Re: [Full-disclosure] Undisclosed breach at major US facility
From: Denis Jedig (seclists at syneticon.de)
Date: Mon Jul 03 2006 - 18:27:38 CDT
r r wrote:
> I would like to know what to do if I --hypothetically speaking--
> were to retrieve _complete_ databases of a MAJOR US hospital. My
> hypothetical model is not brute force, but rather an 'accidental'
> discovery by trying to retrieve updates from a software vendor.
In my opinion, a public service operated insecurely is a danger to every
single one of its customers. Publishing this kind of information (not the
data dump of course, only pointing out the kind of flaws and the
responsible persons or organizations) is a service to current and
potential customers of the public service. You might try to get the
"ordinary" (non-tech, non-security) press, but in my experience the
sensation index of such incidents is just too low to interest
journalists, and they think that the technical stuff is too complicated
anyway. So the second option is to report an offence to the prosecutive
authorities (no idea who handles data security issues in the States -
the FBI maybe?) or supervisory bodies (US Department of Health?). You
could do both, just so you tried, and maybe add some politician known to
be keen on privacy and data security to your list of contacts.
If you expect that there is no chance for the flaw to be fixed correctly
(i.e. without a chance to reoccur in a different flavour within some
days), there is little sense in contacting the involved parties directly.
Denis
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/