Even though this is political in nature, I chose to forward it along since it relates DIRECTLY to full disclosure and reporting parties being attacked financially and legally for doing the right and responsible thing.

- Brian

----- Original Message -----
From: "Declan McCullagh" <declan@well.com>
To: <politech@politechbot.com>
Sent: Wednesday, February 27, 2002 21:29
Subject: FC: French site Kitetoa.com fined for expose of security hole

| Here's an article about Kitetoa.com's expose of Doubleclick:
| http://www.ecommercetimes.com/perl/story/8505.html
|
| This is another good reason to publish sensitive information untraceably.
| Establish a persistent pseudonymous identity -- standard procedure would be
| to generate a private-public keypair and sign your reports with it. You can
| also receive messages encrypted to your public key (so only you can
| decipher them) and dropped in a public place such as a Usenet newsgroup or
| popular mailing list. Eventually, if the legal threat disappears, you can
| reveal your truename and receive credit for your earlier work.
|
| Naturally it'll be difficult for you to get paid under this scenario, but
| doesn't everyone do this for the love of the craft? :)
|
| -Declan
|
| ---
|
| Date: Thu, 28 Feb 2002 02:43:06 +0100
| From: Solveig <solveig@transfert.net>
| Organization: transfert
| To: declan@well.com
| CC: "Kitetoa at Kitetoa . com" <kitetoa@kitetoa.com>
| Subject: Kitetoa in danger
|
| Hello Declan,
|
| Sorry for my bad English, but I think this story should be told...
| Sadly, there are only French links until now. But American media have
| already written some articles about Kitetoa, who disclosed some
| security flaws in DoubleClick last year, and recently, in Choicepoint...
|
| The webmaster of Kitetoa, a French group of security enthusiasts with a
| passion for showing how badly protected our personal data is, has been
| sentenced by a French court to a 1000 euros fine. Using nothing more than
| Netscape Navigator's features, he could access Tati's (a clothes
| discounter) file directory, and then all consumers' profiles. He had
| warned the webmaster of Tati one year before about the problem, but no
| effort was made to secure the server. So he disclosed the breach of
| security in an article on www.kitetoa.com. Tati did nothing until the
| news was republished by an offline mag called Newbiz - too much publicity
| for Tati, let's sue those disturbers. Notice that Newbiz wasn't targeted,
| only the small investigative website. Although the judge couldn't identify
| precisely the nature of the "computer fraud" Kitetoa was fined for, this
| sentence creates a dangerous precedent. It is likely to lead to some more
| lawsuits. Kitetoa will probably have to stop its activities.
|
| It reminds us, in France, of the story of Altern, an independent and
| non-profit Internet provider who hosted 40 000 websites. Altern had
| to close because it was held responsible for a nude picture of a
| top model, was fined, and then was subject to a true rain
| of legal procedures coming from all the people who don't like free
| speech on the Web.
|
| Now, full disclosure is in danger.
|
| Kitetoa's file about Kitetoa vs Tati
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Tativersus_Kitetoa/index.shtml
|
| Some articles in French
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Tati_versus_Kitetoa/papiers.txt
|
| About Choicepoint in English:
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin7/choicepoint-suite-english.shtml
|
| About DoubleClick in English:
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-english.shtml
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-round2-english.shtml
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-round3-english.shtml
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-round4-english.shtml
| http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-round5-english.shtml
|
| --
| Best regards,
| Solveig Godeluck mailto:solveig@transfert.net
|
| -------------------------------------------------------------------------
| POLITECH -- Declan McCullagh's politics and technology mailing list
| You may redistribute this message freely if you include this notice.
| Declan McCullagh's photographs are at http://www.mccullagh.org/
| To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
| This message is archived at http://www.politechbot.com/
| -------------------------------------------------------------------------