Re: [tor-relays] Keep smiling only - i dont expect any answer



This is a financial institution that manages inter-bank payment systems
in South Korea.

I think when they said *trial* they meant *attempt*, which means the
attack did not succeed. But a trial could also be a successful attack
that was meant to test whether they could get in before the real fun starts.

So I'm not sure if the attack was successful or not, but assuming it was
a successful attack...

Tell them to report it. Tell them it would be a gross violation of their
due diligence, and most likely legal responsibility to not report it.

Tell them not to rely on other people to ensure their network is
protected from all of the widely and freely available attack vectors.

Tell them you run a Tor relay, and as such you have no control over who
does what, and provide relevant links. Point them to your Tor Exit
Notice that is easily and readily available for anyone to see.


Now, if the attack wasn't successful, tell the Network Security Manager
that as an inter-banking payment system provider they should expect
attacks of varying degrees, but that you still have no way of
controlling who does what on the Tor network.


Either way, tell them FCKeditor_Vul is easy to fix, but is entirely
their responsibility. Their WYSIWYG editor has a vulnerability - how is
that your fault?



Regards,

Matt
Speak Freely
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays