
Thread: Breaking the news: You're Vulnerable!

  1. #1


    I've noticed that there are lots of posts about people wondering whether or not to tell sys admins that they have security holes. For those of us who decide to spill the beans, does anyone have any advice on how to format the letter? Maybe someone who is good at writing could provide us with a template so those of us who are less skilled don't seem unprofessional?

  2. #2
    Use correct grammar, correct technical terms and spell check it.

    Be like,

    Dear SysAdmin (if you don't know the name),

    I recently found a hole in your network. This is the way I found it....blah blah blah....This is how you can fix it...blah blah blah.....I would suggest you don't use your ISP's email account or something, cuz some admins can get pissed and report you as a bad guy; use proxies if possible, etc.
    O.G at A.O

  3. #3
    Yea, you may think that you are doing a good deed, but some sys admins (especially those who feel self-important) get pissed because you make them look like asses if you find bunches of holes in their network, so be sure to cover your own ass. If possible make the letter anonymous, and try to make it sound the least condescending as possible. Also be sure to include the fix if you know it, because that will ease their mind a little. Try to do it as discreetly as possible, that way they don't look like idiots to their colleagues.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    I've really been pondering lately about adding wireless security to my business services... going out on a wardrive, and dropping notes in all mailboxes that are in the neighborhood of an unsecured one. I was thinking about something like "Y0! I hax0red your wireless stuff! But there's good news, too! I can secure it for $99! Call me!"

    You didn't mention if the sys admin works for the same company you work for, and if yes: is he higher-ranked than you are? That might be important.

  5. #5
    This brings to mind a story from a couple of years ago on Cnet News.com. --HERE'S THE LINK-- You may want to read this before you display any good intentions. After all, no good deed goes unpunished.
    Always happens, I get all worked up to say something profound and bam!!! uh... whut were we talkin bout?

  6. #6
    About the article: That company only got in trouble because one of their l33t h4x0r employees posted a vulnerability to the public.

    What I don't understand about the article is that HP did fix all the flaws, so why would it matter if the vulnerability was public or not?

    Now that I think of it, I guess to protect people who didn't get a patch yet...
    I am the uber duck!!1
    Proxy Tools

  7. #7
    the_JinX
    Depends on the flaw, depends on the way again..

    I do often send friendly warning mails, both private and at the office (customers)..
    Most admins I've come across are as happy as can be..
    Especially if not only you tell them about the problem, but just add a little info (and links to more info) on the ways to fix, while you are at it..


    Cheers..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    I too have sent friendly warning emails in the past. Something I commonly use for this sort of task is: http://anonymouse.ws/anonemail.html (anonymous emailing), and call me paranoid, but I also connect to this site from a proxy as well...

    Just thought I'd share it with you all, if you all don't know of it already.
    I am the uber duck!!1
    Proxy Tools

  9. #9
    Hey,

    I would hope they would eagerly accept the help before they were sent seeking other employment because of something they could have prevented. Regardless of any poor 'tude' they may possess, I'd be quite frank and not candy-coat the turd.

    Seems to me a simple format of a greeting, telling them what’s wrong and the consequences if it’s not corrected, how you found out about it, and then how to fix it or at least lead them to the water. Maybe something like:


    Good Day,

    I’m writing this letter to inform you that your computer network suffers from several critical vulnerabilities. The most noted and dangerous to your accounts is the WXYZ vulnerability. This one in particular, if exploited, will allow a cracker to access your financial database and acquire the credit card numbers of your patrons. I would imagine that you would like to know how I am aware of the weakness in your security. While I was driving past your facility I happened to have my laptop on. Much to my surprise, your wireless network was broadcasting its SSID. Therefore, I was able to gain unfettered access to your network. To prove my point, your SSID is “4im1337”. Additionally, I noticed that you did not have the latest version of the Xyz-Data. To resolve this situation you will need to download and install the latest version of Xyz-Data and not broadcast your SSID unless absolutely necessary. Click here to visit the Website for specific information about the WXYZ vulnerability.

    Concerned
    Connection refused, try again later.

  10. #10
    Thanks for all the posts everyone, this really helps.

    Negative: I don't work for the company that has the problem. Maybe "vulnerable" wasn't the right word to use. There is a webserver that has some tools that I don't think they thought people would find, if that isn't worded too awkwardly. But everything is public, so I didn't have to break into anything to get there.
