[96225] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: UK ISP threatens security researcher

daemon@ATHENA.MIT.EDU (Leigh Porter)
Tue Apr 24 06:58:05 2007

Date: Tue, 24 Apr 2007 11:55:12 +0100
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: Dragos Ruiu <dr@kyx.net>
Cc: Simon Lyall <simon@darkmere.gen.nz>, nanog@merit.edu
In-Reply-To: <200704232250.20007.dr@kyx.net>
Errors-To: owner-nanog@merit.edu


Dragos Ruiu wrote:
> On Thursday 19 April 2007 18:25, Simon Lyall wrote:
>   
>> If you are a random person who comes across a security hole in a website
>> or commercial product then the best thing to do is tell nobody, refrain
>> from any further investigation and if possible remove all evidence you
>> ever did anything.
>>
>> There is almost zero potential upside of reporting these holes vs the very
>> real potential downside that the company might decide to go after you with
>> their legal team or the police.
>>     
>
> Bullshit.
>
> And when we start propagating messages like this, it will be bad news.
>
> Just report the bug. Unless they are ignorant idiots they should thank
> you in some way.
>
> cheers,
> --dr
>
>   
Yeah, but in this case the company the bug was being reported to 
deliberately set up this back door password and had previously ignored 
people bringing it to their attention. There is a point where, as you 
say, their being ignorant idiots takes over.

So what do you do then? Yer damned if you do and everybody's pwned if 
you don't!


--
Leigh



