Bugtraq mailing list archives
Re: Advisory: E*TRADE security problems in full
From: Signal 11 <signal11 () MEDIAONE NET>
Date: Wed, 27 Sep 2000 11:49:15 -0500
> disclosure on a list like this is that the majority of real users will NOT be reading the messages here and will never realistically find out about this until they read it on the front page of the New York Times or E*TRADE actually bothers to email its own customers.

In the same way that people who are apathetic about politics aren't going to know where the candidates stand on the issues, people who do not actively educate themselves on security won't find this information. There is no way possible for us to educate the general public about these issues.

> Unfortunately it seems that many posts on here say the vendors don't listen or don't care.

Related to the first problem - their target market doesn't care, why should they? For example, the average joe doesn't purchase Cisco hardware. They, therefore, are not Cisco's target market. You'll note then that due to their audience being more educated Cisco takes a more active role in security. It even works on Microsoft - their Windows 2000 server has gotten a lot more attention security-wise than, say, Windows 98.

> On the other hand, I've seen stuff posted in the past about our stuff where the author of the post never emailed me first and therefore, hackers would find out about a bug before I could generate a mailing to all the people who used my software (I don't give out our mailing list).

Considering the low amount of interest generated by most vendors, and the inherent human need to be recognized, can you blame them? Would you rather:

a) Alert the vendor, who will send you a form response saying "Thanks, we'll put every resource into solving this problem" (and never hear from them again), or

b) Send a message to BugTraq where you can gain recognition by people who think like you do - and are interested in security.

I see quite a bit of lamenting from people who choose option A on this list - it's not that people don't want to inform the vendor, it's just that the odds of success are so low they don't bother. "Just report it to Bugtraq and let the script kiddies raise hell with them for a few months, that'll learn 'em!" Works too, doesn't it?

> Of course, I hope this exploit becomes front-page material but who knows. Although maybe it's not front page news since to people who have worked in the financial industry, the lack of general security is well known. Many

The security of financial institutions is very good, it's just not the kind of security YOU want. They are much more concerned about data integrity and transaction integrity than your personal data, and it makes sense: if their database becomes corrupt, that's millions, possibly billions, of dollars worth of damage. Imagine if the State of Minnesota lost all records for who owned which home. Fast fact: did you know that the only thing needed to withdraw money from your checking account is the account number? No signature, no date, no special watermark - that's for you, not the bank. Maybe I should write up an advisory on that...

> advantage. They must have felt that they were unlikely to get caught.

Or, like most vendors, they honestly weren't aware of the problem until someone pointed it out. Don't start the clock running until after you notify them and confirm they got the message. Conversely, if you don't notify them first, don't go claiming that they're a big, greedy corporation who doesn't care about security after the news breaks.

Cheers,

--
Signal 11 -o- BOFH, boredengineers.com
Catapultam habeo. Nisi pecuniam omnem mihi dabis ad caput tuum saxum immane mittam.
( I have a catapult. Give me all the money or I will fling an enormous rock at your head. )