nanog mailing list archives

Re: Security reporting response handling [was: Suggestions for the future on your web site]


From: Matt Palmer <mpalmer () hezmatt org>
Date: Tue, 22 Jan 2013 19:10:31 +1100

On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
> This article may be of interest:
>
> http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developing mobile software to interface
> with the school's system, found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
>
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site.  There are
so many site vulnerabilities these days that they're not news.  What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

See Also: First State Superannuation.

- Matt


