
[ISN] Security experts hit out at "unethical" bug finder

Subject: [ISN] Security experts hit out at "unethical" bug finder
Date: Mon, 14 Mar 2005 03:43:43 -0600 (CST)
http://software.silicon.com/security/0,39024655,39128621,00.htm

By Will Sturgeon 
silicon.com
March 11, 2005 

Security experts have hit out at US firm Immunity Inc, which provides
paid-up members with vulnerability information under non-disclosure
agreements (NDA), which it subsequently keeps from vendors and the
world at large.

A silicon.com article last week revealed Immunity and its founder Dave
Aitel have been causing a stir in the security world in recent months
with a business model branded "unethical" but entirely above-board.

The greatest source of growing concern appears to focus on the NDA and
the potential for anybody to sign up and pay the price for
notification of vulnerabilities.

One rival bug finder, who operates along the more traditional lines of
informing the affected vendor of the flaw in its product and working
with them to patch it before releasing any details of the
vulnerability, has hit out at Immunity Inc.

Drew Copley, senior research engineer at eEye Digital Security, told
silicon.com the situation of signing members to a non-disclosure
agreement in return for information on security vulnerabilities is
"extremely unethical".

"What are these people missing here?" asked Copley. "Are they crazy?
What prevents any organised criminal group or criminal from getting on
there and signing a NDA?"

"We treat security vulnerabilities that are not fixed yet by the
vendor as state secrets. Selling them to anyone who would pose as a
company or sign a NDA is highly unethical."

Copley said even "total disclosure", whereby everybody - vendors,
researchers and the general public alike - is given the information at
the same time would be preferable.

eEye was last week credited for working with Computer Associates to
fix flaws in CA's licensing software.

Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge
cannot be effectively controlled. NDAs in the IT community as a whole
are not taken seriously and there do not appear to be adequate
controls to ensure that the information does not leak to those who
have an interest in creating a dangerous exploit."

"The business model deliberately creates a culture of the security
haves, and the security have-nots. It does not improve security
overall," he added.

Perry also questioned whether Aitel's customers are getting value for
money. Because vendors are kept out of the loop, flaws go un-patched
while Immunity's customers are given a workaround.

"You're given a workaround by Immunity, but you don't have a fix - a
patch from the vendor that permanently addresses the problem. The door
is closed, but it's not locked shut."
