Congrats: Now Security Researchers Are Afraid To Report Vulnerabilities
from the chilling-effects dept
Now that we keep hearing stories about security researchers in the US and elsewhere taking the blame for simply pointing out security holes, it was only a matter of time until security researchers started making it clear that the risk of pointing out security flaws just isn't worth it any more. Slashdot points to an article basically telling people in the security industry it's just not worth it. That's what you get when you repeatedly blame the messenger. Of course, the end result is that vulnerabilities stay open and those with malicious intent keep on causing problems.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Duh
[ link to this | view in chronology ]
learn something about law and police
I would recomend anyone involved get a pre-paid legal account to make this affordable. But anyone who knows will tell you that a police officer telling a lie to get information is simply being good. They are NOT compelled to be honest with you. And charges are only a problem when you are dealing with someone from the DAs office.
[ link to this | view in chronology ]
Re: learn something about law and police
- SRNissen
FABRICATE DIEM, PVNC
[ link to this | view in chronology ]
Re: Re: learn something about law and police
The fugitives were Canadian citizens. The United States sought their extradition on charges of fraud and conspiracy to commit fraud. While sentencing a co-accused, the assigned trial judge in the United States stated that if the fugitives did not cooperate and come to the United States voluntarily, he would impose the absolute maximum jail sentence that the law permitted. Furthermore, the prosecutor assigned to the case appeared on a Canadian television program and threatened that those fugitives who contested their extradition would serve longer sentences under much more stringent conditions, and would "be the boyfriend of a very bad man". The extradition judge stayed the proceedings.
Really nice - a prosecutor threatening accused persons on television with anal rape to get them to surrender.
[ link to this | view in chronology ]
lol
Anyway, it's unfortunate that this has got to this point, but let's face it, it was only a matter of time. It's true the messenger takes the blame, but it's really their own fault.
When you announce to the world that you found a vulnerability, I'd say your motive was a little more than being the happy helper.
[ link to this | view in chronology ]
Been there, done that, didn't get the T-shirt
FWIW, I've had to deal with a similar situation a couple of times, where I, my employer, or my client was a customer of a vendor, a flaw was found, and duly reported to the vendor... who then sat and did nothing.
For weeks... once it was months.
In both cases, the only thing that drove the vendor to fix the flaw in their product was to make it public. In the first case, I sent a trouble report, they responded with a "Oh yeah, not only is the W feature you mentioned vulnerable, the same flaw also affects U and V."; Last I heard from them for six weeks.
Published a proof-of-concept exploit to a well-known security discussion, and one week later a patch was available.
Second time around, I sent email. I called on the phone. I sent a fax. I sent a registered letter. Nothing. I posted everything except the actual IP addresses and passwords to the same forum as mentioned earlier. Still no response.
The only action which got the supplier to fix their flawed application was the publication of the complete details of the flaw, including passwords.
[ link to this | view in chronology ]
All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority.
[ link to this | view in chronology ]
Re:
All I'm saying is that technically speaking, squelching these guys is in their best interest. Priority one is to make the buck, everything past that is nice, but falls by the way side in preference to the fist priority
Well umm.. if they don't squelch the bugs in the first place, which should be company policy, then there is no reason to have a good worker(maybe?) fired, and no tons of negative PR for the company. Can't make any money if people don't trust your product, yes?
[ link to this | view in chronology ]
Lol..
-sigh- They should really hire just a random person off the streets to figure this shit out for them.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
get real dude...... for any accounability to be enforcable it must be available in the spotlight.
Of course i stand for all of our government and corporate special interests to be held accountable for their misdeeds
[ link to this | view in chronology ]
funny guy
[ link to this | view in chronology ]
Open source listens
[ link to this | view in chronology ]
The King is not wearing any clothes.
[ link to this | view in chronology ]