[funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-21 Thread Rich Kulawiec
(h/t to Nadim Kobeissi)

Youth expelled from Montreal college after finding "sloppy coding" that 
compromised security of 250,000 students personal data

http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-25-students-personal-data/

Same old story, complete with the customary vacuous denial-by-assertion:

"We acted immediately to fix the problem, and were able to do
so before anyone could use it to access private information."

Riiight, so you weren't good enough to avoid creating the vulnerability
in the first place, yet you are somehow omniscient enough to know that
nobody, that's right, NOBODY, exploited the hole before you fixed it.

---rsk

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 10:26 AM, Rich Kulawiec wrote:
> (h/t to Nadim Kobeissi)
>
> Youth expelled from Montreal college after finding "sloppy coding" 
> that compromised security of 250,000 students personal data
> 
> http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-25-students-personal-data/
>
> Same old story, complete with the customary vacuous denial-by-assertion:
>
> "We acted immediately to fix the problem, and were able to do
> so before anyone could use it to access private information."
>
> Riiight, so you weren't good enough to avoid creating the vulnerability
> in the first place, yet you are somehow omniscient enough to know that
> nobody, that's right, NOBODY, exploited the hole before you fixed it.

Citizens and users need legislative relief. Waiting for an
organization to "do the right thing" does not work. A long history has
demonstrated that by example.

It's too bad politicians are so easily bought and sold like trading
cards. If the politicians actually looked out for the interests of
their constituents, the citizens and users would likely already have
it in the US. The legislation would upset the risk equations, and
compel an organization to act.

Instead, the 'X' of the risk analysis equation is basically sending
out a 50 cent letter. How does that compare when 'Y' is millions and
billions of dollars? I'm not an economist, but I would venture to say
the 50 cent letter is always chosen when multi-million dollar revenue
streams are involved.

Who is more dangerous to the general populace? Bin Laden and friends,
or a US corporation and their purchased representatives?

Jeff


Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 10:26 AM, Rich Kulawiec wrote:
> (h/t to Nadim Kobeissi)
>
> Youth expelled from Montreal college after finding "sloppy coding" 
> that compromised security of 250,000 students personal data
> 
> http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-25-students-personal-data/
>
> ...

Does anyone know if CA law has provisions for Security Testing and
Evaluations (ST&E) or Reverse Engineering (RE)?

Jeff


Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-22 Thread Jim Murray
Bad example to set for others - these companies really need to think 
before they reach for the lawyer.


Next time some student discovers a flaw in a piece of software what's he 
more likely to do now...


A : Report it and get threatened/kicked out of college/arrested

or

B : Sell the exploit on the underground anonymously and make some cash.

Corporate behavior like this is damaging both to the corporation and to 
society; the sooner that lesson is learned, the better for everyone.


Jim.


On 21/01/2013 3:26 PM, Rich Kulawiec wrote:
> (h/t to Nadim Kobeissi)
>
> Youth expelled from Montreal college after finding "sloppy coding" that
> compromised security of 250,000 students personal data
>
> http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-25-students-personal-data/
>
> Same old story, complete with the customary vacuous denial-by-assertion:
>
> "We acted immediately to fix the problem, and were able to do
> so before anyone could use it to access private information."
>
> Riiight, so you weren't good enough to avoid creating the vulnerability
> in the first place, yet you are somehow omniscient enough to know that
> nobody, that's right, NOBODY, exploited the hole before you fixed it.
>
> ---rsk



Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-22 Thread Rich Kulawiec
On Tue, Jan 22, 2013 at 11:05:39AM +, Jim Murray wrote:
> Bad example to set for others - these companies really need to think
> before they reach for the lawyer.

Yep.  Add to this the appallingly stupid non-concept of "responsible
disclosure" and it becomes clear that companies are 100% concerned about
profits and 0% concerned about security.  One of the most galling things
about that story is that this statement from the company CEO (Edouard Taza):

"We acted immediately to fix the problem, and were able to do
so before anyone could use it to access private information."

was not challenged by the article's author, since it is of course an
obvious fabrication.

---rsk



Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-22 Thread phester

http://www.cbc.ca/news/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html


Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-22 Thread Valdis Kletnieks
On Tue, 22 Jan 2013 08:14:34 -0500, Rich Kulawiec said:

> about that story is that this statement from the company CEO (Edouard Taza):
>
>   "We acted immediately to fix the problem, and were able to do
>   so before anyone could use it to access private information."
>
> was not challenged by the article's author, since it is of course an
> obvious fabrication.

Yeah, I liked how they didn't know they had gotten probed till the kid
*told* them, but were immediately able to verify that they didn't have
any other un-noticed exploits of the hole.  (Sure, you can easily grep
for the scanning tool's footprint, but it takes a lot longer to verify
there's no disguised attacks with a different footprint).



Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-23 Thread Rich Kulawiec
On Tue, Jan 22, 2013 at 01:50:10PM -0500, valdis.kletni...@vt.edu wrote:
> Yeah, I liked how they didn't know they had gotten probed till the kid
> *told* them, but were immediately able to verify that they didn't have
> any other un-noticed exploits of the hole.  (Sure, you can easily grep
> for the scanning tool's footprint, but it takes a lot longer to verify
> there's no disguised attacks with a different footprint).

"In a world where owning a radio was strictly forbidden,
one man found a way to bring good news to his people.

He made it up."

Security holes usually don't travel alone.

---rsk



Re: [funsec] Youth expelled from Montreal college after finding "sloppy coding" that compromised security of 250,000 students personal data

2013-01-24 Thread Rich Kulawiec

Oh, this story just keeps getting better:


http://o.canada.com/2013/01/22/dawson-student-expelled-while-college-website-remains-hacked-16-months-later/

Excerpt:

This, despite the fact that a primary Dawson College public
domain may remain compromised following a 2011 incursion by an
unknown hacker named "iskorpitx". That hacker appears to have
successfully uploaded a 'Shell' to the domain, leaving a public
'f** file' alerting administrators of the site that a successful
incursion had taken place.

As of midnight Monday, the Dawson College server still returned
the file using any web browser, despite credible Twitter alerts
about the compromise to @mydawsoncollege earlier that evening
from multiple sources.

Apparently the incompetent lying morons at Dawson College are far more
worried about a student who is arguably brighter than they are than they
are over exposing the information of their faculty/staff/students.

---rsk