RE: Informing Companies about security vulnerabilities...

From: Arian J. Evans (arian.evans@anachronic.com)
Date: Fri Oct 06 2006 - 11:41:19 EDT


Unfortunately your ideas do not help address the four
times I've been a victim of identity theft/cloning, and
the subsequent costs, nor provide recourse against the
vendors creating, selling, and shipping defective products
to users I have no idea are consumers of those products.

But that defectively store my private data. And trust
me, there's more impact than financial. How about the
hours sucked out of my life helping law enforcement
straighten out an identity theft issue?

Interestingly, you are one of several who have made
the "not my burden to bear" statement. Which has its
own interesting ethical implications.

Yeah yeah, all security researchers do this to get
their 15 minutes of fame, I get it.

But what about my mother? My grandmother? My peers
and friends? All can be (and some have been) impacted
negatively by this defective software.

Yet these thugs march arrogantly on with EULA & license
agreement in the one hand, and the threat-of-lawsuit
stick in the other. Now that doesn't seem right to me.

The questions I still have:

1) How bad does it have to get? Human life?

2) What do we do about it? Nothing? Assume it is
self correcting? What is the history of other
industries at this juncture?

I believe history speaks to regulation and whistle-
blowers, not to self-healing. As much as I shudder
to think of how regulation might occur with software,
do we have any other precedents?

-ae

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of
> mr.nasty@ix.netcom.com
> Sent: Thursday, October 05, 2006 3:56 PM
> To: pen-test@securityfocus.com
> Subject: RE: Informing Companies about security vulnerabilities...
>
> Here's my worthless two cents.
>
> Chances are you are not the first one to discover the
> problem. Hence unless you do business with them it really
> doesn't affect you financially. On the other hand the right
> thing (not the legal thing) to do is inform someone at the
> company (find many company email addresses -
> support@company.com etc.) and provide them with what you found.
> NO RECOMMENDATIONS should be offered.
>
> Number one, they do not pay you to provide them with
> recommendations or solutions.
>
> Number two, unless this business affects you financially it's
> not your burden to bear. And if you do have some financial
> interest in a company that ignores its customers...LEAVE.
>
> Number three, you can't get blood from a turnip or teach pigs to sing.
>
> That's just my worthless two cents.
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT