Re: Speaking of ethics ...

[The Security Community <thesecuritycommunity () gmail com>]

My impression was that the McAfee report was 100% 20/20 hindsight.

Timed for Blackhat/Defcon, obviously.

Still, it doesn't support their cause of selling more AV products,
since they obviously didn't help in the first place.

STAND IN AWE OF OUR GLORIOUS FAILURE!!!!

On Fri, Aug 5, 2011 at 2:13 PM,  <michael.blanchard () emc com> wrote:
> Interesting....
> \@virusbtn: Does the security industry need a voluntary code of ethics?
> http://bit.ly/rs6KzO
>
>  So let me paint a scenario:
>
>  Company ABC has machines that are compromised with malware that is being controlled by and is sending confidential 
> information up to the C&C boxes that Mcafee refers to in Shady RAT.  Lets say that ABC company got compromised in 
> December last year.  They are also a customer of Mcafee.  So, McAfee's been following this C&C network since 2009 and 
> never told anyone until recently.  This March McAfee blocks their clients from being able to connect to this C&C 
> network and I assume this is when they tell the 72 companies that they're Pwned as well.
>    So, Company ABC has been leaking confidential information up to the C&C for 3 months, potentially hundreds of 
> millions of dollars worth of intellectual property has been leaked until McAfee says something in to them in March.
>
>  Who is liable?  Is this a lawsuit waiting to happen with McAfee being the defendant?  If a Security research firm 
> knows of a compromise, and doesn't immediately notify, wouldn't that make them liable for any damages?  I'd say yes, 
> if they don't' notify the company within a reasonable amount of time, they should be held liable for any losses.  
> This has been going on for over 2 years if not longer....  Why weren't these 72 companies notified right away about 
> what they found?
>
> Just my 2 cents worth for now :-)
>
> Michael P. Blanchard
> Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
> Office of Information Security & Risk Management
> EMC ² Corporation
> 32 Coslin Drive
> Southboro, MA 01772
>
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, 
> Trevor, Devon & Hannah
> Sent: Friday, August 05, 2011 2:48 PM
> To: funsec () linuxbox org
> Subject: [funsec] Speaking of ethics ...
>
> @virusbtn: Does the security industry need a voluntary code of ethics?
> http://bit.ly/rs6KzO
>
> @SecurityHumor: First: Do no Pwn (or FUD).
>
> http://twitter.com/#!/SecurityHumor/status/99454302174720000
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
> There are no *printed* instructions, but I found a CD-ROM called
> `How to Set Up Your Computer.'                         - Dan Piraro
> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/rslade
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.