From: Stephen Friedl (steve@unixwiz.net)
Date: Tue Nov 12 2002 - 16:57:40 EST
> I just wanted to see what everyone's opinions were on means of
> approaching vulnerable prospective clients.
My sense is that this won't get you very far.
I routinely notify vulnerable networks and send reports that have full
details, specifically disclaim a solicitation for work, and invite them
to contact their local security people to get it fixed. I'm just a good
internet citizen, and so far 70-80% just ignore them outright. Some
treat me with *hostility*, and there is no way that these reports can
be taken that way. I've never taken money from an unsolicited report.
I was told to *get lost* by the ACM (yes, the computer professional
society) even after offering to help them fix their wide-open network
for free. After a bit of persistance I got them to fix part of it, but
it's since regressed and they're wide open again. Why bother?
People just don't care very much, and adding the "trolling for work"
factor is not likely to make the reception any warmer.
Not sure it's a completely dead trail, but it's likely to be very
frustrating.
Steve
---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve@unixwiz.net
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT