North American Network Operators Group


Re: UK ISP threatens security researcher

  • From: Kradorex Xeron
  • Date: Fri Apr 20 17:55:19 2007

On Friday 20 April 2007 16:16, [email protected] wrote:
> On Fri, 20 Apr 2007 14:56:06 EDT, Kradorex Xeron said:
> > In my personal opinion, ISPs, vendors, and such should legally be held
> > responsible for their product's security and unconditionally be made to
> > repair any security holes. -- if a vendor or ISP maintains good security
> > practices, there will be nothing for them to fear from this.
>
> Repair *ANY* holes?  *unconditionally*? Including ones that are
> *demonstrably* difficult to actually exploit (for instance, attacks that
> require physical access to the router), or have a low probability of
> causing significant damage?
>
> For a "reductio ad absurdum" - I have found an attack against the MPEG
> format, which combined with a known weakness in one vendor's handling of
> long runs of zero bits, has the potential of corrupting one or two pixels
> in every 56 minutes of downloaded video, and requires that I be able to
> clamp a device of my design around the cable within 2 feet of the router.
> You're required to fix it, even though the fix will require the forklift
> upgrade of your entire backbone, as the long-run issue is a design
> limitation of the router you use throughout your core, and also harden all
> your PoP's to withstand an attack by a squad of 3 to 5 M1 Abrams tanks,
> just in case I'm *really* determined to get into the room with the router
> rack. Oh, and it's arguable that it isn't even *your* problem to fix, but
> somebody else's.
>
> Did you want to be legally held to this?


Maybe if companies repaired holes when people find them instead of shrugging 
them off like they do, or threatening the researcher with a lawsuit (even 
though no malicious action was taken), such action would NOT have to be taken.

What would you rather do?
A: Patch the hole ASAP, process over within days, perhaps keeping the problem 
out of the media, minimal energy taken.
B: Take someone to court for finding a problem in your system thus looking 
like a bigot, media coverage ensues.
C: Ignore the problem, wait until someone with malicious intent comes along 
and causes a DoS or otherwise, then struggle to keep the problem down until a 
patch is deployed.

So many companies talk out of both sides of their mouths: they tell the media and 
post on their websites that security is one of the most important things to 
them, yet they don't take any action to keep their systems and products 
secure.

>
> Be careful what you ask for - you might actually get it.

I wish for many things, most of which are only present in a perfect world... ;)