Supreme Court Leaves Us Hanging On Crucial Patent Case

This Is Why You Don't Punish The Messenger On Security Vulnerabilities

from the solve-the-vulnerability-at-least dept

Thu, Jun 22nd 2006 4:51pm — Mike Masnick

Over the past few years, we've pointed to case after case after case after case after case after case of those who pointed out security vulnerabilities being attacked or blamed for the vulnerability. It's true that sometimes the "researchers" go too far -- but the important point is that security vulnerability get fixed. Instead, it's much easier to simply blame the messenger. Now, with all of the talk about hackers breaking into and taking data from Ohio University computers, Jon has submitted a story reminding everyone how it was just a few years ago that Ohio University was busy blaming the messenger for pointing out how weak the school's computer security was. Apparently, in the rush to blame and bury the guy, no one actually thought about fixing and protecting their computer system.

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Brendan, 22 Jun 2006 @ 5:49pm

Why even try?
Sometime last year I contacted a local school that hosted a system that contained a vulnerability for SQL injection. This was pretty major seeing as the system contained records for staff records. I contacted them to tell them about the problem and they responded with insults and claims that it in fact was not a vulnerability.
They still haven't fixed the issue to this day, I guess its just a matter of time untill someone else finds this with less than honorable intentions in mind.
Point being, why even try to help? Too much trouble involved when it obivously will be more than likley met with negative reactions.
[ link to this | view in chronology ]
- Rick, 22 Jun 2006 @ 7:27pm
  
  Re: Why even try?
  Send the exploited data and the method for retrieving it to the local newspaper, or really make a stink and go for some international media. The embarrasement alone should force some action...
  
  They were already warned.
  [ link to this | view in chronology ]
  - Ronde, 22 Jun 2006 @ 7:44pm
    
    Re: Re: Why even try?
    They deserve everything that they get.
    [ link to this | view in chronology ]
bhagiam@unni.com, 22 Jun 2006 @ 6:32pm

keralafood
leafnakki
[ link to this | view in chronology ]
Anonymous Bum, 22 Jun 2006 @ 6:42pm

Your Best Teacher is....
supposed to be you last mistake not a bunch of lazy fools with tenure.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jun 2006 @ 6:42pm

YOu gO gettem!
[ link to this | view in chronology ]
|333173|3|_||3, 22 Jun 2006 @ 6:50pm

Serves them right
when someone hacks in and starts trashing htie network.
[ link to this | view in chronology ]
Griz, 22 Jun 2006 @ 10:04pm

No Good Deed Shall Go Unpunished
As an IT consultant, I make it a point to never make even the most cursory of security checks unless I'm paid and indemnified in writing, period. If I suspect or discover a vulnerability outside a clearly defined contractual relationship, just call me Sgt. Schultz, because I saw naaaaathing!

If I'm feeling exceptionally charitable, I'll refer 'em to ISO 17799 or a similar "best standards" document... But I usually don't broach the issue of security at all. It seems the typical client thinks that hackers are beings out of the Lovecraftian Cthulhu Mythos, wreaking havoc upon those that merely invoke their names.

In short, DNAWC (Do Not Associate With Catastrophe)
[ link to this | view in chronology ]
- AnarCh0s, 22 Jun 2006 @ 10:31pm
  
  Re: No Good Deed Shall Go Unpunished
  Why not refer them to Microsoft as an id10t??
  [ link to this | view in chronology ]
Anonymous Coward, 22 Jun 2006 @ 10:19pm

I like what #8 said and its true. What the heck is wrong with our world?!?! Its like getting sued because you gave cpr to a drowning person and you break a rib or something. Or the criminal sueing you for your dog biting them after they broke into your house... Somewhere a few years back we really got off track.
[ link to this | view in chronology ]
SortaLikeJake, 23 Jun 2006 @ 2:15am

HA
That OU story was pretty hilarious. It's awesome that the guy is now laughing at his university's collective stupidity.

I learned my lesson in h.s., getting into teachers' accounts and changing random grades (not mine), then showing administrators how easy it was to do it. All while sitting in an area next to the moronic net manager. Too bad the dean didn't appreciate my helpfulness. Suspension!
I had half a mind to give everyone A's after that...
[ link to this | view in chronology ]
We Told You So, 23 Jun 2006 @ 2:23am

Typical
It'll just take some time before things heat up for these IT nimrods in the Hallowed Halls. After enough "victims" pile up, we can all write our letters to them, with copies to their sources of revenue, asking them like Dr. Phil says during the commercials..."What the fuck were you thinkin'???
[ link to this | view in chronology ]
eb, 23 Jun 2006 @ 9:38am

They're going to get hit where it hurts
I read somewhere (maybe ZDNet?) that alumni were sending really nasty messages to the effect of "you *&%#@** you're never going to see any money from me again" in response to a breach where data on contributors was lost at one school. That's going to get them where it hurts most.
[ link to this | view in chronology ]