ISP Security Flaw (Wanadoo) - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: ISP Security Flaw (Wanadoo)

  1. #11
    Junior Member
    Join Date
    May 2006
    Posts
    7
    Ok, first of all thanks to Highlander for the link, I found it intresting reading and it definately demonstrates typical behaviour of a company when confronted with a problem like this.

    As for the views regarding full-disclosure, I agree on all but the smaller details. I feel its nessacary to highlight the action I have taken before making this post as it would seem alot of people presume that I have jumped straight in at the deep end and just thrown it out there without any kind of consideration before hand.

    I had sent them 2 emails with a good spacing of time between them (2-3 weeks), neither of which yielded a response, I then more recently tried to contact a more neutral party whom i have previously mentioned, they also ignored me.

    Now either everybodies spam filter is turned on or someone thinks im joking or they simply don't care. The way I see it im trying to do them a favour and they're making it very difficult, I've even heard from a 3rd party that he phoned them and had a conversation with someone who claimed they were in the server room, however from the details elaborated it would seem that who ever it was, was more concerned about customers finding out than patching. Infact even as i write this the problem still exists and I find myself inclined to send yet another email just to try see if I can get any form of response.

    As you correctly noted I do have a somewhat negative opinion of them, but this is more a result of how they've handled this situation than a motive for how it came about.

    Thanks for the Feedback

    -Gammarays

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    If you find yourself completely ignored *and* you have a fix then I'd say disclosing the details is just fine. In extreme cases, I also do this but *only* if I can provide a fix and only if I publish the details of my contact attempts with the vendor.

    When you dump the details of an exploit out on a public list when there is no fix available, you haven't helped anyone other than the bad guys.

    Thank you for posting.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    Junior Member
    Join Date
    May 2006
    Posts
    7
    Well I've just got the good news, They've fixed It!

    It may have taken a while but I think the increased volume of complaints regarding the subject had finally come to their notice. Thanks to everyone who emailed them or submitted a complaint form, it makes the difference.

    -Gammarays

  4. #14
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Well, it's been covered in the press too. Check it out:
    http://www.theregister.co.uk/2006/05...security_flap/

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #15
    Junior Member
    Join Date
    May 2006
    Posts
    21
    In a statement, the ISP said: "Wanadoo can confirm that a small number of links to files containing customer details have been posted on the internet. Wanadoo would like to reassure customers that this was an isolated incident and as soon as we were made aware of the problem, the information was removed from the public domain.

    But according to Gammarays, they knew about the problem long before the posting of the links. So what they're really saying is, "We knew we had a problem, and as soon as we realized a whole bunch of other people knew we had a problem, we finally decided to fix it."

    Which makes me wonder, is the biggest security problem on the internet technical or cultural?

  6. #16
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Which makes me wonder, is the biggest security problem on the internet technical or cultural?
    Excellent point.....

    You will find the biggest security hole is always going to be users.....then lazy admins with the attitude...if it aint broke ...dont fix it.

    Also...upper management....really doesnt seem to care about security...unless its gonna affect the bottom line....(I try and use the words "lawsuit" and "fine", "privacy act" alot in those types of meetings)....

    "There are no technical solutions to administrative problems"

    Hey I was just at a seminar on computer\network security...and heard a story how easy it was to social engineer into a banks system........physical access........all the passwords, routers and firewalls in the world aint gonna help out when someone walks out the door with your server.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •