Collecting consumer contact information to alert individuals in case of data breach for B2B companies

If you are a B2B company [US], you may collect data on your clients as well as your clients’ customers. For example, let’s say the only thing you need to collect is your clients’ customers’ names.

In the case that your company has a data leak and the individuals’ names are shared with an unauthorized third party, (I believe) you have an obligation to inform someone.

What is the standard practice? Do you directly email the individual and say their information was leaked? Or do you give your client (a business) a list of the clients whose data was impacted and let them reach out to the impacted clients?

In the case of emailing the impacted clients directly, what if you do not collect their contact information, and have no way to contact them?

Real world example: my personal data was leaked by a B2B software company that I had never heard of. I was contacted by the software company directly as well as their client who I had used the services of. Was it the responsibility of the B2B software company to collect my email in case they needed to contact me directly?

Interaction between Subtle Spell, Initiative and Alert Feat

I’m running a game and I’m trying to gank a few of my players with a Sorcerer with Subtle Metamagic. However, one of the players has the Alert feat which states he cannot be surprised.

My question here is: can I cast subtle hold person with the sorcerer without any interference from the player with the Alert feat? Or does that person have the opportunity to do something about it since he cannot be surprised? Let’s say the Sorcerer is hiding his arcane focus (a small pearl) in his hand.

Can I do this without asking my players to roll for initiative?

Thanks!

FTP server and chroot: SSL3 alert write: fatal: protocol version

When I enable "chroot_local_user=YES" in my FTP server config /etc/vsftpd/vsftpd.conf
then the FTP client (WinSCP) says:

When it is commented out and "service vsftpd restart" is run, it logs in OK, but allows browsing system directories in the /.
This is CentOS 7 Linux.

These are…


Surprising an alert character

My character with the Alert feat was attacked and received damage pre-combat. Specifically, our party was walking through a dark cave, and on the ceiling there was a swarm of insects (that none of the PCs noticed). Suddenly, the DM describes that a swarm of insects lunges at my character and immediately attacks him, dealing x damage. I asked him why, the moment the swarm tried to attack me, he didn’t ask us to roll initiative to see who goes first. He said that was because the swarm noticed us and readied its action to attack me when I came in range. Can an Alert character be surprised in such a way? Can an enemy who wants to get the drop on a party bypass rolling for initiative versus an Alert character by readying an attack action?

Popup alert even when a site deletes the alert function | bypass

A website fully filters the alert function from its pages and replaces it with an empty string, but I want to bypass it and still pop up an alert. I am trying to solve an XSS challenge, and I figured out that the site identifies the double "l" character and fully removes the string.

http://alertmywebsite.com/2.php?xss=<script>allert(1)</script>

The output is <script>allert(1)</script>, and when I remove the second "l", the output is <script></script>. Only the "l" is still showing the alert function; any other double character fully removes the string. How can I bypass it?

False positive security alert from Google?

I just had this security alert about one of my Google accounts:

  • Device : Unknown device
  • Time : 25 minutes ago
  • Place : United States
  • IP Address : 2a00:1450:4864:20::51b

Someone just used your password to try to connect to your account from an application not belonging to Google, we have blocked this person.

This alert arrived 30 minutes after I had made some security modifications and checks on my account. Moreover, I verified this IPv6 address, and it belongs to Google (I am using a VPN). Is it a false positive? 🤔

Is it too strong to allow a PC with the Alert feat to alert his friends?

Assume the following situation: The party has been surprised by an ambush. Every PC is surprised except PC Bob because he has the alert feat. Thanks to his high initiative bonus Bob gets to go first. He shouts “look out” to alert his party members of the imminent threat. The idea is that his party members are no longer surprised because he warned them.

While I think that this makes sense from a storytelling perspective, I am afraid this would be too strong, as it allows one PC with the Alert feat to give the “not surprised” part to other members of his party for pretty much free.

Is this allowed? Is there a RAW ruling or similar on this?

If not, do you have any experience with this situation and how did it play out in your games?

How to resolve the Format String Error alert in OWASP ZAP for a web application (ASP.NET C#)?

I have a web application with a log in page. In the log in page, I’ve set maxlength for the username input and the password input, which looks like the code below.

@Html.TextBoxFor(m => m.Username, new { @maxlength="30"})

When I run OWASP ZAP, it gives me an alert with the following description.

A Format String error occurs when the submitted data of an input string is evaluated as a command by the application

Potential Format String Error. The script closed the connection on a /%s

But when I remove @maxlength="30", the alert goes away.

I’ve been trying to find the remediation for this alert, but I’ve read that Format String vulnerability doesn’t really exist in C#: Do format string vulnerabilities exist in C# or Java? .

Is it just a “potential” error and nothing to worry about because it’s in C#? Or, if this is something that needs to be taken care of, what can be done to resolve this alert from OWASP ZAP? (I’d believe removing @maxlength is not a solution.)