mailing list archives
Re: Rate Stratfor's Incident Response
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sat, 14 Jan 2012 13:11:37 -0600
--On January 14, 2012 8:33:13 AM -0700 Sanguinarious Rose
<SanguineRose () OccultusTerra com> wrote:
I've been watching this chat for a while and I have to say a lot of
views here does not impress me and in fact why I will never report a
vulnerability if I found one. Why would I want to even risk getting
arrested and/or FBI trouble from observing a security flaw? My policy
on finding them is to quietly just move a long. I'm sure I am not the
only one that does this or come to such a conclusion of is it even
worth the trouble.
The reaction of a security professional like me to this is, why aren't you
looking for security flaws on your own site? Why are you looking for
security flaws on other people's sites? If you want to do security
research, setup a site virtually and bang away at it to your heart's
content. Then report your findings.
I like how the assumptions are always this person is horrible and bad
for have founding a security flaw, he must not be trusted and treated
like a criminal.
You missed the point. It isn't that I think that you're a criminal. It's
that, as a security professional, I cannot take the chance that you are
not. I am forced to do due diligence, take the server offline, do
forensics, etc. That's a lot of work, time spent and disruption of my
normal duties, all you so you can feel proud about finding a
vulnerability. The cost to you is minimal. To me, it's expensive.
So why do you think it's acceptable for you to do some minimal work to
force others to do lots of extra work?
Why would he even be reporting it to begin with if
his goal is abusing the security flaw? After all the audacity of this
dangerous cyber criminal took the time to tell you about the flaw in
an email and should be punished for their indiscretion of reporting
Nobody's talking about punishing people for finding security flaws, but
you're punishing the security professionals for the "pleasure" of finding
vulnerabilities on their site. If I find a vulnerability in our assets, I
can simply fix or remediate the problem. If you find it, I have to treat
it as a breach, or I'm not doing my job.
The analogies of a house is a very very bad one. Do you expect
thousands of people to be walking around your house akin to viewing
I think thousands of people walking or driving past my house and looking
at it as they go by is perfectly normal. What's not normal is for one of
them to pull over, get out of their car, walk up to my door and check to
see if it's unlocked, walk around the house checking all the windows and
doors, etc., etc.
A more appropriate one would be a public store with doors
happen to be unlocked to completely open.
As Valdis pointed out, even public stores have private areas where you are
not allowed. You go there and someone is going to question you, maybe
even arrest you depending upon what you're doing.
"If it's not broken don't fix it" is the classical saying of many
individuals and sadly even more apply it to security. Even reporting
the flaw in some cases results not in fixing it but legal troubles for
the person reporting it. You would think they might want to fix it
after being informed about it right? After all if it works why fix it?
Why not silence that bad apple that found the flaw and no one else
will know kinda like daddy's little secret.
It's 2012. I seriously doubt most sites ignore vulnerabilities any more.
We HAVE learned a few things over the years. We are constantly auditing
for flaws, assessing for flaws and insisting that flaws are corrected. We
don't need your help to do our jobs. I can assure you that we are not
sitting around waiting for someone like you to help us.
Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
"When intelligence argues with stupidity and bias,
intelligence is bound to lose; intelligence has limits,
but stupidity and bias have none."
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/