Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sat, 14 Jan 2012 13:11:37 -0600

--On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose 
<SanguineRose () OccultusTerra com> wrote:

> I've been watching this chat for a while and I have to say a lot of
> views here do not impress me and in fact why I will never report a
> vulnerability if I found one. Why would I want to even risk getting
> arrested and/or FBI trouble from observing a security flaw? My policy
> on finding them is to quietly just move along. I'm sure I am not the
> only one that does this or has come to such a conclusion about whether
> it is even worth the trouble.


The reaction of a security professional like me to this is, why aren't you 
looking for security flaws on your own site?  Why are you looking for 
security flaws on other people's sites?  If you want to do security 
research, set up a site virtually and bang away at it to your heart's 
content.  Then report your findings.

> I like how the assumptions are always this person is horrible and bad
> for having found a security flaw, he must not be trusted and treated
> like a criminal.

You missed the point.  It isn't that I think that you're a criminal.  It's 
that, as a security professional, I cannot take the chance that you are 
not.  I am forced to do due diligence, take the server offline, do 
forensics, etc.  That's a lot of work, time spent and disruption of my 
normal duties, all so you can feel proud about finding a 
vulnerability.  The cost to you is minimal.  To me, it's expensive.

So why do you think it's acceptable for you to do some minimal work to 
force others to do lots of extra work?

> Why would he even be reporting it to begin with if
> his goal is abusing the security flaw? After all the audacity of this
> dangerous cyber criminal took the time to tell you about the flaw in
> an email and should be punished for their indiscretion of reporting
> it.


Nobody's talking about punishing people for finding security flaws, but 
you're punishing the security professionals for the "pleasure" of finding 
vulnerabilities on their site.  If I find a vulnerability in our assets, I 
can simply fix or remediate the problem.  If you find it, I have to treat 
it as a breach, or I'm not doing my job.

> The analogy of a house is a very, very bad one. Do you expect
> thousands of people to be walking around your house akin to viewing
> the website?

I think thousands of people walking or driving past my house and looking 
at it as they go by is perfectly normal.  What's not normal is for one of 
them to pull over, get out of their car, walk up to my door and check to 
see if it's unlocked, walk around the house checking all the windows and 
doors, etc., etc.

> A more appropriate one would be a public store with doors that
> happen to be unlocked or completely open.


As Valdis pointed out, even public stores have private areas where you are 
not allowed.  You go there and someone is going to question you, maybe 
even arrest you depending upon what you're doing.

> "If it's not broken don't fix it" is the classical saying of many
> individuals and sadly even more apply it to security. Even reporting
> the flaw in some cases results not in fixing it but legal troubles for
> the person reporting it. You would think they might want to fix it
> after being informed about it right? After all if it works why fix it?
> Why not silence that bad apple that found the flaw and no one else
> will know kinda like daddy's little secret.


It's 2012.  I seriously doubt most sites ignore vulnerabilities any more. 
We HAVE learned a few things over the years.  We are constantly auditing 
for flaws, assessing for flaws and insisting that flaws are corrected.  We 
don't need your help to do our jobs.  I can assure you that we are not 
sitting around waiting for someone like you to help us.

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
"When intelligence argues with stupidity and bias,
intelligence is bound to lose; intelligence has limits,
but stupidity and bias have none."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
