>    Such a dilemma could be cited in this case, where you could conceivably be
>asked to prove that you "did not" D/L 14- or 15,000 private data records, but
>only observed the nature, the extent and the cause of the problem, whereupon
>you behaved in an ethically exemplary manner by notifying the appropriate
>persons as to what you had found, and the implicit dangers there.
>    I believe I understand your thinking, and I admire you for having the
>cajones to follow it to its logical conclusions, as far as anyone would have
>been able to do.  As Russell and Whitehead (whom I often refer to on these
>boards) showed, a hundred years ago, ethical judgements are, for the most
>part, not susceptible of logical proof.  In this arena, then, we are "on our
>own", if we understand the question.

>    The result:  tough decisions, often misunderstood, and occasionally with
>unpredictable consequences.  Perhaps Plato's Socrates may be turned
>upside-down in this instance.  I for one will support your actions.
>
>    Best regards,
>    Robert




----------

From: "David Hansen" <dhansen@NoSpamtransmetrics.com>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 17:14:13 -0700
Organization: Transmetrics, Inc.
Message-ID: <9gm5gr$2e6p$1@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 00:14:19 +0000 (UTC)

"pchelp" <pchelp@nwi.net> wrote
> "David Hansen" <dhansen@NoSpamtransmetrics.com> wrote:
> >
> >You try to help some people....
>
>
> Yeah, there's a guy who couldn't see the forest.
>
> People get very jumpy about these things.  So does the law, for that
> matter.
>
> ComputerHQ could have reacted badly too, and put me on the defensive.
> Fact is, I knew I was playing with fire when I saw the first record (the
> only one it was really OK for me to see) come up on my browser.  But
> there was nothing to do but deal with it.  I thought of all those
> people...
>
> pchelp

Just a thought - will this look "good" or "bad" in NH's court?

PRO:  Detected a security hole and arraigned it to be "fixed"

CON: Was looking at security holes, "making trouble"


--

-Dave /;^{D>

(Warning: Reply-to address has been changed - Death To Spam!)

PC Help needs Our HELP!!  Lockdown 2000 scam^H^H^H^H Law Suit
http://www.pchelpers.org/          http://www.pc-help.org








----------

From: pchelp@nwi.net (pchelp)
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Tue, 19 Jun 2001 00:35:43 GMT
Message-ID: <3b2e9de7.196265055@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 00:33:50 +0000 (UTC)

"David Hansen" <dhansen@NoSpamtransmetrics.com> wrote:

>Just a thought - will this look "good" or "bad" in NH's court?

>PRO:  Detected a security hole and arraigned it to be "fixed"

Hmm.  Might be worth a try as a character-related item of evidence.  I'm
not sure.


>CON: Was looking at security holes, "making trouble"

LOL!  One need only redirect the jury's attention to the thousands of
people whose records were exposed...  I think I'd win this argument.

pchelp



----------

From: "Boris Lav" <boris@accesscomm.ca>
Newsgroups: grc.privacy
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 20:58:36 -0600
Message-ID: <9gmf5e$2qgh$1@news.grc.com>
NNTP-Posting-Date: Tue, 19 Jun 2001 02:58:55 +0000 (UTC)


This has got to be one of the longest and most interesting tread that I have
seen.

Cheers,
Boris