This is something that I have run into many times in the past on both
the "wired side" and on the unwired side of the 'Net - - from the inside
and from the outside.
From a corporate stand point receiving unsolicited security information
from someone - the person reporting the security flaw is ALWAYS suspect
and is handled very suspiciously. Whether it be an internal
"unauthorized" person or an external person. Actually the external
person reporting the flaw may have a bit of a better time of reporting
the security flaw given a few factors:
1. Reporting the security flaw being a worried user of the system and
FULL cooperation with examiners = probably OK - but why/how did you
find it?
2. Reporting the security flaw anonymously = suspect - - logs are pulled
3. Reporting the security flaw and offering to assist for a fee =
suspect - logs are pulled and notification of authorities is on the table
4. Reporting the security flaw and making even simple demands =
extortion - all records are pulled and authorities are notified
5. Lot's more - - insert your own here
When reporting issues to the general public that you have obtained
specific info on (as in this case) there are various reactions but in
general they just don't want to know. Some of the reactions I have
gotten are as follows:
1. How did you do that?
2. Who / what are you?
3. Prove it - - If proven they may or may not call the cops or get
really agitated
4. Well duh! I'm in a public space
5. They just don't want to talk at all
I am sure that this is tremendously abridged but it's a bit of a start.
Until the general public actually gets a clue reporting anything to them
is a waste of time.
Toby
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
