Security Basics mailing list archives

Re: Ethics Question


From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Mon, 1 Sep 2003 11:58:28 +0200

Mike, it shouldn't really be a problem for you
to alert Company Y about this. (However, it is now).

1. (Why it shouldn't be a problem)
You knew of this vulnerability in advance. You acquired that
knowledge as part of your job, and no one can hold you liable for
that.
This means you could easily have told Company Y: "have you checked
with Company X whether this thing has been fixed?", based on your old
knowledge. But you can _not_ tell them that you know it still hasn't been
fixed.

2. (Why it is a problem _now_)
You have no right to know any more. The fact that you _know_
it still hasn't been fixed shows that you have poked your nose
into where it doesn't belong. And, as someone pointed out,
it is now even on record for the entire Internet to see.
Thus, you have lost your chance to alert anyone.

So, next time, don't tell the public what you did, rather go
to the concerned parties directly.

Cheers,
Anders :)

