Thursday, April 27, 2006

Here's Why They Can't Catch The BlackHats

Because they're catching all the whites and greys instead.

That was the smart-alecky side of me speaking, but this truly is an issue that has to be decided upon. I have absolutely heard of multiple site owners being grateful someone found an issue and notified them before a really bad person used the issue.

I think the big question here is the actual disclosure process. I think everyone can agree that current generally accepted disclosure practice is to notify the software vendor first and give them a reasonable amount of time to respond.

Therefore my question here would be: did he notify USC first, or SecurityFocus first?

Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue--which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records--was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable Web application.
