List: full-disclosure
Subject: Re: [Full-disclosure] Hash
From: "secure poon" <suckure () gmail ! com>
Date: 2007-07-27 18:21:33
Message-ID: 61f54f4f0707271121i92b5c04uf6f15165d07779a9 () mail ! gmail ! com
fucktard morons, (now write me a 10 paragraph response, I'm waiting!)
On 7/27/07, Tremaine Lea <tremaine@gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 27-Jul-07, at 7:49 AM, Valdis.Kletnieks@vt.edu wrote:
>
> > On Thu, 26 Jul 2007 18:23:37 MDT, Tremaine Lea said:
> >
> >> Apparently you've never heard of a mail administrator tagging
> >> outbound email for all users. It's pretty common. Of course, you may
> >> lack the experience of dealing with large companies.
> >
> > The fact a large company does it doesn't make it any less stupid. And you
> > think a large company could afford their own mailserver rather than making
> > their people use Gmail (now wrap your head around the concept of
> > "confidential mail anywhere *near* a Google-owned server"... ;)
>
> I was as amused by that as you.
>
>
> >
> > To pick up on a part of the sig that Nick didn't rip into publicly:
> >
> >> "and delete it from your system"
> >
> > Presumably, Tremaine, in his self-claimed role as "Security Consultant"
> > *and* "Paranoia for hire", realizes that it quite likely sat on my site's
> > main mail server for anywhere from several seconds to several hours (in
> > fact, there are probably copies on *3* different servers in our mail
> > cluster) - and that until some *other* piece of mail happens to land on
> > those same blocks of storage, the text is quite easy to recover by any
> > decent computer forensics practitioner.
>
> Yes, I do realize this. Duh.
>
>
> >
> > On the other hand, actually going in and overwriting the affected
> > block(s) is quite challenging, especially when it's a 10 terabyte
> > mailstore handling several million messages a day for 100K users. We'll
> > be happy to do it - *IF* Tremaine's company is willing to indemnify us
> > for the downtime.
>
> Why would I (or the company I contract to) be interested in what you
> do to delete Sergio's email?
>
>
> >
> > So there's 2 possible outcomes here:
> >
> > 1) The request has zero legal standing, and Tremaine's company is relying
> > on the kindness of strangers rather than using PGP or S/MIME to actually
> > secure their mail. This sort of thing is usually called "lack of due
> > diligence", and I don't think any company wants to be flaunting it.
>
> Speaking of due diligence... I'm pretty sure literacy and following
> a trail of information is basic to this field. As you've clearly
> missed, Sergio has nothing to do with me, the company I work with,
> or ... hell, who knows. I don't know the guy from Adam. Or you.
>
>
> >
> > 2) The request *does* have legal standing - in which case Tremaine's
> > company may indeed have some liability to pick up any and all associated
> > costs.
>
>
> Again with the not being able to follow the bouncing ball.
>
> >
> > Particularly interesting is the legal question of what happens when a
> > "please delete all copies" request is attached to something that's sent
> > to a company that is required to retain copies of *everything* for
> > regulatory compliance (as is true for some financial-sector companies).....
>
> That's the only really interesting thing you've contributed, and it's
> a good question. Anyone know of any court cases on this?
>
> - ---
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> "Paranoia for hire"
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>