Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: pand0ra <pand0ra.usa () gmail com>
Date: Thu, 5 Oct 2006 12:47:17 -0600
The problem here is that he did not have permission to do what he did. I don't go around my neighborhood checking the windows and doors of every house to see if I can get in. It's none of my business. The people who own the data (data owners) are the ONLY people who are responsible for protecting their data. The problem here is that he knowingly made an attack against those systems without permission. That is not 'stumbling' across a problem, he was actively looking for one. I understand his intentions (that he did not intend to harm anyone and was trying to help) but he did cross the line. I hope nothing bad happens to either party and that Joseph learns from this experience.

I disagree with you in that it does not matter "on the information that can be retrieved via a vulnerable website". If you don't have anything valuable in your house would you want people just walking in because they can? Maybe even setting up a porn store in your house? Is it their (everybody else's) responsibility to go to every house to make sure it is secured?

But I do agree with you in that if you know something is wrong that you should tell someone about the problem.

On 10/5/06, Andreas Putzo <putzoa () gmx de> wrote:
On Oct 04, pand0ra wrote:
> "You can try to set them an ultimatum pretending to disclose the holes
> to the public. Perhaps they are more willing to react if they are forced
> to do so."
>
> Ethically, that is bad. You should never force (or threaten) anyone
> into doing something they don't want to. I agree completely with Jay
> and Dan.

This depends greatly on the information that can be retrieved via a vulnerable website IMHO. What if you can get personal data of the customers of the company or you can do financial harm to them? Then it would be unethical to do nothing against it. In general I agree with you that it is never nice to force someone to do something. However, I don't want to put this threat into a discussion ethical vs. unethical behavior..

--
regards,
Andreas Putzo