This Is Why You Don't Punish The Messenger On Security Vulnerabilities

from the solve-the-vulnerability-at-least dept

Over the past few years, we've pointed to case after case after case after case after case after case of those who pointed out security vulnerabilities being attacked or blamed for the vulnerability. It's true that sometimes the "researchers" go too far -- but the important point is that security vulnerability get fixed. Instead, it's much easier to simply blame the messenger. Now, with all of the talk about hackers breaking into and taking data from Ohio University computers, Jon has submitted a story reminding everyone how it was just a few years ago that Ohio University was busy blaming the messenger for pointing out how weak the school's computer security was. Apparently, in the rush to blame and bury the guy, no one actually thought about fixing and protecting their computer system.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Brendan, Jun 22nd, 2006 @ 5:49pm

    Why even try?

    Sometime last year I contacted a local school that hosted a system that contained a vulnerability for SQL injection. This was pretty major seeing as the system contained records for staff records. I contacted them to tell them about the problem and they responded with insults and claims that it in fact was not a vulnerability.
    They still haven't fixed the issue to this day, I guess its just a matter of time untill someone else finds this with less than honorable intentions in mind.
    Point being, why even try to help? Too much trouble involved when it obivously will be more than likley met with negative reactions.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    bhagiam@unni.com, Jun 22nd, 2006 @ 6:32pm

    keralafood

    leafnakki

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Bum, Jun 22nd, 2006 @ 6:42pm

    Your Best Teacher is....

    supposed to be you last mistake not a bunch of lazy fools with tenure.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Jun 22nd, 2006 @ 6:42pm

    YOu gO gettem!

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    |333173|3|_||3, Jun 22nd, 2006 @ 6:50pm

    Serves them right

    when someone hacks in and starts trashing htie network.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Rick, Jun 22nd, 2006 @ 7:27pm

    Re: Why even try?

    Send the exploited data and the method for retrieving it to the local newspaper, or really make a stink and go for some international media. The embarrasement alone should force some action...

    They were already warned.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Ronde, Jun 22nd, 2006 @ 7:44pm

    Re: Re: Why even try?

    They deserve everything that they get.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Griz, Jun 22nd, 2006 @ 10:04pm

    No Good Deed Shall Go Unpunished

    As an IT consultant, I make it a point to never make even the most cursory of security checks unless I'm paid and indemnified in writing, period. If I suspect or discover a vulnerability outside a clearly defined contractual relationship, just call me Sgt. Schultz, because I saw naaaaathing!

    If I'm feeling exceptionally charitable, I'll refer 'em to ISO 17799 or a similar "best standards" document... But I usually don't broach the issue of security at all. It seems the typical client thinks that hackers are beings out of the Lovecraftian Cthulhu Mythos, wreaking havoc upon those that merely invoke their names.

    In short, DNAWC (Do Not Associate With Catastrophe)

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Jun 22nd, 2006 @ 10:19pm

    I like what #8 said and its true. What the heck is wrong with our world?!?! Its like getting sued because you gave cpr to a drowning person and you break a rib or something. Or the criminal sueing you for your dog biting them after they broke into your house... Somewhere a few years back we really got off track.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    AnarCh0s, Jun 22nd, 2006 @ 10:31pm

    Re: No Good Deed Shall Go Unpunished

    Why not refer them to Microsoft as an id10t??

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    SortaLikeJake, Jun 23rd, 2006 @ 2:15am

    HA

    That OU story was pretty hilarious. It's awesome that the guy is now laughing at his university's collective stupidity.

    I learned my lesson in h.s., getting into teachers' accounts and changing random grades (not mine), then showing administrators how easy it was to do it. All while sitting in an area next to the moronic net manager. Too bad the dean didn't appreciate my helpfulness. Suspension!
    I had half a mind to give everyone A's after that...

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    We Told You So, Jun 23rd, 2006 @ 2:23am

    Typical

    It'll just take some time before things heat up for these IT nimrods in the Hallowed Halls. After enough "victims" pile up, we can all write our letters to them, with copies to their sources of revenue, asking them like Dr. Phil says during the commercials..."What the fuck were you thinkin'???

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    eb, Jun 23rd, 2006 @ 9:38am

    They're going to get hit where it hurts

    I read somewhere (maybe ZDNet?) that alumni were sending really nasty messages to the effect of "you *&%#@** you're never going to see any money from me again" in response to a breach where data on contributors was lost at one school. That's going to get them where it hurts most.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This