A CMB Post (UPDATED, CLOSED)
Note: This post has been carried forward to Saturday, February 18 pending final resolution.
________________________
CMB means Cover My Butt. The first entries are from Saturday, February 11.
This morning, I inadvertently became aware of an issue relating to Bob McEwen’s congressional campaign.
At 1:40 this afternoon, I sent out an e-mail to his communications coordinator and another member of his campaign requesting that the first person to see the message call me, without identifying the problem, which requires detailed explanation, and which is why I requested that the return communication be by phone.
As of this moment (2:00 PM), I am awaiting a response.
At 5:20 PM, I received a call from the communications coordinator, and explained the situation until it was understood. He promised that the situation would be remedied so that no one else can have the capability of taking advantage of the things I inadvertently stumbled into.
So I consider the matter resolved.
If there is some other attempt to recharacterize the nature of my communication, well, that’s why I have done this CMB post.
Update, Feb. 17: So this is how the folks at the McEwen blog handled things (I am user hughhewitt):
1. MKH210 Says:
February 11th, 2006 at 7:32 pm
Tom Blumer was trying to hack the McEwen Blog.
2. Webmaster Says:
February 11th, 2006 at 7:53 pm
I don’t see what he is talking about. My guess is that he thought this was a private blog or something.
3. hughhewitt Says:
February 16th, 2006 at 10:31 pm
Tom Blumer found a weakness in the McEwen blog and reported it immediately to Mike Harlow as documented here:
http://www.bizzyblog.com/?p=1437
Any representation to the contrary is false.
4. Webmaster Says:
February 16th, 2006 at 10:47 pm
Any claim that there is a security flaw on this site is false. If there is, you have the webmaster’s permission to exploit it for demonstration purposes only…
Thanks Tom.
Webmaster
In response, early AM on November 17, I sent this e-mail to the Communications Coordinator, as I could not find an e-mail addy for the webmaster:
I was unable to find an e-mail address for your webmaster, so I have to send this to you.
I did not want to post it as a comment because someone else might see it as a roadmap to go further than I know how.
(next three paragraphs removed due to compromising info)
Please call and verify that you have received this message and are addressing its substance.
Tom Blumer
BizzyBlog.com
PS. I updated my BizzyBlog post for this information but redacted everything that could be construed as compromising info.
+++++++++++++++++
Body of message intended for webmaster (with potentially compromising information removed):
Webmaster, I have now been able to xxxxxxxxxxxx, not just xxxxxxxxx, using a xxxxxx. xxxxxxxxxxxxxx
I appear to be unable to xxxxx, so in that sense it’s not a security flaw, but the fact that I can xxxxxxx.
Actually that’s not true. I can xxxxxxx, and I have.
None of this will be visible to site visitors who don’t register, but it still seems like a weakness for xxxxxxxxxxxxxx to be able to xxxxxxxxxxxxx.
By contrast, I have attempted to do the same at xxxxxxxxx and am unable to do so, because I have no visibility to the xxxxxxxxx (and I do here).
Now, let’s go one step further. I can xxxxxxxxxxxxxxxx.
I could go on, but I hope I’ve made at least a teeny tiny point. I’m assuming you are able to xxxxxxxxx.
I have no interest whatsoever in exploiting anything, I am simply concerned about what I found, and hope you take this message in that spirit.
NEXT: Called Communications Coordinator briefly on the afternoon of Feb. 17. Said he hasn’t seen e-mail message yet. He promised to pass on to webmaster.
UPDATE, 12:30 AM, Feb. 18: The Webmaster in a comment at the draft post essentially assured me that what I was concerned about was a feature and not a security concern. Okay, I’m not sure I totally agree, but it’s his responsibility.
My specific final comment was (without revealing substance of concerns):
Webmaster, if it doesn’t bother you it doesn’t bother me. This is a xxxxxxxxxxxxx and it seems to have potential for xxxxxxxxxxxx.
I tend to be overcareful with these types of things.
So I’ll leave it be and hope you all don’t experience any difficulties.
Regards,
Tom
BizzyBlog.com