Be Careful - yeah, pretty off-topic and I apologise.

foodog@qwest.net
Sat, 03 Feb 2001 09:50:50 -0700


I wouldn't be flogging this if there was higher list volume
(or I had a life) but, WTF, there's not (and I don't).

Jason wrote:
> ...
> If he stated outright conditions, such as pay up or I go full
> disclosure, and if you do pay up, no one will ever hear about it,
> that, at least to me, is a pretty clearly stated criminal intent.

Agreed.  If that were the case he probably would have been
charged with extortion.  According to the last info I read
(AZ Republic article) he hasn't been charged with any
crime.  My take is that he's stunned and pissed that they
didn't shower him with praise and money.

I think he's guilty of being naive and amateurish.  Kidz
read stories from the days of yore, when tech companies
hired people who hacked into them.  Unfortunately, the net
these days is chock full of soulless banker-type mofos who
are there 'cause that's where the easy, low-overhead bucks
are, IMHO, of course.

A fairly safe move would have been to tell them about the
problem as a concerned customer.  He could have added: "I'm
looking for a job, could your IT staff use someone to review
security issues?"  If hell coincidentally froze over at
that instant they might have asked him to submit a resume.

The _safe_ move is to call as a howling, clueless luser and
yell "How come I see somebody else's stuff instead of mine on
the computer thing?  Can they see what I put in? Huh? I'm
gonna call the Newschannel Computer Expert Guy!"  He might
have at least got a free hotel stay out of it :-)

I've been following the PEN-TEST list at securityfocus.com.
It has a good number of participants who do penetration
testing for a living.  The consensus is that if you point
out security holes and offer to fix them for a fee you'll
find yourself under investigation.  You don't sniff at
anything until you've got a "get out of jail free card" that
your lawyers have blessed, or you're like a kid with a bag
full of rocks offering to sell homeowners window insurance.

> Because the principles of full disclosure are FULL DISCLOSURE. It
> doesn't work unless it's full disclosure - and a promise to be silent
> after the bug was fixed shortchanges the security community.

It's no crime to advocate security by obscurity, it's just
lame.  There are plenty of people besides MS who are
_really_ unhappy with full disclosure.  Marcus Ranum of NFR
is one particularly curious example; it got him to where he
is, and now he'd like to slam the door behind him.
Charming.

> Furthermore, there is no security reason to not give full disclosure
> after the bug is fixed... if he had any intention of telling anyone
> other than their IT department, he should have done so regardless of
> payment.

I'd argue that there's no value to security folks in
reporting that you'd found yet another site with clueless
web coders, but they've fixed it now.  It's not like he
discovered a buffer overflow in the http daemon.

> The *only* consideration ethically allowable is giving time
> for the problem to be corrected. It is unethical to aid in covering
> the problem up, and in fact would result in stockholders having a
> false sense of security about the company itself, had the problem been
> covered up.

*Bzzt*, I disagree again :-) If the internal IT staff found
and corrected the problem, it's not unethical.  It could be,
if they didn't make a concerted effort to determine if
someone's data may have been compromised and contact (at
least) those customers.  For example, if the logs show the same
IP address making requests using dozens of ID tokens, only a
few of which worked, that'd raise a flag.

Even _I'm_ sick of this now, L8r
Steve
-- 
Never attribute to malice that which can adequately be
explained by stupidity
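The log check Steve describes above (one client IP cycling through dozens of ID tokens with only a handful succeeding) as a worked example; this is added code, not part of the original post, and the log format, the `id=` query parameter, the IP addresses and the thresholds are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access-log entries (not from the original post): one
# client tries a dozen different customer ID tokens and only two hit real
# records; a normal customer fetches its own record a few times.
_ATTEMPTS = [("10.0.0.7", f"A10{n:02d}", 200 if n in (3, 9) else 404) for n in range(12)]
_NORMAL = [("192.0.2.5", "A1003", 200)] * 3
SAMPLE_LOG = "\n".join(
    f'{ip} - - [03/Feb/2001:09:12:{i:02d} -0700] "GET /account?id={tok} HTTP/1.0" {st} 512'
    for i, (ip, tok, st) in enumerate(_ATTEMPTS + _NORMAL)
)

# Common Log Format fields we need: client IP, request path, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Hypothetical ID token carried in the query string.
TOKEN_RE = re.compile(r'[?&]id=([A-Za-z0-9]+)')


def token_stats(log_text):
    """Per client IP: the set of distinct ID tokens tried, hits (HTTP 200) and total requests."""
    stats = defaultdict(lambda: {"tokens": set(), "hits": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.search(m.group("path"))
        if not t:
            continue
        s = stats[m.group("ip")]
        s["tokens"].add(t.group(1))
        s["requests"] += 1
        if m.group("status") == "200":
            s["hits"] += 1
    return stats


def flag_token_guessing(log_text, min_tokens=10, max_hit_rate=0.5):
    """Return {ip: (distinct_tokens, hits, requests)} for clients that tried many
    distinct tokens with a low success rate, the pattern the post describes."""
    flagged = {}
    for ip, s in token_stats(log_text).items():
        n = len(s["tokens"])
        if n >= min_tokens and s["hits"] / s["requests"] <= max_hit_rate:
            flagged[ip] = (n, s["hits"], s["requests"])
    return flagged


if __name__ == "__main__":
    for ip, (n, hits, reqs) in flag_token_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct ID tokens, {hits}/{reqs} requests succeeded")
```

The flagged IPs are the ones whose owners of the few successful tokens would need to be contacted; a customer repeatedly fetching its own record is never flagged.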