| |||||||||||||
The risks of disclosing web vulnerabilitiesThe risks of disclosing web vulnerabilitiesPosted May 4, 2006 8:44 UTC (Thu) by dvrabel (subscriber, #9500)Parent article: The risks of disclosing web vulnerabilities
Sounds like McCarty didn't just find a flaw but used it to obtain personal data to which he was not authorized nor entitled and then proceeded to store and distribute that data. Should my personal data be misused in such a way I would expect and require investigation by the police or other appropriate authorities.
If we applaud such misuse of personal data then it becomes all too easy for wholescale misuse to occur under the guise of "security research".
(Log in to post comments)
The risks of disclosing web vulnerabilities Posted May 4, 2006 9:27 UTC (Thu) by eskild (subscriber, #1556) [Link] Well, yes, but... Reading the article it appears the web site owners didn't acknowledge the problem until they were presented with data that proved their systems' failure.
In other words: They flat-out denied they had a problem -- until it was proven to them with their own data.
It is hard for me to see how an organization acting in denial of their own problems could be convinced of their web site deficiencies in another manner.
So he *had* to retrieve data, he *had* to distribute them. But, of course, he *didn't* have to retain them once they were sent.
I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too.
An anecdote: A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly. That's how these things should work.
The risks of disclosing web vulnerabilities Posted May 14, 2006 19:48 UTC (Sun) by kasperd (guest, #11842) [Link] I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too. I have experinced that as well with a Danish company. My experience with that particular company was a different reaction on each email I send to them.
At that point I decided the best I could do was to report it the company to authorities for keeping personal data without the amount of security required by the law. At least I felt that was the best I could do to my own position in case of a lawsuit. The company was given a very long time to respond about the problem. And just before their time ran out, they removed that particular symptom. However there was no proof that the vulnurability was really solved. And in other places there were still symptoms showing vulnurabilities, and other problems showing they just don't know what the hell they are doing. A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly. Nice to hear that there still are companies handling such approaches reasonably. Unfortunately they are rare. I have reached the point where I don't know if it is worth the effort to tell sites about their security problems. I think the next time I come across a security vulnurability in a Danish site I'm just going to report it straight to the authorities and then just publish the fact that this company has been reported.
|
|||||||||||||