Re: Advisory: E*TRADE security problems in full

[Signal 11 <signal11 () MEDIAONE NET>]

> disclosure on a list like this is that the majority of real users will NOT
> be reading the messages here and will never realistically find out about
> this until they read it on the front page of the New York Times or E*TRADE
> actually bothers to email its own customers.

In the same way that people who are apathetic about politics aren't going
to know where the candidates stand on the issues, people who do not actively
educate themselves on security won't find this information. There is no
way possible for us to educate the general public about these issues.

> Unfortunately it seems that many posts on here say the vendors
> don't listen or don't care.

Related to the first problem - their target market doesn't care,
why should they? For example, the average joe doesn't purchase Cisco
hardware. They, therefore, are not Cisco's target market. You'll note
then that due to their audience being more educated Cisco takes a more
active role in security. It even works on Microsoft - Their Windows 2000
server has gotten alot more attention security-wise than, say, Windows 98.

> On the other hand, I've seen stuff posted in the past about
> our stuff where the author of the post never emailed me first and
> therefore, hackers would find out about a bug before I could generate a
> mailing to all the people who used my software (I don't give out our
> mailing list).

Considering the low amount of interest generated by most vendors, and
the inherent human need to be recognized, can you blame them? Would you
rather:

a) Alert the vendor, who will send you a form response saying
   "Thanks, we'll put every resource into solving this problem"
   (And never hear from them again)

b) Send a message to BugTraq where you can gain recognition by people
   who think like you do - and are interested in security.

I see quite abit of lamenting from people who choose option A on this
list - it's not that people don't want to inform the vendor, it's just
that the odds of success are so low they don't bother. "Just report it to
Bugtraq and let the script kiddies raise hell with them for a few months,
that'll learn 'em!" Works too, doesn't it?

> Of course, I hope this exploit becomes front-page material but who knows.
> Although maybe its not front page news since  to people who have worked in
> the financial industry, the lack of general security is well known. Many

The security of financial institutions is very good, it's just not the
kind of security YOU want. They are much more concerned about data
integrity and transaction integrity than your personal data, and it makes
sense: If their database becomes corrupt, that's millions, possibly
billions,
of dollars worth of damage. Imagine if the State of Minnesota lost all
records for who owned which home.

Fast fact: Did you know that the only thing needed to withdraw money from
your
checking account is the account number? No signature, no date, no special
watermark - that's for you not the bank. Maybe I should write up an advisory
on that...

> advantage. They must have felt that they were unlikely to get caught.

Or, like most vendors, they honestly weren't aware of the problem until
someone pointed it out. Don't start the clock running until after you
notify them and confirm they got the message. Conversely, if you don't
notify them first, don't go claiming that they're a big, greedy corporation
who doesn't care about security after the news breaks.

Cheers,

--
Signal 11 -o- BOFH, boredengineers.com
Catapultam habeo. Nisi pecuniam omnem mihi dabis ad capul
tuum saxum immane mittam. ( I have a catapult. Give me all
the money or I will fling an enormous rock at your head. )