This Is Why You Don't Punish The Messenger On Security Vulnerabilities

from the solve-the-vulnerability-at-least dept

Over the past few years, we’ve pointed to case after case after case after case after case after case of those who pointed out security vulnerabilities being attacked or blamed for the vulnerability. It’s true that sometimes the “researchers” go too far — but the important point is that security vulnerabilities get fixed. Instead, it’s much easier to simply blame the messenger. Now, with all of the talk about hackers breaking into and taking data from Ohio University computers, Jon has submitted a story reminding everyone how it was just a few years ago that Ohio University was busy blaming the messenger for pointing out how weak the school’s computer security was. Apparently, in the rush to blame and bury the guy, no one actually thought about fixing and protecting their computer system.


Comments on “This Is Why You Don't Punish The Messenger On Security Vulnerabilities”

Brendan (user link) says:

Why even try?

Sometime last year I contacted a local school that hosted a system that contained a vulnerability for SQL injection. This was pretty major, seeing as the system contained staff records. I contacted them to tell them about the problem and they responded with insults and claims that it in fact was not a vulnerability.

They still haven’t fixed the issue to this day. I guess it’s just a matter of time until someone else finds this with less than honorable intentions in mind.

Point being, why even try to help? Too much trouble involved when it obviously will more than likely be met with negative reactions.

Griz says:

No Good Deed Shall Go Unpunished

As an IT consultant, I make it a point to never make even the most cursory of security checks unless I’m paid and indemnified in writing, period. If I suspect or discover a vulnerability outside a clearly defined contractual relationship, just call me Sgt. Schultz, because I saw naaaaathing!

If I’m feeling exceptionally charitable, I’ll refer ’em to ISO 17799 or a similar “best standards” document… But I usually don’t broach the issue of security at all. It seems the typical client thinks that hackers are beings out of the Lovecraftian Cthulhu Mythos, wreaking havoc upon those that merely invoke their names.

In short, DNAWC (Do Not Associate With Catastrophe)

SortaLikeJake says:
That OU story was pretty hilarious. It’s awesome that the guy is now laughing at his university’s collective stupidity.

I learned my lesson in h.s., getting into teachers’ accounts and changing random grades (not mine), then showing administrators how easy it was to do it. All while sitting in an area next to the moronic net manager. Too bad the dean didn’t appreciate my helpfulness. Suspension!

I had half a mind to give everyone A’s after that…
