Re: UK ISP threatens security researcher

• From: J. Oquendo
• Date: Fri Apr 20 11:30:54 2007

I'm not sure if Simon's comment was tongue-in-cheek.

I think if you are referring to "public disclosure", yes, I think there's little point of doing this, unless you are seeking attention. Of course, reporting a problem to vendor privately always makes sense.

I'm not sure the debate on public disclosure vs private falls under NANOG AUP.

-alex

1) Reporting to vendors... I don't know how many vendors from
Microsoft on down I've reported issues to... Sometimes it
works sometimes it doesn't. For the heavy hitters (MS, IBM,
etc.) they should acknowledge and take responsibility for
their issues, else have the issues publicly disclosed.

How would you feel if you used a product a company KNOWS lacks
fundamental security controls and does little to fix it. How
would you feel if AFTER the fact someone leveraged a method
to affect you. How would you feel AFTER the fact, finding
out they were told and did nothing for eons.

I've disclosed a pretty bad denial of service bug. Tested not
only by me, but by about six other individuals one in one of
the world's biggest insurance agencies... Confirmed... Another
in academia land... Confirmed... A professional pentester with
a DoD contract... Confirmed... Sent it to MS... "Well it
doesn't work" said the MS team... I didn't even bother disclosing
it out after that. Not because it didn't work but because the
last thing I wanted to see was something akin to another Smurf
like attack on MS being part of my own shop where I work is
MS based. I gave up. On occasion I will take a few minutes to
find something stupid to break because I fiddle with things.
Sometimes I release things publicly, sometimes I don't depending
on what I perceive to be a level of severity. If its minor, it
gets released and this is only because I've gotten tired of
dealing with the idiotic policies these companies use to shoot
themselves in their own foot.

On the other hand, if I attempted to contact someone, got the
cold shoulder, attempted again, and something was that bad, why
should I be chastised after I decided to let others using that
product know "Hey if you use that product... It might not be
all that safe." I get flack whenever I release something in the
wild and those whose messages go to my trash bin, know little
about the fact that I'd made attempts to contact the vendor.

From Cisco, to Microsoft, to open source vendors (Asterisk),
whomever, most times I will contact the necessary party... They
fail to respond, it goes public. Same happened way back when
with Computrace (LoJack for Laptops)... Where I contacted them
over and over... They told me "You're wrong... After proving
my points repeatedly... Finally I ended up pulling their card
and posting their entire email transcription... I still have
an NDA they wanted me to sign which is summarized as "We will
pay you x amount of what you spend if you just... well shut
up." Right.... I see nothing wrong with responsible public
disclosure.

The happiness of society is the end of government.
John Adams

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

• Follow-Ups:
  • Re: UK ISP threatens security researcher alex

• References:
  • Re: UK ISP threatens security researcher alex

• Prev by Date: Re: UK ISP threatens security researcher
• Next by Date: Re: UK ISP threatens security researcher
• Date Index
• Thread Index
• Author Index
• Historical