Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Advisory: E*TRADE security problems in full
From: Tim Hollebeek <thollebeek () CIGITAL COM>
Date: Wed, 27 Sep 2000 12:59:38 -0400

That is, what is the best way to notify users? What percentage of users
read BUGTRAQ versus security aficionados and hackers? The problem of
disclosure on a list like this is that the majority of real
users will NOT be reading the messages here and will never realistically
find out about this until they read it on the front page of the New York
Times or E*TRADE actually bothers to email its own customers.

A reasonable answer is to modify consumer protection laws so that companies
are liable for damage from security flaws when and if they know about them
unless they make reasonable efforts to fix them, contact users, and offer
workarounds.

E*TRADE would then have the choice of ignoring the issue and facing the
financial consequences (if any; some security issues really ARE fairly
minor),
or they can instead take whatever steps they feel they need to in order to
defend themselves if they get sued.

Cem Kaner, among others, has been promoting the idea of using liability as
a carrot to promote disclosure.  Unfortunately, with UCITA, the current
trend
is in the other direction.  Among other things, UCITA allows license
agreements
to contain disclosure limitations.  See http://www.badsoftware.com.

Tim Hollebeek
Cigital, Inc.
(formerly Reliable Software Technologies)


  By Date           By Thread  

Current thread:
  • Re: Advisory: E*TRADE security problems in full Tim Hollebeek (Sep 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]