Vulnerability Development mailing list archives

Re: Neato Bell Atlantic Feature
From: Stephen Friedl <friedl () MTNDEW COM>
Date: Mon, 14 Aug 2000 11:14:55 -0700

> Stop looking at this as a toy to go play with, and start looking for similar
> breaches in the institutions you all use and warn them accordingly.  I fear
> there is a LOT of this kind of vulnerability going around.

I fear that this is going to get people into trouble because the great
majority of internet operations do not take unsolicited security advice
very well *at all*. I have sent dozens and dozens of emails to various
operations that had a security problem of this or that type, and 90%
of them simply ignore it even if you point out the exact details in a
friendly, helpful, and non-threatening way.

Even in the financial services industry, where you'd think that people
would have a heightened sense for anything about "security", things are
ignored or downright hostile.

This is how it could go:

You do some digging on your credit card site, find a problem, and send
an informative note with the details. You would disclaim any possible
financial gain (e.g., "I'm not looking for work") and provide plenty of
information to allow them to verify this for themselves or consult their
local networks.  You might offer suggestions on how they could fix it
themselves if the problem is of that nature. No normal person reading this
note could possibly mistake your good intentions and generous nature.

Except the moron who runs the site in question. He doesn't really
understand and decides that you're a bad guy. This gets escalated through
the company to other people who don't understand: remember that the same
mentality that lets them not "get it" on the original design means they
don't "get it" now.

So they call the authorities, and I believe that the U.S. Secret Service
has jurisdiction on credit card fraud. Now the Feds are involved, and
though eventually it will certainly all be sorted out, have they made
your life miserable in the meantime? DO NOT count on anybody understanding
that you are a good guy.

---

I have been told to get lost by a major U.S. computer professional
organization when I pointed out a serious problem in detail and offered
to help them fix it for nothing.  A government agency spoke privately
of having me *prosecuted* after doing an *authorized* audit that showed
that they had no clue about their network.

Standard & Poors ignored a huge security problem for months and then
denied its existence once it became public. They were notified repeatedly
at the highest level, and I admit that during my S&P nightmare it occurred
to me that the FBI could show up at my door at any minute.

If you are going to do this, *be careful*. If I found a problem with my
bank, I'm not sure I would ever send them the information in a way that
could ever be traced to me: the penalty for error here is just too high.

---
Stephen J Friedl|Software Consultant|Tustin, CA|  +1 714 544-6561
3B2-kind-of-guy |I speak for me only|  KA8CMY  |steve () unixwiz net