Received: by butch.nwinternet.com (mbox pchelp) (with Cubic Circle's cucipop (v1.31 1998/05/13) Mon Jun 18 09:07:21 2001)
X-From_: tedc@ljsystems.com Mon Jun 18 09:05:05 2001
Return-Path:
Received: from mailserv.ljsystems.com (lj-pdc.ljsystems.com [207.181.248.115]) by butch.nwinternet.com (8.9.3/8.9.3) with ESMTP id JAA24117 for ; Mon, 18 Jun 2001 09:05:05 -0700
Received: from server (adsl-64-168-22-135.dsl.snfc21.pacbell.net [64.168.22.135]) by mailserv.ljsystems.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id NFD67628; Mon, 18 Jun 2001 09:03:13 -0700
Message-ID: <00bd01c0f811$c581bb40$0300a8c0@server>
From: "Ted Chen"
To: "pchelp"
References: <3b2bd90d.14771464@news.grc.com> <3b2d0411.91331105@news.grc.com> <3b2d1900.96690999@news.grc.com> <3b2d207d.98607650@news.grc.com> <3b2d40cf.106883645@news.grc.com> <3b2d47e5.108697925@news.grc.com> <3b2d871a.8109626@news.grc.com> <3b2da029.131296679@news.grc.com>
Subject: Re: Major Breach of Privacy
Date: Mon, 18 Jun 2001 09:14:28 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Hi Keith, can you try it now? They said they fixed it already.

Ted

Now the zip code is stored in session params. I turned off JavaScript and it works - it shows a blank screen if something's wrong. Problems with the card expiration date are also fixed. I'll come to work early tomorrow - email me if something's wrong.

----- Original Message -----
From: "pchelp"
Newsgroups: grc.privacy
To: ;
Sent: Sunday, June 17, 2001 11:58 PM
Subject: Re: Major Breach of Privacy

>
> ouroboros@apexmail.com (»Q«) wrote:
>
> >Posted by Geek, in article news:3b2d871a.8109626@news.grc.com:
>
> >> Just read through the whole thread. I really think it would behoove
> >> you to let us know the name of this company. Some of us may have done
> >> business with this company.
>
> > I agree, all of those involved have a right to know.
> >
> >There may well be people reading this who would love to know what company
> >it is so they can drop by the website and grab some CC numbers. Public
> >disclosure has got to be a last resort.
>
> That's how I see it presently.
>
> At this point, the site is offline again and I am confident they won't
> allow the problem to go unsolved again. I wouldn't bet on their site
> being truly _secure_ (it's on an IIS server after all), but the
> particular hole I found will undoubtedly be closed.
>
> But my considerations for withholding the name go beyond the immediate
> security of the data. I believe it would be most fair of me to allow
> the company to take its own action (or not) and to _then_ respond
> accordingly.
>
> Naming them is not something I'll rush to do. I can't reverse the
> release of such information. I wish to make that decision only with
> great care.
>
> If I know they're contacting their customers to inform them of their
> potential exposure, I will refrain from naming the company for the time
> being. If I come to believe they are not going to do so, as I would, for
> example, if my questions on the matter were to go too long unanswered, I
> will immediately name the company publicly and in as non-inflammatory a
> manner as possible, for the sake of those uninformed customers.
>
> Exposing the company to broad public displeasure (some of which would
> surely result) is to my mind a severe act. It might arguably be no less
> severe than their exposure of their clients, but I believe the breach
> was not deliberate, and it is possible, however unlikely, that the
> private data didn't fall into hostile hands.
>
> The vendor's affected clients MUST be allowed to know what happened; but
> it would be most appropriate to let THEM tell their clients, to present
> their apology, to make their request for information about any credit
> abuse that may relate, to offer their assurances that the data is now
> kept more safely, and so forth.
>
> As far as I know, the vendor is running an honest business. I think
> harsh exposure could be unfair to them, if they act in good faith and in
> a reasonable time now that the problem is known. I intend to allow them
> the chance to deal with it as gracefully as possible.
>
> pchelp
>
> (A cc of this news://news.grc.com/grc.privacy post is being emailed to
> the business owner and to a journalist.)