This Is Why You Don't Punish The Messenger On Security Vulnerabilities
from the solve-the-vulnerability-at-least dept
Over the past few years, we’ve pointed to case after case after case after case after case after case of those who pointed out security vulnerabilities being attacked or blamed for the vulnerability. It’s true that sometimes the “researchers” go too far — but the important point is that security vulnerability get fixed. Instead, it’s much easier to simply blame the messenger. Now, with all of the talk about hackers breaking into and taking data from Ohio University computers, Jon has submitted a story reminding everyone how it was just a few years ago that Ohio University was busy blaming the messenger for pointing out how weak the school’s computer security was. Apparently, in the rush to blame and bury the guy, no one actually thought about fixing and protecting their computer system.
Comments on “This Is Why You Don't Punish The Messenger On Security Vulnerabilities”
Why even try?
Sometime last year I contacted a local school that hosted a system that contained a vulnerability for SQL injection. This was pretty major seeing as the system contained records for staff records. I contacted them to tell them about the problem and they responded with insults and claims that it in fact was not a vulnerability.
They still haven’t fixed the issue to this day, I guess its just a matter of time untill someone else finds this with less than honorable intentions in mind.
Point being, why even try to help? Too much trouble involved when it obivously will be more than likley met with negative reactions.
Re: Why even try?
Send the exploited data and the method for retrieving it to the local newspaper, or really make a stink and go for some international media. The embarrasement alone should force some action…
They were already warned.
Re: Re: Why even try?
They deserve everything that they get.
keralafood
leafnakki
Your Best Teacher is....
supposed to be you last mistake not a bunch of lazy fools with tenure.
YOu gO gettem!
Serves them right
when someone hacks in and starts trashing htie network.
No Good Deed Shall Go Unpunished
As an IT consultant, I make it a point to never make even the most cursory of security checks unless I’m paid and indemnified in writing, period. If I suspect or discover a vulnerability outside a clearly defined contractual relationship, just call me Sgt. Schultz, because I saw naaaaathing!
If I’m feeling exceptionally charitable, I’ll refer ’em to ISO 17799 or a similar “best standards” document… But I usually don’t broach the issue of security at all. It seems the typical client thinks that hackers are beings out of the Lovecraftian Cthulhu Mythos, wreaking havoc upon those that merely invoke their names.
In short, DNAWC (Do Not Associate With Catastrophe)
Re: No Good Deed Shall Go Unpunished
Why not refer them to Microsoft as an id10t??
I like what #8 said and its true. What the heck is wrong with our world?!?! Its like getting sued because you gave cpr to a drowning person and you break a rib or something. Or the criminal sueing you for your dog biting them after they broke into your house… Somewhere a few years back we really got off track.
HA
That OU story was pretty hilarious. It’s awesome that the guy is now laughing at his university’s collective stupidity.
I learned my lesson in h.s., getting into teachers’ accounts and changing random grades (not mine), then showing administrators how easy it was to do it. All while sitting in an area next to the moronic net manager. Too bad the dean didn’t appreciate my helpfulness. Suspension!
I had half a mind to give everyone A’s after that…
Typical
It’ll just take some time before things heat up for these IT nimrods in the Hallowed Halls. After enough “victims” pile up, we can all write our letters to them, with copies to their sources of revenue, asking them like Dr. Phil says during the commercials…”What the fuck were you thinkin’???
They're going to get hit where it hurts
I read somewhere (maybe ZDNet?) that alumni were sending really nasty messages to the effect of “you *&%#@** you’re never going to see any money from me again” in response to a breach where data on contributors was lost at one school. That’s going to get them where it hurts most.