North American Network Operators Group


Re: UK ISP threatens security researcher

  • From: Owen DeLong
  • Date: Sat Apr 21 15:08:08 2007

I think if you are referring to "public disclosure", yes, I think there's
little point in doing this, unless you are seeking attention. Of course,
reporting a problem to a vendor privately always makes sense.

Public disclosure of the existence of a vulnerability and whatever information is required to understand it well enough to mitigate it, resolve it, or work around it is a good and useful thing.

Public disclosure of details of how to exploit the vulnerability
beyond what is required in my previous paragraph is not
useful and is both rude and counterproductive.  Generally,
however, I do not think it should be actionable or criminal.

If you leave your front door unlocked, that's dumb.  If I tell you
that you left your front door unlocked, that's a good thing.
If I tell your neighbors that you left your front door unlocked,
it's not necessarily helpful, but, it's not illegal, nor should it be.

OTOH, if you buy your lock from LockCo and I discover that
there is a key pattern that will open ALL LockCo locks, then,
it's good if I tell LockCo about that.  It's better if I also tell
the public so that people who choose to can either have
their locks repaired or can replace them if they so choose.
If I tell the public the exact key pattern required, that's not
so good, but, it's not illegal and it shouldn't be illegal or
actionable.  Now, if I used stolen LockCo engineering
diagrams to identify the key pattern in question, the use
of the stolen diagrams might be actionable and/or criminal.

Owen
