From: APseudoUtopia
To: Modulok
Cc: freebsd-questions@freebsd.org
Date: Thu, 25 Dec 2008 16:43:01 -0500
Subject: Re: Security Exploits...to report, or not to report?
Message-ID: <27ade5280812251343sa35bbfxeb3219fcd5e3ff5c@mail.gmail.com>
In-Reply-To: <64c038660812251339r71c0a47dy8cb069a322555eda@mail.gmail.com>

On Thu, Dec 25, 2008 at 4:39 PM, Modulok wrote:
> List,
>
> This isn't really FreeBSD related, but I have no one else to consult:
>
> I was given an FTP account on a server for company X. Being a UNIX
> guy, I did some poking around and discovered a security flaw in how
> they set their web server up, which would permit anyone at the company
> with an FTP account, to intercept ANY data that passed through the
> company website.
>
> Question:
> Do I tell them about it? On the one hand I want to do the 'right
> thing' and tell them about it and how to fix it. On the other, I don't
> want to be criminally prosecuted for finding the flaw. I'm not
> implying that they would do such a thing, but in order to find said
> flaw, I had to be poking around.
>
> Suggestions?
> -Modulok-

Personally, I'd tell them.