Breaking the news: Your Vulnerable!
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Breaking the news: Your Vulnerable!

  1. #1

    Question Breaking the news: Your Vulnerable!

    I've noticed that there are lots of posts about people wondering whether or not to tell sys admins that they have security holes. For those of us who decide to spill the beans, does anyone have any advice on how to format the letter? Maybe someone who is good at writing could provide us with a template so those of us who are less skilled dont seem unprofessional?

  2. #2
    Use correct grammer, correct technical terms and spell check it.

    Be like,

    Dear SysAdmin (if you dont know the name).

    I recently found a hole in your network. This is the way i found it....blah blah blah....This is how you can fix it...blah blah blah.....i would suggest you dont use your ISP's email account or something, cuz some admins can get pissed and report you as a bad guy, use proxies if possible etc.
    StreetsCrack.com Join The Best Music Social Network Online. Music downloads, promotions, forums, profile, games etc...

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Yea, you may think that you are doing a good deed, but some sys admins (especially those who feel self important) get pissed becasue you make them look like asses if you find bunches of holes in their network, so be sure to cover your own ass. If possibel make the letter anonomous, and try to make it sound the least condecending as possible. Also besure to include the ifx if you know it, becasue that will ease there mind a little. Try to do it as descreley as possible, that way they dont look like idots ot their colleges.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    I've really been pondering lately about adding wireless security to my business-services... going out on a wardrive, and dropping notes in all mailboxes that are in the neighborhood of an unsecure one. I was thinking about something like "Y0! I hax0red your wireless stuff! But there's good news, too! I can secure it for $99! Call me!"

    You didn't mention if the sys admin works for the same company you work for, and if yes: is he higher-ranked than you are? That might be important

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    50
    This brings to mind a story from a couple of years ago on Cnet News.com. --HERE'S THE LINK-- You may want to read this before you display any good intentions. After all, no good deed goes unpunished.
    Always happens, I get all worked up to say somthing profound and bam!!! uh... whut were we talkin bout?

  6. #6
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    About the article: That company only got in trouble because one of their l33t h4x0r employees posted a vulnerability to the public.

    What I don't understand about the article is that HP did fix all the flaws, so why would it matter if the vulnerability was public or not?

    Now that I think of it, I guess to protect people who didn't get a patch yet...
    I am the uber duck!!1
    Proxy Tools

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    Depends on the flaw, depends on the way again..

    I do often send friendly warning mails, both private and at the office (customers)..
    Most admins I've come accross are as happy as can be..
    Especialy if not only you tell them about the problem, but just add a litle info (and links to more info) on the ways to fix, wile you are at it..


    Cheers..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    I to have sent friendly warning emails in the past, something I commonly use for this sort of task is: http://anonymouse.ws/anonemail.html (anonymous emailing), and call me paranoid, but I also connect to this site from a proxy as well...

    Just thought I'd share it with you all, if you all don't know of it already .
    I am the uber duck!!1
    Proxy Tools

  9. #9
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Hey,

    I would hope they would eagerly accept the help before they were sent seeking other employment because of something they could have prevented. Regardless of any poor 'tude' they may possess, I'd be quite frank and not candy-coat the turd.

    Seems to me a simple format of a greeting, telling them whats wrong and the consequences if its not corrected, how you found out about it, and then how to fix it or at least lead them to the water. Maybe something like:


    Good Day,

    Im writing this letter to inform you that your computer network suffers from several critical vulnerabilities. The most noted and dangerous to your accounts is the WXYZ vulnerability. This one in particular if exploited will allow a cracker to access your financial data base and acquire the credit card numbers of your patrons. I would imagine that you would like to know how I am aware of the weakness in your security. While I was driving past your facility I happened to have my laptop on. Much to my surprise your wireless network was broadcasting its SSID. Therefore, I was able to gain unfettered access to your network. To prove my point, your SSID is 4im1337. Additionally I noticed that you did not have the latest version of the Xyz-Data. To resolve this situation you will need to download and install the latest version of Xyz-Data and do not broadcast your SSID unless absolutely necessary. Click here to visit the Website for specific information about the WXYZ vulnerability.

    Concerned
    Connection refused, try again later.

  10. #10
    Thanks for all the posts everyone, this really helps

    Negative: I dont work for the company that has the problem. Maybe vulnerable wasnt the right word to use. There is a webserver that has some tools that I dont think they thought people would find, if that isnt worded too awkwardely. But everything is public, so i didnt have to break into anything to get there.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •