Be Careful

foodog@qwest.net
Thu, 01 Feb 2001 08:41:20 -0700


  It could just be the shape of things to come if the DMCA
people attain their dream.  They're the ones who want to
make reverse engineering, security analysis and public
software reviews a crime.  Perhaps the memory of Kevin
Mitnick (locked up for years w/o trial) is too faded and the
FBI needs a new "Don't Even Smell Like a Hacker or This WILL
Happen to You!" poster-child.

  This is the exact crap that spawned the full disclosure
security movement:

0 - Honest person discovers a problem.

1 - Honest person contacts vendor about the problem.  (Opt.
suggests fix or asks for a job)

2 - Vendor sends attack lawyers (or FBI) who seize
computers/property and threaten to destroy your life if you
reveal the "secret".

2a - vendor ignores vulnerability; it's been taken care of.
2b - someone else finds and exploits hole, prosecute
original victim(0) since they obviously "told".

3 - Next problem discovered, skip vendor and go public,
complete with exploit code so no one can claim "that
vulnerability is completely hypothetical".  (If you're not
equipped w/ buff lawyers, disclose it pseudonymously)

3a - Vendor cries "No Fair! You've endangered our innocent
clients!"; many laugh 'til they cramp up and can't breathe.

  The next time someone finds a hole in that site's security
they sure as hell won't try to be helpful.  They're more
likely to post it to /. as Anonymous Coward and let the Wall
Street Journal report it.  *Yawn*.

Steve
Everything old is new again...

CIE-Keith wrote:
> 
> There must be more to the story.  This is not your normal "break in".
> I have happened upon data a couple of times without trying and I did
> not commit a criminal act.  They do have a data security problem.
> 
> Maybe the angle the FBI is using is the way he proposed not to get
> the media involved which could be viewed as a bribe.......  Definitely
> an overreaction if the information we received is accurate and
> complete.
> 
> Keith

-- 
Carpe cerevisiae