Security Basics mailing list archives

Re: Ethics Question


From: "Adam Newhard" <atnewhard () microstrain com>
Date: Thu, 21 Aug 2003 14:04:22 -0400

Anonymously report it to that company, either through untraceable email or
USPS, preferably USPS, as you're guaranteed it won't be sent back through
you. Your only concern is that your old boss knows you mentioned it, so
that's the only way it's traceable to you (that, and Bugtraq mail is
Googled: a quick search on there and there's viable evidence of what you
may do in the future for your old boss to accuse you of whatever he may feel
plausible, i.e. if someone uses the exploit, well, then that certainly sucks
for you if you mention it). If other people have mentioned it to him, then
that's another story.

Do it anonymously if you do decide to do it; your concern shouldn't be
getting public recognition.
Adam
----------------------------------------------------
Adam Newhard
Microstrain, Inc.
If vegetarians eat vegetables, watch out for humanitarians

----- Original Message ----- 
From: "Mike Taylor" <mtaylor () ablenology com>
To: <security-basics () securityfocus com>
Sent: Wednesday, August 20, 2003 10:54 PM
Subject: Ethics Question


Hello all

The question I have is: do I tell a company that I did work for that a system
they have is not secure? Background: I worked for Company X (left them because
I could not get paid regularly); they have a contract to support and keep
secure Company Y. I noticed on an audit that the machine that is used for
finances is VERY insecure. It is a terminal server machine that is set up so
that two people can get to it from the outside. When you remote to this
machine it bypasses login and gives you a blank desktop with the finance
package login. To bypass it, all you have to do is send a Ctrl-Shift-Esc to
get the task manager, then File > Run > explorer, and you have a machine that
can browse the whole network.

I had brought this to my then boss's attention; he said, "Don't mention it, we
will fix it later." The hole is still there.

What would you do ?

Thanks,

Mike

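The break-out Mike describes is a kiosk-shell escape: the finance package is presented as the user's shell, but Task Manager (Ctrl+Shift+Esc) and its File > Run dialog are still reachable, so explorer.exe can be launched and the session becomes a normal desktop on the network. The following PowerShell is an added example and is not code from the original thread or from either company; it audits the per-user policy values that close that path (DisableTaskMgr, NoRun, DisableRegistryTools) and can set them. It assumes the kiosk effect comes from a per-user Shell value under Winlogon pointing at the finance package; the "finance package" path, the function names and the check list are this example's own choices.

```powershell
# Added example, not part of the original thread: audit the per-user policy
# values that control the break-out path described in the post (Task Manager
# via Ctrl+Shift+Esc, then File > Run > explorer) and optionally set them.
# Run it inside the locked-down user's session (or push the same values via
# Group Policy); it reads and writes only that user's HKCU hive.
# Assumption: the kiosk effect comes from a per-user custom Shell value
# under Winlogon pointing at the finance package.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'
       Want = 1
       Why  = 'Ctrl+Shift+Esc opens Task Manager; File > Run there launches explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun'
       Want = 1
       Why  = 'The Run dialog starts any executable the user can name' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'
       Want = 1
       Why  = 'regedit would let the user revert the two values above' }
)

function Test-KioskPolicy {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting = $c.Name
            Current = $value
            Wanted  = $c.Want
            State   = $(if ($value -eq $c.Want) { 'OK' } else { 'WEAK' })
            Why     = $c.Why
        }
    }
    # The kiosk shell itself: with no per-user Shell value the user gets
    # explorer.exe as a desktop, i.e. full file and network browsing.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{
        Setting = 'Shell (per-user)'
        Current = $shell
        Wanted  = 'path to the finance package (assumed)'
        State   = $(if ($shell) { 'CHECK' } else { 'WEAK' })
        Why     = 'Explorer as the shell gives a full desktop and network browsing'
    }
}

function Set-KioskPolicy {
    # Create the policy keys if absent and write each value as a REG_DWORD.
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want `
            -PropertyType DWord -Force | Out-Null
    }
}

Test-KioskPolicy | Format-Table -AutoSize
# Set-KioskPolicy   # uncomment to apply, then have the kiosk user log off and on
```

Two caveats a practitioner would want. First, values written by hand into HKCU are only as durable as the user's inability to reach the registry, so in practice deliver them through Group Policy (user configuration, with loopback processing on the terminal server) rather than this script; the script is for checking what the session actually got. Second, blocking Task Manager and Run removes one escape route, not the underlying exposure: a session that auto-logs-in from the outside and can reach the whole network should not have that network reach in the first place, whatever shell it shows.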