[Dshield] scanning & consent

Rich Weissler Rich.Weissler at mail.wvu.edu
Mon Dec 1 16:11:38 GMT 2003


On Wednesday, 11/26/03 Mr. Hart wrote:
> The real issue is that security flaws cannot necessarily be expressed
> as open ports or even exploitable software.

I apologize that this message comes so late in the game, but I'm now
catching up on email after the holiday.  I just wanted to add one small
side-note to the conversation.  You mentioned that this was an Acc-Pak
system.  I believe that makes it an accounting system.  That (in my mind
anyway) makes it one of the more sensitive systems in most
organizations.  There may be HIPAA regulation concerns when you do the
risk assessment (especially SSNs.)  I don't know if it changes anyone
else's concerns recognizing that you are talking about an analysis of a
live accounting, possibly a payroll system.

In any event, you probably shouldn't do any assessment across insecure
lines.

> In this case, I'm not selling a product or service. In contrast, I'm
> selling a concept. Both of the aforementioned conditions apply. I'd
> like to make them aware and irritate the hell out of them (actually,
> "them" in this case is "us") to take action. They are not going to call
> someone like you until they see the light.

;-)  I would think handing the Board a paper listing of all the
employees with SSN and pay rates should shake someone up.  Even if no
one is shaken up by the potential lawsuits you would be open to, you
might point out that head hunters would love that sort of information.
;-)
