[H-GEN] who to contact?
rob at rotapile.com
Thu Aug 5 04:02:45 EDT 2004
A customer who is using a popular off-the-shelf accounting product
recently asked me to upload their company file to an ftp server hosted
by the software vendor in order for the vendor to fix a problem they
have. After logging in with the provided account, which was obviously a
generic one they use for every person, I noticed the following things.
1. There were a number of other companies' accounting files in the same
2. If I wanted to I could have downloaded any of them.
3. Just about anyone could access this ftp server, the username and
password being the same and easily guessable. I quizzed some people on
IRC and one guy got it first time, another got it second time.
4. My customer would be rather pissed off if I knowingly put their files
in such a place.
5. I was rather pissed off; after doing my best to ensure my customer
has a safe and secure system, the vendor I warned them against is trying
to undo everything I have worked for and they have paid for.
I call their customer service number and ask to be put through to a
suitable person, and I get through to some form of tech.
The tech acknowledges they are aware of the situation and it is being
reviewed, and to be honest we don't really have to use it if we don't want
to, and there really isn't an issue, and the files will be deleted as soon
as they have finished being uploaded, and we can secure them with a .zip
password and a pass on the data file, and they are looking into it. (Yes,
that's basically how the conversation went; I felt like I was talking to
someone who couldn't care less.)
Next I email the privacy officer of this company alerting them to the
situation; a day and a half later, still no reply.
It matters nothing to me personally, however there's plenty of people
using this service with no idea that they are putting their personal and
companies' financial records in a completely insecure area.
So please, fellow Humbugers, who do I go to next?