Re: Advisory: E*TRADE security problems in full
From: Tim Hollebeek <thollebeek () CIGITAL COM>
Date: Wed, 27 Sep 2000 12:59:38 -0400
That is, what is the best way to notify users? What percentage of users
read BUGTRAQ versus security aficionados and hackers? The problem of
disclosure on a list like this is that the majority of real
users will NOT be reading the messages here and will never realistically
find out about this until they read it on the front page of the New York
Times or E*TRADE actually bothers to email its own customers.

A reasonable answer is to modify consumer protection laws so that companies
are liable for damage from security flaws when and if they know about them
unless they make reasonable efforts to fix them, contact users, and offer

E*TRADE would then have the choice of ignoring the issue and facing the
financial consequences (if any; some security issues really ARE fairly
or they can instead take whatever steps they feel they need to in order to
defend themselves if they get sued.

Cem Kaner, among others, has been promoting the idea of using liability as
a carrot to promote disclosure. Unfortunately, with UCITA, the current
is in the other direction. Among other things, UCITA allows license
to contain disclosure limitations. See http://www.badsoftware.com.
(formerly Reliable Software Technologies)