Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 6 Oct 2006 10:51:49 -0500
-----Original Message----- [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright Sent: Thursday, October 05, 2006 10:29 PM [snip anecdotes of good-doing] On the other hand, I sleep at night.
I guess I do not share your sentiments here then. My experiences have led me to different conclusions as of late.
"Who is going to be our Ralph Nader?" We all should be.
This, really, is the answer I was hoping from someone, but you see, no one really has a voice right now. At least, not that does more than finger-pointing.
At the same time, we are professionals and not vigilantes we have no right to judge the world and to take the enforcement of any issues we note to heart.
I am reasonably competent to judge software security defects and extraordinarily competent to judge that vendors grossly lying to their clients is both bad and evil. I think we should take those issues to heart. Sooner or later, if problems stay the same as our platforms evolve, they are going to cost human lives.
More so, we have no right to actively look for holes in sites we have no connection to.
That is an ambiguous, undefined statement. "Holes". "Connection". How do you know you have no connection to it? What is a hole? What is testing? Bah. I think most folks get the "don't go evil hacking" sentiment, including the courts. It's why they have "intent" in the law. It's all the other undefined mess that's going to bite us, and in fact, already is. -ae ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- RE: (illegal?) Informing Companies about security vulnerabilities..., (continued)
- RE: (illegal?) Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- Re: RE: Informing Companies about security vulnerabilities... none (Oct 05)
- RE: RE: Informing Companies about security vulnerabilities... Levenglick, Jeff (Oct 05)
- RE: Informing Companies about security vulnerabilities... mr . nasty (Oct 05)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- Re: RE: RE: Informing Companies about security vulnerabilities... none (Oct 05)
- Re[4]: Informing Companies about security vulnerabilities... Matthew Leeds (Oct 06)
- Re: RE: Informing Companies about security vulnerabilities... stillnone (Oct 05)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 05)
- Re: Informing Companies about security vulnerabilities... Art Cooper (Oct 06)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 06)
- RE: Informing Companies about security vulnerabilities... jason (Oct 06)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 06)
- Informing Companies about security vulnerabilities... Erin Carroll (Oct 06)
- Re: RE: Informing Companies about security vulnerabilities... v0083mw02 (Oct 06)
- Informing Companies about security vulnerabilities... me (Oct 06)
- RE: Informing Companies about security vulnerabilities... Michael Scheidell (Oct 09)