Anonymous email can not be a foolproof solution since it can also be traced.
Now after reading all these replies, I think it will be a waste of my hard-earned money to send an international snail mail to a person who can get me sued.
|
aspnet_regiis -i wrote: Anonymous email can not be a foolproof solution since it can also be traced.
Rather certain that is not true.
There is of course a difference between anonymous email and just creating an email account and using fictitious registration information.
|
well, you could go through a proxy web service to a second proxy then to the web mail....
Beauty is in the eye of the beer-holder
Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow.
You can't scare me, I have children.
|
Send an email and alter the MAC Address
Ranjan.D
|
Thank you for the advice Ranjan ... But after reading all the replies, I have come to a conclusion that honesty can get me killed... Why take chances? Let other people enjoy the free goods. Since those are digital goods, they will never run out-of-stock...
|
Tor Mail?
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
You are probably right that you should be careful here.
The webshop owner will forward this to the webshop creator and assuming they'll try anything to avoid legal consequences themselves, they may try to sue you instead.
A judge may not fully understand the difference between testing a website and "testing" if you could steal a car (even if someone left the keys in the ignition).
So protecting your anonymity is probably advisable in this case.
|
One option is to send your email via proxy. Not the internet kind but the classic kind. If you have a friend who lives out of state or even better out of the country, better yet a lawyer, just send your message to them and get them to copy and paste it into a new email, to trash the headers. That way your friend can honestly say it wasn't him but he is just informing them on behalf of another concerned friend of his/hers. This way your friend has absolutely no connection with the site, make sure they haven't purchased something from them before, and you are safe because your friend wouldn't tell them who you are ... even when they're pulling your friend's fingernails out.
This even seems to be a little much because, as it was pointed out before, the website owner/developer will sure be happy someone pointed it out instead of posting the details online and costing them potentially thousands of dollars in lost sales.
Don't comment your code - it was hard to write, it should be hard to read!
|
Adam R Harris wrote: That way your friend can honestly say it wasn't him but he is just informing
them on behalf of another concerned friend of his/hers
Bad idea.
At least in the US, if the friend fails to give you up then they are probably going to get a felony conviction.
Adam R Harris wrote: the website owner/developer will sure be happy someone pointed it out
Wrong.
There are many possible outcomes. Some possible ones but not a complete list follow.
1. Company reports it to authorities as hacking
2. Company ignores it
3. Company wants to fix it.
And without any other information about the company one has no idea how they will take the news.
|
aspnet_regiis -i wrote: Will the website owner charge me with the offense of hacking since the goods I did not pay for
That would be pretty sad if they do. They should consider it damage control cost and be thankful that you saved their a**es.
I wasn't, now I am, then I won't be anymore.
|
Here they've probably been wondering why their cheapest piece of 9 year old software is the most popular purchase.
|
I saw something similar on a beverage company's website once. You gave them a username and password to log in. Once you did you saw &clientID=123 in the URL. By changing this you could see ANY of their other clients' information and place orders for them.
Does Bob in Connecticut need $1200 of french roast? Only one way to find out...
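The `&clientID=123` problem described in the post above is an insecure direct object reference: the server trusts an identifier from the URL instead of the logged-in session. The following is an added example, not part of the original post and not the site's code; the order data, session tokens and function names are constructed for illustration. It shows the flawed lookup beside a version that takes the client from the session and records mismatches for review:

```python
# Constructed sample data: each order belongs to exactly one client.
ORDERS = [
    {"order_id": 1001, "client_id": 123, "item": "French roast", "total": 40},
    {"order_id": 1002, "client_id": 124, "item": "Decaf", "total": 25},
]
# Constructed server-side session store: session token -> authenticated client id.
SESSIONS = {"tok-a": 123, "tok-b": 124}
AUDIT_LOG = []  # mismatches recorded here so the operator can detect tampering


class Forbidden(Exception):
    """Raised when a request is not authorised."""


def list_orders_vulnerable(session_token, query):
    """Flawed pattern: checks that the user is logged in, then trusts the
    clientID taken from the URL to decide whose orders to show."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    client_id = int(query["clientID"])
    return [o for o in ORDERS if o["client_id"] == client_id]


def list_orders_hardened(session_token, query):
    """Corrected pattern: the client id comes from the server-side session.
    A clientID in the URL is never used for the lookup; if present and
    different from the session's client, the request is refused and logged."""
    client_id = SESSIONS.get(session_token)
    if client_id is None:
        raise Forbidden("not logged in")
    requested = query.get("clientID")
    if requested is not None and str(requested) != str(client_id):
        AUDIT_LOG.append({"session_client": client_id, "requested": str(requested)})
        raise Forbidden("clientID does not match session")
    return [o for o in ORDERS if o["client_id"] == client_id]
```

The same ownership check applies to any write path, such as placing an order: the client is read from the session, never from the request.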
|
aspnet_regiis -i wrote: I found that just by changing the query string parameter in the URL I can
download other items that I have not purchased.
Why have you done this in the first place? And what was the first guy who found that cow milk is drinkable trying to do?
There is only one Vera Farmiga and Salma Hayek is her prophet!
Advertise here – minimum three posts per day are guaranteed.
|
US Postal Service ... no return address.
|
RedDK wrote:
US Postal Service ... no return address.
That can be safe but also risky depending on the company and location.
If one does that then minimizing risk can include:
- Do not hand write it.
- Do not use one's own printer.
- Do not use a printer from a location that one frequently uses.
- Do not post immediately after printing (to preclude video surveillance from location.)
- Do not mail locally (in a larger city driving across town is sufficient.)
- Handle the paper, envelope and stamps with gloves (buy all new from a location not frequented.)
- Do not lick the stamp/envelope.
|
aspnet_regiis -i wrote: How can I inform the website owners about this vulnerability?
If you choose to do so then only do it via anonymous email. Naturally make sure that email is in fact anonymous though.
|
What a bunch of paranoid pansies posting here
Send me the details & I will check it out and let them know.
Or just email them & tell them - assuming you didn't download the entire server contents and that you don't hold them to ransom, then nobody's going to sue anyone successfully.
I look at it like picking up someone's dropped wallet - are you too afraid to return it in case they think you stole it?
Do the right thing!
|
_Maxxx_ wrote: What a bunch of paranoid pansies posting here
I am guessing that neither you nor anyone you have known has ever been wrongly accused of a crime.
Nor that you nor anyone you have known has ever been sued by a mid to large company.
Nor read about anyone in similar circumstances.
Of course the above can be less of a problem if one is very wealthy since then fighting the good fight will not bankrupt you. Nor will the personal time spent in resolving the matter adversely affect one's finances either.
_Maxxx_ wrote: Do the right thing!
As in all things involving humans that is not black and white.
And one might not want to risk destroying their own life and perhaps the life of their family as well simply to protect the financial interests of those one does not even know.
|
Well, you are guessing wrong.
In any case, there is precaution and there is paranoia.
Just because something happens on occasion doesn't mean we should change behavior beyond reason.
You say things like the risk of destroying their own life. Come on - how big a risk? Paranoid pansies, the lot of you!
|
_Maxxx_ wrote: Come on - how big a risk?
Err...did you read the link that someone else posted about a university student being expelled for cause for reporting a security problem? The way that person was expelled not only limits their options at that university but other universities.
And this is not an isolated instance.
|
jschell wrote: did you read the link
Yes I did
jschell wrote: being expelled for cause for reporting a security problem?
Well, if you read it you will see that the case isn't quite as simple - although he discovered and reported the vulnerability he was expelled for scanning the system two days later.
In any case, this is a single event.
jschell wrote: The way that person was expelled not only limits their options at that university but other universities.
He's been offered places and scholarships, so all's well.
jschell wrote: And this is not an isolated instance.
Links? references?
I, personally, have reported a number of security issues at a number of web sites over the years; these range from word documents sent out containing the (deleted) information of other subscribers, including credit card details, site vulnerabilities similar to the one mentioned by the OP and even one where bypassing the password page simply let you into the system. I have never received any negative comeback.
If I have done it I can assume that others have too.
Obviously some, at least one, have done it and found trouble.
What's the difference between those that find trouble and those that don't? Those that do get publicity. There could be millions of unreported, unremarkable incidents going on, with one or two having bad results for the perp - who knows?
|
_Maxxx_ wrote: Well, if you read it you will see that the case isn't quite as simple - although he discovered and reported the vulnerability he was expelled for scanning the system two days later.
So the university claims.
_Maxxx_ wrote: In any case, this is a single event.
Hardly. It is a recent and well publicized event. There are others with varying degrees of problems.
_Maxxx_ wrote: He's been offered places and scholarships, so all's well.
Hindsight is a wonderful thing but hardly relevant. It doesn't negate what happened.
_Maxxx_ wrote: Links? references?
I don't believe it is either my job or my moral duty to educate you. I found the following after less than 5 minutes of searching and these are NOT ones that I am already familiar with.
http://www.wpbf.com/Employees-Fired-After-Reporting-Security-Breach/-/8789538/5096936/-/ykd8l4z/-/index.html
http://www.splc.org/news/newsflash.asp?id=1621
_Maxxx_ wrote:
I, personally, have reported a number of security issues at a number of web sites over the year
And prosecutors, law enforcement and officers of an institution all can use their discretion in determining which actionable cases they pursue along with how they react. The fact that they have chosen an outcome that did not harm you doesn't mean the one single negative case would not have severely impacted you.
_Maxxx_ wrote: What's the difference between those that find trouble and those that don't? Those that do get publicity.
Wrong. Again it is not my job to educate you. The difference is only that finding out about the publicized cases is easy and those cases are more likely to result in a positive outcome for the individual accused. It is more likely that there are many negative cases that are not reported.
_Maxxx_ wrote: There could be millions of unreported, unremarkable incidents going on, with one or two having bad results for the perp - who knows?
Which would be a meaningful statement if the impact on an individual when it went wrong was a minor affair. People have their access restricted, privileges revoked, have been expelled, fired and prosecuted. And excluding those that are very well off fighting back is impossible. The individual is the one that suffers.
|
You have checked your credit card wasn't debited for all the downloads, have you?
|
I wonder if anyone commenting here, is actually one of the developers of the site.