[159805] in North American Network Operators' Group
Re: Security reporting response handling [was: Suggestions for the
daemon@ATHENA.MIT.EDU (Matt Palmer)
Tue Jan 22 05:37:34 2013
Date: Tue, 22 Jan 2013 19:10:31 +1100
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <50FE1434.3090206@vaxination.ca>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
> This article may be of interest:
>
> > http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developing mobile software to interface
> with the school's system, found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
>
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"
That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site. There are
so many site vulnerabilities these days that they're not news. What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.
See Also: First State Superannuation.
- Matt