RE: Informing Companies about security vulnerabilities...

From: Arian J. Evans (arian.evans@anachronic.com)
Date: Fri Oct 06 2006 - 11:51:49 EDT


 
> -----Original Message-----
> [mailto:listbounce@securityfocus.com] On Behalf Of Craig Wright
> Sent: Thursday, October 05, 2006 10:29 PM
>
> [snip anecdotes of good-doing]
> On the other hand, I sleep at night.

I guess I do not share your sentiments here then. My experiences
have led me to different conclusions as of late.
 
> "Who is going to be our Ralph Nader?" We all should be.

This, really, is the answer I was hoping from someone, but you
see, no one really has a voice right now. At least, not that
does more than finger-pointing.

> At the same time, we are professionals and not vigilantes
> we have no right to judge the world and to take the
> enforcement of any issues we note to heart.

I am reasonably competent to judge software security defects
and extraordinarily competent to judge that vendors grossly
lying to their clients is both bad and evil.

I think we should take those issues to heart. Sooner or later,
if problems stay the same as our platforms evolve, they are
going to cost human lives.

> More so, we have no right to
> actively look for holes in sites we have no connection to.

That is an ambiguous, undefined statement. "Holes". "Connection".
How do you know you have no connection to it? What is a hole?
What is testing? Bah.

I think most folks get the "don't go evil hacking" sentiment,
including the courts. It's why they have "intent" in the law.

It's all the other undefined mess that's going to bite us,
and in fact, already is.

-ae

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT