[96185] in North American Network Operators' Group
Re: UK ISP threatens security researcher
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Apr 20 16:18:26 2007
To: admin@digibase.ca
Cc: nanog@merit.edu
In-Reply-To: Your message of "Fri, 20 Apr 2007 14:56:06 EDT." <200704201456.07096.admin@digibase.ca>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 20 Apr 2007 16:16:16 -0400
Errors-To: owner-nanog@merit.edu
On Fri, 20 Apr 2007 14:56:06 EDT, Kradorex Xeron said:
> In my personal opinion, ISPs, vendors, and such should legally be held
> responsible for their product's security and unconditionally be made to
> repair any security holes. -- if a vendor or ISP maintains good security
> practices, there will be nothing for them to fear from this.
Repair *ANY* holes? *unconditionally*? Including ones that are *demonstrably*
difficult to actually exploit (for instance, attacks that require physical
access to the router), or have a low probability of causing significant damage?
For a "reductio ad absurdum" - I have found an attack against the MPEG format,
which combined with a known weakness in one vendor's handling of long runs of
zero bits, has the potential of corrupting one or two pixels in every 56
minutes of downloaded video, and requires that I be able to clamp a device of
my design around the cable within 2 feet of the router. You're required to fix
it, even though the fix will require the forklift upgrade of your entire
backbone, as the long-run issue is a design limitation of the router you use
throughout your core, and also harden all your PoPs to withstand an attack by
a squad of 3 to 5 M1 Abrams tanks, just in case I'm *really* determined to get
into the room with the router rack. Oh, and it's arguable that it isn't even
*your* problem to fix, but somebody else's.
Did you want to be legally held to this?
Be careful what you ask for - you might actually get it.