[96160] in North American Network Operators' Group
Re: UK ISP threatens security researcher
daemon@ATHENA.MIT.EDU (alex@pilosoft.com)
Fri Apr 20 10:37:58 2007
Date: Fri, 20 Apr 2007 10:31:52 -0400 (EDT)
From: alex@pilosoft.com
To: Gadi Evron <ge@linuxbox.org>
Cc: Simon Lyall <simon@darkmere.gen.nz>, <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0704200817220.25872-100000@linuxbox.org>
Errors-To: owner-nanog@merit.edu
On Fri, 20 Apr 2007, Gadi Evron wrote:
>
> On Fri, 20 Apr 2007, Simon Lyall wrote:
> >
> > On Thu, 19 Apr 2007, Gadi Evron wrote:
> > > Looking at the lack of security response and seriousness from this
> > > ISP, I personally, in hindsight (although it was impossible to see
> > > back then) would not waste time with reporting issues to them, now.
> >
> > These days there is almost never any reason to report a security issue
> > unless you are a professional security researcher who is looking for
> > publicity/work. [1]
>
> Now, that is off-topic to NANOG.

Just because you disagree with someone's opinion doesn't make it
off-topic.

> One comment: just because they are not reported does not mean they are
> not used. Proved beyond doubt this past year with all the 0day attacks
> and targeted attacks going on.

I'm not sure if Simon's comment was tongue-in-cheek.

I think if you are referring to "public disclosure", yes, I think there's
little point in doing this, unless you are seeking attention. Of course,
reporting a problem to the vendor privately always makes sense.

I'm not sure the debate on public disclosure vs private falls under NANOG
AUP.

-alex