Be Careful

Jason jkenner@mindspring.com
Fri, 02 Feb 2001 18:00:12 +0000


CIE-Keith wrote:
> 
> There must be more to the story.  This is not your normal "break in".
> I have happened upon data a couple of times without trying and I did
> not commit a criminal act.  They do have a data security problem.
> 
> Maybe the angle the FBI is using is the way he proposed not to get
> the media involved which could be viewed as a bribe.......  Definitely
> an overreaction if the information we received is accurate and
> complete.

If he stated outright conditions, such as pay up or I go full
disclosure, and if you do pay up, no one will ever hear about it,
that, at least to me, is a pretty clearly stated criminal intent.

Why?

Because the principles of full disclosure are FULL DISCLOSURE. It
doesn't work unless it's full disclosure - and a promise to be silent
after the bug was fixed shortchanges the security community.
Furthermore, there is no security reason to not give full disclosure
after the bug is fixed... if he had any intention of telling anyone
other than their IT department, he should have done so regardless of
payment. The *only* consideration ethically allowable is giving time
for the problem to be corrected. It is unethical to aid in covering
the problem up, and in fact would result in stockholders having a
false sense of security about the company itself, had the problem been
covered up.

-- 
jkenner @ mindspring . com__
I Support Linux:           _> _  _ |_  _  _     _|
Working Together To       <__(_||_)| )| `(_|(_)(_|
To Build A Better Future.       |                   <s>