[96154] in North American Network Operators' Group


RE: UK ISP threatens security researcher

daemon@ATHENA.MIT.EDU (Stasiniewicz, Adam)
Thu Apr 19 23:34:03 2007

Date: Thu, 19 Apr 2007 22:32:02 -0500
In-Reply-To: <Pine.LNX.4.56.0704201130430.4395@localhost.localdomain>
From: "Stasiniewicz, Adam" <stasinia@msoe.edu>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


I guess my experience in this area differs.  Of the times I reported
security holes to vendors/site operators they were grateful for the tip.  I
used my real name (which apparently is somewhat unique) and real contact
information in case they had questions.  I always made sure to contact the
most appropriate person I could get contact info for (i.e. the security team
if possible; avoiding the general information address).  Though I guess the
big difference with me is I did not post detailed information about those
problems on the Internet for anyone to see.  

Frankly, posting a major flaw in the setup of thousands of routers before
the ISP has had a chance to correct the problem is doing more harm than
good.  I am not surprised at the ISP's response.  The person in question here
should have first notified the ISP and unless the ISP was unwilling to fix
the problem, only then should he have considered releasing the information
publicly.

My $0.02,
Adam Stasiniewicz

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Simon Lyall
Sent: Thursday, April 19, 2007 8:26 PM
To: nanog@merit.edu
Subject: Re: UK ISP threatens security researcher


On Thu, 19 Apr 2007, Gadi Evron wrote:
> Looking at the lack of security response and seriousness from this ISP, I
> personally, in hindsight (although it was impossible to see back
> then) would not waste time with reporting issues to them, now.

These days there is almost never any reason to report a security issue
unless you are a professional security researcher who is looking for
publicity/work. [1]

If you are a random person who comes across a security hole in a website
or commercial product then the best thing to do is tell nobody, refrain
from any further investigation and if possible remove all evidence you
ever did anything.

There is almost zero potential upside of reporting these holes vs the very
real potential downside that the company might decide to go after you with
their legal team or the police.

Anonymous notifications to 3rd parties like security forums or
journalists might be an option if you really feel it is important. However
in the scheme of things giving $50 to your favorite charity is likely to
be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your
normal job with your company's products. Even then you should only follow
normal channels and always be careful.

-- 
Simon J. Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.

