From: Sahil Tandon
To: freebsd-questions@freebsd.org
Date: Thu, 25 Dec 2008 18:42:28 -0500
Subject: Re: Security Exploits...to report, or not to report?
Message-ID: <20081225234227.GA174@shepherd>
In-Reply-To: <64c038660812251339r71c0a47dy8cb069a322555eda@mail.gmail.com>
Modulok wrote:

> I was given an FTP account on a server for company X. Being a UNIX
> guy, I did some poking around and discovered a security flaw in how
> they set their web server up, which would permit anyone at the company
> with an FTP account to intercept ANY data that passed through the
> company website.
>
> Question:
> Do I tell them about it? On the one hand I want to do the 'right
> thing' and tell them about it and how to fix it. On the other, I don't
> want to be criminally prosecuted for finding the flaw. I'm not
> implying that they would do such a thing, but in order to find said
> flaw, I had to be poking around.

Report it. If you are afraid of prosecution, and do not wish to be
contacted by anyone, create a Gmail (Yahoo, or whatever) account to
send the message, and do so from a location that cannot be traced to
you.

-- 
Sahil Tandon