Re: Bug report with private info

Isn't it possible to list all the fields of the sensitive data?
That way it will be easier for the user to see which data is compromised and at the very least the user won't have to go through all the data transmitted just to see that the user name is the only sensitive info that's sent.
It is easier that way to find out if the password is there too, for example; it's harder to find the needle in the haystack if the data is not organized.

Moshe


On Fri, Aug 16, 2013 at 10:43 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
On Thu, 2013-08-15 at 12:09 +0100, Pedro Francisco wrote:
> On Mon, Aug 12, 2013 at 2:39 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> > On Mon, 2013-08-12 at 13:03 +0100, Pedro Francisco wrote:
> >> Hello!
> >> I found a bug report with possible private info on it.
> >>
> >> What should I do?
> >>
> >> 1- Contact bugzilla admin to remove the attachment?
> >> 2- Contact the owner of the bug and warn him of it?
> >> 3- Both?
> >
> > Not quite sure what you mean by 'private info', but definitely do
> > something - you mean it exposes the user's secrets? Definitely do #2 and
> > if it's really urgent do #1 at the same time. Anyone with editbugs
> > privileges can mark a comment as private which at least limits the
> > number of people who could see the secret data, so you can contact
> > anyone you trust who's a package maintainer or has editbugs privs
> > through the old triage group or something (including me, and many others
> > on this list) and ask if they can mark the attachment as private, too.
>
>
> Now that the issue is taken care of, should a bug be opened to prevent
> something like this from happening again? I know ABRT has a notice saying
> 'possible private info detected, please review', but usually it's just
> the username...

Perhaps abrt could warn harder if the detected field is something that
may be a password rather than a username. Like you I've gotten rather
blasé about that warning since it started showing up for usernames;
classic example of the 'false positive' problem for security
mechanisms...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
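The two suggestions in this thread, listing every sensitive field the reporter is about to send (Moshe) and warning harder when the field looks like a password rather than a username (Adam), can be combined in one small review step. The script below is an added example written for this archive page; it is not ABRT's code and does not use ABRT's internal API. The crash-report items, the key-name patterns and the two severity levels are all assumptions chosen for illustration.

```python
import re

# Constructed crash-report fields for the example (not a real ABRT dump).
# Each key is a report item; the values imitate what such items contain.
SAMPLE_REPORT = {
    "executable": "/usr/bin/example-app",
    "environ": "USER=alice\nHOME=/home/alice\nDB_PASSWORD=hunter2\nLANG=en_US.UTF-8",
    "cmdline": "example-app --user alice --token abcdef0123456789",
    "backtrace": "#0 0x0000 in main ()",
}

# Hypothetical classification rules: a key that names a secret is severity
# 'high'; a key that only names an identity (username, home directory) is 'low'.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|auth", re.I)
IDENTITY_KEY_RE = re.compile(r"^(user(name)?|home|logname)$", re.I)

# Where key/value pairs hide inside a report item: environment-style lines
# (KEY=value, one per line) and command-line options (--key value or --key=value).
KV_PATTERNS = [
    re.compile(r"^(?P<key>[A-Za-z_]\w*)=(?P<val>.*)$", re.M),
    re.compile(r"--(?P<key>[A-Za-z][\w-]*)(?:=|\s+)(?P<val>\S+)"),
]


def classify_key(key):
    """Return 'high', 'low' or None depending on what the key name suggests."""
    if SECRET_KEY_RE.search(key):
        return "high"
    if IDENTITY_KEY_RE.match(key):
        return "low"
    return None


def find_sensitive_fields(report):
    """Walk every report item and return one finding per sensitive key/value pair."""
    findings = []
    for field, text in report.items():
        for pattern in KV_PATTERNS:
            for m in pattern.finditer(text):
                severity = classify_key(m.group("key"))
                if severity:
                    findings.append({
                        "field": field,
                        "key": m.group("key"),
                        "value": m.group("val"),
                        "severity": severity,
                    })
    return findings


def warning_level(findings):
    """The single level to show the user: the worst severity found, or None."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "high"
    if "low" in severities:
        return "low"
    return None


def mask(value):
    """Keep the first two characters so the user can still recognise the value."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def render_listing(findings):
    """Organised per-field listing so the user need not read the whole dump."""
    lines = []
    for f in findings:
        lines.append("[%s] %s: %s=%s" % (f["severity"].upper(), f["field"],
                                         f["key"], mask(f["value"])))
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_sensitive_fields(SAMPLE_REPORT)
    print("warning level:", warning_level(found))
    print(render_listing(found))
```

Run against the constructed report, the listing names five items: the username and home directory from `environ` and `cmdline` as low severity, and `DB_PASSWORD` and `token` as high, so the overall warning level is "high" even though the username findings alone would only rate "low". Keying the severity on what the field is rather than on whether anything at all matched is what keeps the warning from being dismissed as routine.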
