mailing list archives
Re: Advisory: E*TRADE security problems in full
From: reb () OPENRECORDS ORG
Date: Wed, 27 Sep 2000 04:43:16 -0500
On Tue, 26 Sep 2000, Gunther Birznieks wrote:
I think this brings up an interesting point about disclosure which is close
That is, what is the best way to notify users?
I believe that it is the vendors duty to make the effort of
notifying their users to the best of the vendors ability. This can be
done by sending mail to registered users, popups in a browser if
available, etc. The question is why would a financial institution want to
scream to the entire world: YES WE'RE INSECURE, knowing that a news person
would pick the story up and run with it?
Vendors are going to try and save face as much as possible,
especially the major players. A business such as E*Trade obtaining any
publicity as being insecure would drive the non-technical majority away by
the masses, if not current customers, potential customers would be
I don't know what to suggest. Although perhaps it would be useful if
vendors would voluntarily have their users subscribe to a special filtered
version of BUGTRAQ based on the vendor name. So, for example, Schwab would
link to a special Bugtraq security mailing list that they encourage their
users to subscribe to incase Schwab ever had a security hole. If there are
no security holes, the user would get no emails. ever. But if one ever did
pop up, it wouldn't be Scwab telling the user's it would be BUGTRAQ.
Vendors of security sensitive web services could use this as a selling
point of their service. That they give a highly trusted 3rd party the
capability of letting them know about any problems so they cannot ever hide
a problem. I know if BUGTRAQ offered such a service, I would link to them
and encourage our users to use them. As it is, the traffic on a real
BUGTRAQ mailing list is too much to expect the common user who has minimal
computer skills to read and filter BUGTRAQ on their own.
What you are proposing here isn't very viable due to several
factors. Who would be responsible for such announcements? Who could post
to the mailing list? Are you suggesting a vuln-dev area for the techies
and then if the security flaw is verified and widespread, then forward the
flaw in question to the list? How would that be different than what
we have now?
Most companies use 'updates' to cover fixes/security concerns,
your normal everyday user would probably not know that their account
before the update could be trivially compromised.
In conclusion, the security community needs to keep
full-disclosure putting the pressure on vendors to notify users and have
their products as secure as possible. When vendors cut corners in the
security arena, they hurt everyone.
<snip rest of message>