Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities
from the chilling-effects dept
Now that we keep hearing stories about security researchers in the US and elsewhere taking the blame for simply pointing out security holes, it was only a matter of time until security researchers started making it clear that the risk of pointing out security flaws just isn’t worth it any more. Slashdot points to an article basically telling people in the security industry it’s just not worth it. That’s what you get when you repeatedly blame the messenger. Of course, the end result is that vulnerabilities stay open and those with malicious intent keep on causing problems.
Comments on “Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities”
How can they expect results when the only reinforcement they’re give to these people is negative?
learn something about law and police
Having read the article, the author was unduely upset. Of course the detective threatened all kinds of legal action. He had nothing and so played the bull shit card. It is standard police procedure to play the bull shit card when you are stalled. The best responce is to inform the officer that you will have your lawyer contact them.
I would recomend anyone involved get a pre-paid legal account to make this affordable. But anyone who knows will tell you that a police officer telling a lie to get information is simply being good. They are NOT compelled to be honest with you. And charges are only a problem when you are dealing with someone from the DAs office.
Re: learn something about law and police
Man, I am glad I don’t have to deal with the american police. If a police officer over here lied to me, there’d be such an outrage. Also: Charges.
FABRICATE DIEM, PVNC
Re: Re: learn something about law and police
The American court system is something else. Here is a brief summary from a Canadian case where the Canadian courts ultimately refused to extradite accused persons to the United States:
The fugitives were Canadian citizens. The United States sought their extradition on charges of fraud and conspiracy to commit fraud. While sentencing a co-accused, the assigned trial judge in the United States stated that if the fugitives did not cooperate and come to the United States voluntarily, he would impose the absolute maximum jail sentence that the law permitted. Furthermore, the prosecutor assigned to the case appeared on a Canadian television program and threatened that those fugitives who contested their extradition would serve longer sentences under much more stringent conditions, and would “be the boyfriend of a very bad man”. The extradition judge stayed the proceedings.
Really nice – a prosecutor threatening accused persons on television with anal rape to get them to surrender.
Anyway, it’s unfortunate that this has got to this point, but let’s face it, it was only a matter of time. It’s true the messenger takes the blame, but it’s really their own fault.
When you announce to the world that you found a vulnerability, I’d say your motive was a little more than being the happy helper.
Re: Been there, done that, didn't get the T-shirt
FWIW, I’ve had to deal with a similar situation a couple of times, where I, my employer, or my client was a customer of a vendor, a flaw was found, and duly reported to the vendor… who then sat and did nothing.
For weeks… once it was months.
In both cases, the only thing that drove the vendor to fix the flaw in their product was to make it public. In the first case, I sent a trouble report, they responded with a “Oh yeah, not only is the W feature you mentioned vulnerable, the same flaw also affects U and V.”; Last I heard from them for six weeks.
Published a proof-of-concept exploit to a well-known security discussion, and one week later a patch was available.
Second time around, I sent email. I called on the phone. I sent a fax. I sent a registered letter. Nothing. I posted everything except the actual IP addresses and passwords to the same forum as mentioned earlier. Still no response.
The only action which got the supplier to fix their flawed application was the publication of the complete details of the flaw, including passwords.
I wasn’t asking for money, I wasn’t asking for my name to be mentioned in the advisory (though usually that is common courtesy). I was just asking for the product that I or my employer or my client had paid good money for to be secured.
Why wouldn’t companies want to squelch these people? Their EULAs hold them harmless agansit any damage caused by the software. They could care less if you get creamed though some flaw in their stuff. They just want to keep the publicity associated with such possibilites and actual occurances to an absolute minimum. Besides, if there are no competent security researchers they can always blame some other component in your system or some ‘misconfiguration’.
All I’m saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority.
Yes, this is ‘double posting’.
All I’m saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority
Well umm.. if they don’t squelch the bugs in the first place, which should be company policy, then there is no reason to have a good worker(maybe?) fired, and no tons of negative PR for the company. Can’t make any money if people don’t trust your product, yes?
Wow… they’re JUST figuring this out? When I first heard of the bugs for Windows ME I was like “Why would they publically announce these bugs? It’s like ASKING THE HACKERS TO DO IT”
-sigh- They should really hire just a random person off the streets to figure this shit out for them.
Personally I have found that police are most receptive to criticism and instruction while away from the lights and cameras. Ergo, I would advise anyone wishing to teach our texas highway patrolmen constitutional law to do it on the side of a lonely highway late at night.
umm.. and please let us know how that works out….
get real dude…… for any accounability to be enforcable it must be available in the spotlight.
Of course i stand for all of our government and corporate special interests to be held accountable for their misdeeds
um, hey poison….i take it you’re not from around here. i was puttin’ the shuck on ya, as we say in texas. i don’t recommend you try that. it comes under the heading of..”damn that was cool. i wish i’d had the nerve to say that to them.’
Open source listens
That’s one of the reasons why open source works. Not only do you have the source to find flaws, the maintainers of the code are highly receptive to bugs and flaws. That’s why open source is more secure, even if it has flaws, because it will be promptly fixed by dozens of people who care about the software.
The King is not wearing any clothes.
As long as no one points it out, then it hasn’t happened.