Re: *MAJOR SECURITY BREACH AT CCBILL*

From: Robert van der Meulen (rvdm@wiretrip.org)
Date: 12/20/01


Date: Thu, 20 Dec 2001 00:12:50 +0100
From: Robert van der Meulen <rvdm@wiretrip.org>
To: l0rtamus Prime <simon@snosoft.com>


Quoting l0rtamus Prime (simon@snosoft.com):
> The problem with his web site is a simple perl issue that any average
> perl programmer can figure out. Any advice on what I should do? Should
> I post a full disclosure?
> I have tried to contact him, his ISP (verio) and other people but thus
> far have yet to speak to anyone reasonable.
I've got very good experience with sending them a polite email, explaining
the issues, and making clear your intentions are good.
If they don't reply, mail again, Cc-ing the ISP/upstream involved.

Give them time; if they don't reply within a _reasonable_ amount of time,
try calling; try making the 'full disclosure' decision the last thing you
fall back on. I'm of course completely in favour of full disclosure, but
the target you're trying to help might have their own ideas about that. If
you can, try to leave that decision up to them.
I personally have never had a bad response, or threats/legal stuff thrown at me.

Greets,
        Robert

-- 
			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
      "Invalid element 'rvdm' in content of 'p'." (WAP emulator error)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com