Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities

from the chilling-effects dept

Now that we keep hearing stories about security researchers in the US and elsewhere taking the blame for simply pointing out security holes, it was only a matter of time until security researchers started making it clear that the risk of pointing out security flaws just isn't worth it any more. Slashdot points to an article basically telling people in the security industry it's just not worth it. That's what you get when you repeatedly blame the messenger. Of course, the end result is that vulnerabilities stay open and those with malicious intent keep on causing problems.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Pedren, May 22nd, 2006 @ 4:44pm

    Duh

    How can they expect results when the only reinforcement they're give to these people is negative?

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, May 22nd, 2006 @ 4:58pm

    learn something about law and police

    Having read the article, the author was unduely upset. Of course the detective threatened all kinds of legal action. He had nothing and so played the bull shit card. It is standard police procedure to play the bull shit card when you are stalled. The best responce is to inform the officer that you will have your lawyer contact them.

    I would recomend anyone involved get a pre-paid legal account to make this affordable. But anyone who knows will tell you that a police officer telling a lie to get information is simply being good. They are NOT compelled to be honest with you. And charges are only a problem when you are dealing with someone from the DAs office.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    SRNissen, May 22nd, 2006 @ 5:27pm

    Re: learn something about law and police

    Man, I am glad I don't have to deal with the american police. If a police officer over here lied to me, there'd be such an outrage. Also: Charges.

    - SRNissen
    FABRICATE DIEM, PVNC

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    VPR, May 22nd, 2006 @ 6:07pm

    I would recomend anyone involved get a pre-paid legal account to make this affordable.

    lol

    Anyway, it's unfortunate that this has got to this point, but let's face it, it was only a matter of time. It's true the messenger takes the blame, but it's really their own fault.

    When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Rex, May 22nd, 2006 @ 6:17pm

    Re: Re: learn something about law and police

    The American court system is something else. Here is a brief summary from a Canadian case where the Canadian courts ultimately refused to extradite accused persons to the United States:

    The fugitives were Canadian citizens. The United States sought their extradition on charges of fraud and conspiracy to commit fraud. While sentencing a co-accused, the assigned trial judge in the United States stated that if the fugitives did not cooperate and come to the United States voluntarily, he would impose the absolute maximum jail sentence that the law permitted. Furthermore, the prosecutor assigned to the case appeared on a Canadian television program and threatened that those fugitives who contested their extradition would serve longer sentences under much more stringent conditions, and would "be the boyfriend of a very bad man". The extradition judge stayed the proceedings.

    Really nice - a prosecutor threatening accused persons on television with anal rape to get them to surrender.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, May 22nd, 2006 @ 6:52pm

    Why wouldn't companies want to squelch these people? Their EULAs hold them harmless agansit any damage caused by the software. They could care less if you get creamed though some flaw in their stuff. They just want to keep the publicity associated with such possibilites and actual occurances to an absolute minimum. Besides, if there are no competent security researchers they can always blame some other component in your system or some 'misconfiguration'.

    All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Sean, May 22nd, 2006 @ 7:28pm

    Lol..

    Wow... they're JUST figuring this out? When I first heard of the bugs for Windows ME I was like "Why would they publically announce these bugs? It's like ASKING THE HACKERS TO DO IT"

    -sigh- They should really hire just a random person off the streets to figure this shit out for them.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Sean, May 22nd, 2006 @ 7:31pm

    Re:

    Yes, this is 'double posting'.

    All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority

    Well umm.. if they don't squelch the bugs in the first place, which should be company policy, then there is no reason to have a good worker(maybe?) fired, and no tons of negative PR for the company. Can't make any money if people don't trust your product, yes?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    charlie potatoes, May 22nd, 2006 @ 9:03pm

    Personally I have found that police are most receptive to criticism and instruction while away from the lights and cameras. Ergo, I would advise anyone wishing to teach our texas highway patrolmen constitutional law to do it on the side of a lonely highway late at night.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    A Funny Guy / The Poison Pen, May 22nd, 2006 @ 9:42pm

    Re:

    umm.. and please let us know how that works out....

    get real dude...... for any accounability to be enforcable it must be available in the spotlight.

    Of course i stand for all of our government and corporate special interests to be held accountable for their misdeeds

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    charlie potatoes, May 23rd, 2006 @ 12:01am

    funny guy

    um, hey poison....i take it you're not from around here. i was puttin' the shuck on ya, as we say in texas. i don't recommend you try that. it comes under the heading of.."damn that was cool. i wish i'd had the nerve to say that to them.'

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    mthorn, May 23rd, 2006 @ 6:02am

    Open source listens

    That's one of the reasons why open source works. Not only do you have the source to find flaws, the maintainers of the code are highly receptive to bugs and flaws. That's why open source is more secure, even if it has flaws, because it will be promptly fixed by dozens of people who care about the software.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    been_there_done_that, May 23rd, 2006 @ 8:16am

    Been there, done that, didn't get the T-shirt

    When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.

    FWIW, I've had to deal with a similar situation a couple of times, where I, my employer, or my client was a customer of a vendor, a flaw was found, and duly reported to the vendor... who then sat and did nothing.

    For weeks... once it was months.

    In both cases, the only thing that drove the vendor to fix the flaw in their product was to make it public. In the first case, I sent a trouble report, they responded with a "Oh yeah, not only is the W feature you mentioned vulnerable, the same flaw also affects U and V."; Last I heard from them for six weeks.

    Published a proof-of-concept exploit to a well-known security discussion, and one week later a patch was available.

    Second time around, I sent email. I called on the phone. I sent a fax. I sent a registered letter. Nothing. I posted everything except the actual IP addresses and passwords to the same forum as mentioned earlier. Still no response.

    The only action which got the supplier to fix their flawed application was the publication of the complete details of the flaw, including passwords.

    ...your motive was a little more than being the happy helper.
    I wasn't asking for money, I wasn't asking for my name to be mentioned in the advisory (though usually that is common courtesy). I was just asking for the product that I or my employer or my client had paid good money for to be secured.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    William C Bonner, May 23rd, 2006 @ 11:31am

    The King is not wearing any clothes.

    As long as no one points it out, then it hasn't happened.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This