Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities
from the chilling-effects dept
Now that we keep hearing stories about security researchers in the US and elsewhere taking the blame for simply pointing out security holes, it was only a matter of time until security researchers started making it clear that the risk of pointing out security flaws just isn't worth it any more. Slashdot points to an article basically telling people in the security industry it's just not worth it. That's what you get when you repeatedly blame the messenger. Of course, the end result is that vulnerabilities stay open and those with malicious intent keep on causing problems.
Reader Comments
Duh
learn something about law and police
I would recommend anyone involved get a pre-paid legal account to make this affordable. But anyone who knows will tell you that a police officer telling a lie to get information is simply being good. They are NOT compelled to be honest with you. And charges are only a problem when you are dealing with someone from the DA's office.
Re: learn something about law and police
- SRNissen
FABRICATE DIEM, PVNC
lol
Anyway, it's unfortunate that this has got to this point, but let's face it, it was only a matter of time. It's true the messenger takes the blame, but it's really their own fault.
When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.
Re: Re: learn something about law and police
The fugitives were Canadian citizens. The United States sought their extradition on charges of fraud and conspiracy to commit fraud. While sentencing a co-accused, the assigned trial judge in the United States stated that if the fugitives did not cooperate and come to the United States voluntarily, he would impose the absolute maximum jail sentence that the law permitted. Furthermore, the prosecutor assigned to the case appeared on a Canadian television program and threatened that those fugitives who contested their extradition would serve longer sentences under much more stringent conditions, and would "be the boyfriend of a very bad man". The extradition judge stayed the proceedings.
Really nice - a prosecutor threatening accused persons on television with anal rape to get them to surrender.
All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck; everything past that is nice, but falls by the wayside in preference to the first priority.
Lol..
-sigh- They should really hire just a random person off the streets to figure this shit out for them.
Re:
> All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck; everything past that is nice, but falls by the wayside in preference to the first priority.

Well umm.. if they don't squelch the bugs in the first place, which should be company policy, then there is no reason to have a good worker (maybe?) fired, and no tons of negative PR for the company. Can't make any money if people don't trust your product, yes?
Re:
Get real dude...... for any accountability to be enforceable it must be available in the spotlight.
Of course I stand for all of our government and corporate special interests to be held accountable for their misdeeds.
funny guy
Open source listens
Been there, done that, didn't get the T-shirt
FWIW, I've had to deal with a similar situation a couple of times, where I, my employer, or my client was a customer of a vendor, a flaw was found, and duly reported to the vendor... who then sat and did nothing.
For weeks... once it was months.
In both cases, the only thing that drove the vendor to fix the flaw in their product was to make it public. In the first case, I sent a trouble report, and they responded with an "Oh yeah, not only is the W feature you mentioned vulnerable, the same flaw also affects U and V." That was the last I heard from them for six weeks.
I published a proof-of-concept exploit to a well-known security discussion, and one week later a patch was available.
Second time around, I sent email. I called on the phone. I sent a fax. I sent a registered letter. Nothing. I posted everything except the actual IP addresses and passwords to the same forum as mentioned earlier. Still no response.
The only action which got the supplier to fix their flawed application was the publication of the complete details of the flaw, including passwords.
I wasn't asking for money, I wasn't asking for my name to be mentioned in the advisory (though usually that is common courtesy). I was just asking for the product that I or my employer or my client had paid good money for to be secured.
The King is not wearing any clothes.