Full Disclosure mailing list archives
Re: Undisclosed breach at major US facility
From: Denis Jedig <seclists () syneticon de>
Date: Tue, 04 Jul 2006 01:27:38 +0200
r r wrote:
> I would like to know what to do if I --hypothetically speaking-- were to retrieve _complete_ databases of a MAJOR US hospital. My hypothetical model is not brute force, but rather an 'accidental' discovery by trying to retrieve updates from a software vendor.
In my opinion, a public service operated insecurely is a danger to every single one of its customers. Publishing this kind of information (not the data dump of course, only pointing out the kind of flaws and the responsible persons or organizations) is a service to current and potential customers of the public service. You might try to get the "ordinary" (non-tech, non-security) press, but in my experience the sensation index of such incidents is just too low to interest journalists and they think that the technical stuff is too complicated anyway. So the second option is to report an offence to the prosecutive authorities (no idea who handles data security issues in the States - the FBI maybe?) or supervisory bodies (US Department of Health?). You could do both, just so you tried, and maybe add some politician known to be keen on privacy and data security to your list of contacts.
If you expect that there is no chance for the flaw to be fixed correctly (i.e. without a chance to reoccur in a different flavour within some days), there is little sense in contacting the involved parties directly.
Denis