Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities

from the chilling-effects dept

Now that we keep hearing stories about security researchers in the US and elsewhere taking the blame for simply pointing out security holes, it was only a matter of time until security researchers started making it clear that the risk of pointing out security flaws just isn't worth it any more. Slashdot points to an article basically telling people in the security industry it's just not worth it. That's what you get when you repeatedly blame the messenger. Of course, the end result is that vulnerabilities stay open and those with malicious intent keep on causing problems.


Reader Comments



  • Pedren, 22 May 2006 @ 4:44pm

    Duh

    How can they expect results when the only reinforcement they're giving to these people is negative?


  • Anonymous Coward, 22 May 2006 @ 4:58pm

    learn something about law and police

    Having read the article, the author was unduly upset. Of course the detective threatened all kinds of legal action. He had nothing and so played the bullshit card. It is standard police procedure to play the bullshit card when you are stalled. The best response is to inform the officer that you will have your lawyer contact them.

    I would recommend anyone involved get a pre-paid legal account to make this affordable. But anyone who knows will tell you that a police officer telling a lie to get information is simply being good. They are NOT compelled to be honest with you. And charges are only a problem when you are dealing with someone from the DA's office.


    • SRNissen, 22 May 2006 @ 5:27pm

      Re: learn something about law and police

      Man, I am glad I don't have to deal with the American police. If a police officer over here lied to me, there'd be such an outrage. Also: Charges.

      - SRNissen
      FABRICATE DIEM, PVNC


      • Rex, 22 May 2006 @ 6:17pm

        Re: Re: learn something about law and police

        The American court system is something else. Here is a brief summary from a Canadian case where the Canadian courts ultimately refused to extradite accused persons to the United States:

        The fugitives were Canadian citizens. The United States sought their extradition on charges of fraud and conspiracy to commit fraud. While sentencing a co-accused, the assigned trial judge in the United States stated that if the fugitives did not cooperate and come to the United States voluntarily, he would impose the absolute maximum jail sentence that the law permitted. Furthermore, the prosecutor assigned to the case appeared on a Canadian television program and threatened that those fugitives who contested their extradition would serve longer sentences under much more stringent conditions, and would "be the boyfriend of a very bad man". The extradition judge stayed the proceedings.

        Really nice - a prosecutor threatening accused persons on television with anal rape to get them to surrender.


  • VPR, 22 May 2006 @ 6:07pm

    I would recommend anyone involved get a pre-paid legal account to make this affordable.

    lol

    Anyway, it's unfortunate that this has got to this point, but let's face it, it was only a matter of time. It's true the messenger takes the blame, but it's really their own fault.

    When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.


    • been_there_done_that, 23 May 2006 @ 8:16am

      Been there, done that, didn't get the T-shirt

      When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.

      FWIW, I've had to deal with a similar situation a couple of times, where I, my employer, or my client was a customer of a vendor, a flaw was found, and duly reported to the vendor... who then sat and did nothing.

      For weeks... once it was months.

      In both cases, the only thing that drove the vendor to fix the flaw in their product was to make it public. In the first case, I sent a trouble report, and they responded with "Oh yeah, not only is the W feature you mentioned vulnerable, the same flaw also affects U and V." That was the last I heard from them for six weeks.

      Published a proof-of-concept exploit to a well-known security discussion, and one week later a patch was available.

      Second time around, I sent email. I called on the phone. I sent a fax. I sent a registered letter. Nothing. I posted everything except the actual IP addresses and passwords to the same forum as mentioned earlier. Still no response.

      The only action which got the supplier to fix their flawed application was the publication of the complete details of the flaw, including passwords.

      ...your motive was a little more than being the happy helper.
      I wasn't asking for money, I wasn't asking for my name to be mentioned in the advisory (though usually that is common courtesy). I was just asking for the product that I or my employer or my client had paid good money for to be secured.


  • Anonymous Coward, 22 May 2006 @ 6:52pm

    Why wouldn't companies want to squelch these people? Their EULAs hold them harmless against any damage caused by the software. They could care less if you get creamed through some flaw in their stuff. They just want to keep the publicity associated with such possibilities and actual occurrences to an absolute minimum. Besides, if there are no competent security researchers they can always blame some other component in your system or some 'misconfiguration'.

    All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck; everything past that is nice, but falls by the wayside in preference to the first priority.


    • Sean, 22 May 2006 @ 7:31pm

      Re:

      Yes, this is 'double posting'.

      All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck; everything past that is nice, but falls by the wayside in preference to the first priority.

      Well umm.. if they don't squelch the bugs in the first place, which should be company policy, then there is no reason to have a good worker (maybe?) fired, and no tons of negative PR for the company. Can't make any money if people don't trust your product, yes?


  • Sean, 22 May 2006 @ 7:28pm

    Lol..

    Wow... they're JUST figuring this out? When I first heard of the bugs for Windows ME I was like "Why would they publicly announce these bugs? It's like ASKING THE HACKERS TO DO IT"

    -sigh- They should really hire just a random person off the streets to figure this shit out for them.


  • charlie potatoes, 22 May 2006 @ 9:03pm

    Personally I have found that police are most receptive to criticism and instruction while away from the lights and cameras. Ergo, I would advise anyone wishing to teach our Texas highway patrolmen constitutional law to do it on the side of a lonely highway late at night.


    • A Funny Guy / The Poison Pen, 22 May 2006 @ 9:42pm

      Re:

      umm.. and please let us know how that works out....

      get real dude...... for any accountability to be enforceable it must be available in the spotlight.

      Of course i stand for all of our government and corporate special interests to be held accountable for their misdeeds


  • charlie potatoes, 23 May 2006 @ 12:01am

    funny guy

    um, hey poison....i take it you're not from around here. i was puttin' the shuck on ya, as we say in texas. i don't recommend you try that. it comes under the heading of.."damn that was cool. i wish i'd had the nerve to say that to them.'


  • mthorn, 23 May 2006 @ 6:02am

    Open source listens

    That's one of the reasons why open source works. Not only do you have the source to find flaws, the maintainers of the code are highly receptive to bugs and flaws. That's why open source is more secure, even if it has flaws, because it will be promptly fixed by dozens of people who care about the software.


  • William C Bonner, 23 May 2006 @ 11:31am

    The King is not wearing any clothes.

    As long as no one points it out, then it hasn't happened.
