
| Subject: | Re: [Full-disclosure] Question about ethics when discovering a security fault in system |
|---|---|
| Date: | Thu, 27 Oct 2005 11:51:09 -0700 |
On Thursday 27 October 2005 11:28, Torbjörn Samuelsson wrote:
> Hi, I stumbled upon a security fault (discovered it by mistake) this Sunday in a perimeter security device. The day after, I contacted the manufacturer and informed them about it, and later that evening they acknowledged the problem and were able to reproduce it.
This sounds like a decent response time. Was it a "we looked into this and it seems you are correct" response that you received, or something closer to "yeah, we already know about that and don't really care"?
> My question is: what is good ethics for me to continue with this?
> What I want is a resolution, so the device we bought to provide us with remote access and security shall work securely, and that the company
So, you are also a customer? This gives you excellent grounds for asking how the company plans to correct this flaw. Since it seems their initial response was both prompt and favorable, it's likely that some sort of update will be made available. Your responsibility is to find a way to mitigate the current risk to your company until a fix is in place. This usually includes allowing some time for the company to produce such a fix. Going immediately public with the flaw is less than polite to the company, and will also jeopardize your own company. (I.e. people will now know not only about the flaw, but about someone who is vulnerable to it: you.)
> shall inform other owners of their products about the problem so they won't have the same security breach.
It is possible that the company may do this on their own. You don't
have a responsibility to their other customers, only a more generalized
responsibility to the community. Custom on this list is that the
vulnerability is revealed after a reasonable time. "Reasonable" is a
balance between allowing the vendor to produce a fix (so that when the
problem is announced, people aren't needlessly exposed) and alerting
the community to a problem (because it's likely someone else already
knows about the problem, and is exploiting it).
Jeremy
--
...would you work for a company that couldn't tell the difference in
quality of its employees' normal work product and the work product of
someone on drugs without performing a test?
-- socks
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/