Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 6 Oct 2006 10:41:19 -0500
Unfortunately your ideas do not help address the four times I've been a victim of identity theft/cloning, and the subsequent costs, nor provide recourse to the vendors creating, selling, and shipping defective products to users I have no idea are consumers of those products, but that defectively store my private data. And trust me, there's more impact than financial. How about the hours sucked out of my life helping law enforcement straighten out an identity theft issue?

Interestingly, you are one of several that have made the "not my burden to bear" statement. Which has its own interesting ethical implications.

Yeah yeah, all security researchers do this to get their 15 minutes of fame, I get it. But what about my mother? My grandmother? My peers and friends? All can be (and some have been) impacted negatively by this defective software. Yet these thugs march arrogantly on with EULA & license agreement in the one hand, and the threat-of-lawsuit stick in the other.

Now that doesn't seem right to me.

The questions I still have:

1) How bad does it have to get? Human life?

2) What do we do about it? Nothing? Assume it is self-correcting? What is the history of other industries at this juncture? I believe history speaks to regulation and whistle-blowers, not to self-healing. As much as I shudder to think of how regulation might occur with software, do we have any other precedents?

-ae
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mr.nasty () ix netcom com
Sent: Thursday, October 05, 2006 3:56 PM
To: pen-test () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

Here's my worthless two cents.

Chances are you are not the first one to discover the problem. Hence unless you do business with them it really doesn't affect you financially. On the other hand the right thing (not the legal thing) to do is inform someone at the company (find many company email addresses - support () company com etc.) and provide them what you found. NO RECOMMENDATIONS should be offered.

Number one, they do not pay you to provide them with recommendations or solutions. Number two, unless this business affects you financially it's not your burden to bear. And if you do have some financial interest in a company that ignores its customers...LEAVE. Number three, you can't get blood from a turnip or teach pigs to sing.

That's just my worthless two cents.