Be Careful

Alan Dayley adayley@adtron.com
Thu, 01 Feb 2001 10:15:02 -0700


Better solution if you have access to a lawyer:

1 - Discover and document security hole.
2 - Hire lawyer.
3 - Your lawyer contacts vendor threatening lawsuit because your personal
information is at risk.  Also hold them liable for any spurious expenses
that can be blamed on unauthorized use of your personal information.
4 - Collect settlement from vendor and let them fix their own problem.

Attack lawyers can work both ways!

Alan

At 08:41 AM 2/1/01 -0700, you wrote:
>  It could just be the shape of things to come if the DMCA
>people attain their dream.  They're the ones who want to
>make reverse engineering, security analysis and public
>software reviews a crime.  Perhaps the memory of Kevin
>Mitnick (locked up for years w/o trial) is too faded and the
>FBI needs a new "Don't Even Smell Like a Hacker or This WILL
>Happen to You!" poster-child.
>
>  This is the exact crap that spawned the full disclosure
>security movement:
>
>0 - Honest person discovers a problem.
>
>1 - Honest person contacts vendor about the problem.  (Opt.
>suggests fix or asks for a job)
>
>2 - Vendor sends attack lawyers (or FBI) who seize
>computers/property and threaten to destroy your life if you
>reveal the "secret".
>
>2a - vendor ignores vulnerability; it's been taken care of.
>2b - someone else finds and exploits hole, prosecute
>original victim(0) since they obviously "told".
>
>3 - Next problem discovered, skip vendor and go public,
>complete with exploit code so no one can claim "that
>vulnerability is completely hypothetical".  (If you're not
>equipped w/ buff lawyers, disclose it pseudonymously)
>
>3a - Vendor cries "No Fair! You've endangered our innocent
>clients!"; many laugh 'til they cramp up and can't breathe.
>
>  The next time someone finds a hole in that site's security
>they sure as hell won't try to be helpful.  They're more
>likely to post it to /. as Anonymous Coward and let the Wall
>Street Journal report it.  *Yawn*.
>
>Steve
>Everything old is new again...

/------------------------------------------
|Alan Dayley             www.adtron.com
|Software Engineer       602-735-0300 x331
|ADayley@adtron.com
|
|Adtron Corporation
|3710 E. University Drive, Suite 5
|Phoenix, AZ  85034
\-------------------------------------------