This Is Why You Don't Punish The Messenger On Security Vulnerabilities

from the solve-the-vulnerability-at-least dept

Over the past few years, we've pointed to case after case after case after case after case after case of those who pointed out security vulnerabilities being attacked or blamed for the vulnerability. It's true that sometimes the "researchers" go too far -- but the important point is that security vulnerabilities get fixed. Instead, it's much easier to simply blame the messenger. Now, with all of the talk about hackers breaking into and taking data from Ohio University computers, Jon has submitted a story reminding everyone how it was just a few years ago that Ohio University was busy blaming the messenger for pointing out how weak the school's computer security was. Apparently, in the rush to blame and bury the guy, no one actually thought about fixing and protecting their computer system.


Reader Comments



  1. Brendan, 22 Jun 2006 @ 5:49pm

    Why even try?

    Sometime last year I contacted a local school that hosted a system that contained a vulnerability for SQL injection. This was pretty major seeing as the system contained records for staff records. I contacted them to tell them about the problem and they responded with insults and claims that it in fact was not a vulnerability.
    They still haven't fixed the issue to this day. I guess it's just a matter of time until someone else finds this with less than honorable intentions in mind.
    Point being, why even try to help? Too much trouble involved when it obviously will more than likely be met with negative reactions.


  2. bhagiam@unni.com, 22 Jun 2006 @ 6:32pm

    keralafood

    leafnakki


  3. Anonymous Bum, 22 Jun 2006 @ 6:42pm

    Your Best Teacher is....

    supposed to be your last mistake, not a bunch of lazy fools with tenure.


  4. Anonymous Coward, 22 Jun 2006 @ 6:42pm

    You go get 'em!


  5. |333173|3|_||3, 22 Jun 2006 @ 6:50pm

    Serves them right

    when someone hacks in and starts trashing the network.


  6. Rick, 22 Jun 2006 @ 7:27pm

    Re: Why even try?

    Send the exploited data and the method for retrieving it to the local newspaper, or really make a stink and go for some international media. The embarrassment alone should force some action...

    They were already warned.


  7. Ronde, 22 Jun 2006 @ 7:44pm

    Re: Re: Why even try?

    They deserve everything that they get.


  8. Griz, 22 Jun 2006 @ 10:04pm

    No Good Deed Shall Go Unpunished

    As an IT consultant, I make it a point to never make even the most cursory of security checks unless I'm paid and indemnified in writing, period. If I suspect or discover a vulnerability outside a clearly defined contractual relationship, just call me Sgt. Schultz, because I saw naaaaathing!

    If I'm feeling exceptionally charitable, I'll refer 'em to ISO 17799 or a similar "best standards" document... But I usually don't broach the issue of security at all. It seems the typical client thinks that hackers are beings out of the Lovecraftian Cthulhu Mythos, wreaking havoc upon those that merely invoke their names.

    In short, DNAWC (Do Not Associate With Catastrophe)


  9. Anonymous Coward, 22 Jun 2006 @ 10:19pm

    I like what #8 said and it's true. What the heck is wrong with our world?!?! It's like getting sued because you gave CPR to a drowning person and you broke a rib or something. Or the criminal suing you for your dog biting them after they broke into your house... Somewhere a few years back we really got off track.


  10. AnarCh0s, 22 Jun 2006 @ 10:31pm

    Re: No Good Deed Shall Go Unpunished

    Why not refer them to Microsoft as an id10t??


  11. SortaLikeJake, 23 Jun 2006 @ 2:15am

    HA

    That OU story was pretty hilarious. It's awesome that the guy is now laughing at his university's collective stupidity.

    I learned my lesson in h.s., getting into teachers' accounts and changing random grades (not mine), then showing administrators how easy it was to do it. All while sitting in an area next to the moronic net manager. Too bad the dean didn't appreciate my helpfulness. Suspension!
    I had half a mind to give everyone A's after that...


  12. We Told You So, 23 Jun 2006 @ 2:23am

    Typical

    It'll just take some time before things heat up for these IT nimrods in the Hallowed Halls. After enough "victims" pile up, we can all write our letters to them, with copies to their sources of revenue, asking them like Dr. Phil says during the commercials..."What the fuck were you thinkin'???"


  13. eb, 23 Jun 2006 @ 9:38am

    They're going to get hit where it hurts

    I read somewhere (maybe ZDNet?) that alumni were sending really nasty messages to the effect of "you *&%#@** you're never going to see any money from me again" in response to a breach where data on contributors was lost at one school. That's going to get them where it hurts most.
