Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

• Previous message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Next message (by thread): Question about DOCSIS DHCP vs ARP
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 21 Jan 2013 23:23:16 -0500, Jean-Francois Mezei said:
> This article may be of interest:
>
> > http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developping mobile software to interface
> with schools system found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caugh and was expelled.
>
> I the context of this thread, they found a vulnerability in the web
> site's archutecture that allowed the to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline ?"

The interesting part is where the same people who were totally unaware
that they had a major security hole until it was pointed out to them
were also able to issue a very fast blanket denial that any student's
information was in fact compromised.  Sure, you can check your logs for
the footprint of the attack - but apparently this wasn't actually being
done before the student mentioned it to them.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 865 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20130122/25f72d51/attachment.sig>

• Previous message (by thread): Security reporting response handling [was: Suggestions for the future on your web site]
• Next message (by thread): Question about DOCSIS DHCP vs ARP
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]