[Owasp-singapore] [security-77] Re: Poll on whether to disclose identities of organisations who leaks info

Wong Onn Chee ocwong at usa.net
Thu Apr 16 01:18:53 EDT 2009


Hi Darren,

A simple question - what is the basis of suing?


Now, the not-so-simple points.

Firstly, when Websense recently reported that the Fiat Singapore website was
hacked and users were at risk of infection when they visited the site,
was Websense sued? Websense did inform Fiat Singapore first. Just like
us - we do inform the organisations or their parent authority about the
leakages first.

Secondly, we did not perform any activities that violate the Computer
Misuse Act as we did not compromise their computers.
A simple HTTP GET or POST will get you these results.
Last I checked, such actions do not violate the Computer Misuse Act.

Thirdly, ST also reported the identities of the guilty organisations.
If reporting such identities is illegal, should SPH be sued too?
SPH will have done their homework to know there is no libel element in
reporting real facts.
(Bet after the NKF case, no one in Singapore has the guts to do so anyway.)

Lastly, we disclose the identities of the responsible organisations, not
the private information (by blanking out such info in the images).
Can't see how this violates any privacy law, even if there is one.


So, the issue is not so much about legal risks (I believe).
The question is what we choose to do so as a group.

The upsides of disclosing are as follows:

a) allow the affected parties to identify whether their information is
leaked (through partial NRIC and partial DOB, if any). They can then
decide what to do.
This is about empowerment.

b) raise awareness about the importance of protecting private info
entrusted to the organisations by their clients, customers or even staff.

c) modelled after "better practices" in the US where data breaches are
required by law to be disclosed.

d) "persuade" the organisations to take effective actions to prevent
future occurrences.


The downside of not disclosing is this - organisations take a bo-chap
attitude and only take some nominal actions to remove current
occurrences, but do not prevent future occurrences.
Trust me - most organisations, not just the disclosed ones, are guilty
of this.
To them, the fewer things to do, the better.

I hope that with the disclosures, they can clean up their act and make
the online world a safer place.

The above points explain why we went for full disclosure.
Nevertheless, we will accord with the wishes of the public/community (PS:
we are still "democratic", though I know Frenky will disagree).
Hence, we are conducting this poll.

Do submit your vote if you want your views to be effective.
Thanks!

Regards
Onn Chee

Ray Foo wrote:
> In Singapore there are no privacy laws, so they probably can try to hook
> onto CMA at best, heh.  Is that right?
>
> Ray.
>
> On Thu, Apr 16, 2009 at 10:56 AM, Darren Cerasi
> <darren.cerasi at i-analysis.com.sg> wrote:
>
>     I can guarantee that someone will sue!
