nanog mailing list archives
RE: UK ISP threatens security researcher
From: "Stasiniewicz, Adam" <stasinia () msoe edu>
Date: Thu, 19 Apr 2007 22:32:02 -0500
I guess my experience in this area differs. Of the times I reported security holes to vendors/site operators, they were grateful for the tip. I used my real name (which apparently is somewhat unique) and real contact information in case they had questions. I always made sure to contact the most appropriate person I could get contact info for (i.e. the security team if possible, avoiding the general information address). Though I guess the big difference with me is I did not post detailed information about those problems on the Internet for anyone to see. Frankly, posting a major flaw in the setup of thousands of routers before the ISP has had a chance to correct the problem is doing more harm than good. I am not surprised at the ISP's response. The person in question here should have first notified the ISP and, unless the ISP was unwilling to fix the problem, only then should he have considered releasing the information publicly.

My $0.02,
Adam Stasiniewicz

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Simon Lyall
Sent: Thursday, April 19, 2007 8:26 PM
To: nanog () merit edu
Subject: Re: UK ISP threatens security researcher

On Thu, 19 Apr 2007, Gadi Evron wrote:
> Looking at the lack of security response and seriousness from this ISP, I personally, in hindsight (although it was impossible to see back then) would not waste time with reporting issues to them, now.
These days there is almost never any reason to report a security issue unless you are a professional security researcher who is looking for publicity/work. [1]

If you are a random person who comes across a security hole in a website or commercial product, then the best thing to do is tell nobody, refrain from any further investigation and, if possible, remove all evidence you ever did anything. There is almost zero potential upside to reporting these holes vs the very real potential downside that the company might decide to go after you with their legal team or the police.

Anonymous notifications to 3rd parties like security forums or journalists might be an option if you really feel it is important. However, in the scheme of things, giving $50 to your favorite charity is likely to be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your normal job with your company's products. Even then you should only follow normal channels and always be careful.

--
Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.