nanog mailing list archives
Re: UK ISP threatens security researcher
From: Owen DeLong <owen () delong com>
Date: Sat, 21 Apr 2007 12:02:45 -0700
I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to the vendor privately always makes sense.
Public disclosure of the existence of a vulnerability and whatever information is required to understand it well enough to mitigate it, resolve it, or work around it is a good and useful thing.

Public disclosure of details of how to exploit the vulnerability beyond what is required in my previous paragraph is not useful and is both rude and counterproductive. Generally, however, I do not think it should be actionable or criminal.

If you leave your front door unlocked, that's dumb. If I tell you that you left your front door unlocked, that's a good thing. If I tell your neighbors that you left your front door unlocked, it's not necessarily helpful, but, it's not illegal, nor should it be.

OTOH, if you buy your lock from LockCo and I discover that there is a key pattern that will open ALL LockCo locks, then, it's good if I tell LockCo about that. It's better if I also tell the public so that people who choose to can either have their locks repaired or can replace them if they so choose. If I tell the public the exact key pattern required, that's not so good, but, it's not illegal and it shouldn't be illegal or actionable.

Now, if I used stolen LockCo engineering diagrams to identify the key pattern in question, the use of the stolen diagrams might be actionable and/or criminal.

Owen