UK ISP threatens security researcher

Stasiniewicz, Adam stasinia at msoe.edu
Fri Apr 20 03:32:02 UTC 2007


I guess my experience in this area differs.  Of the times I reported
security holes to vendors/site operators they were grateful for the tip.  I
used my real name (which apparently is somewhat unique) and real contact
information in case they had questions.  I always made sure to contact the
most appropriate person I could get contact info for (i.e. the security team
if possible; avoiding the general information address).  Though I guess the
big difference with me is I did not post detailed information about those
problems on the Internet for anyone to see.  

Frankly, posting a major flaw in the setup of thousands of routers before
the ISP has had a chance to correct the problem is doing more harm than
good.  I am not surprised at the ISP's response.  The person in question here
should have first notified the ISP and unless the ISP was unwilling to fix
the problem, only then should he have considered releasing the information
publicly.

My $0.02,
Adam Stasiniewicz

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Simon Lyall
Sent: Thursday, April 19, 2007 8:26 PM
To: nanog at merit.edu
Subject: Re: UK ISP threatens security researcher


On Thu, 19 Apr 2007, Gadi Evron wrote:
> Looking at the lack of security response and seriousness from this ISP, I
> personally, in hindsight (although it was impossible to see back
> then) would not waste time with reporting issues to them, now.

These days there is almost never any reason to report a security issue
unless you are a professional security researcher who is looking for
publicity/work. [1]

If you are a random person who comes across a security hole in a website
or commercial product then the best thing to do is tell nobody, refrain
from any further investigation and if possible remove all evidence you
ever did anything.

There is almost zero potential upside of reporting these holes vs the very
real potential downside that the company might decide to go after you with
their legal team or the police.

Anonymous notifications to 3rd parties like security forums or
journalists might be an option if you really feel it is important. However
in the scheme of things giving $50 to your favorite charity is likely to
be safer and do the world more good.

[1] - An exception might be for open source projects or as part of your
 normal job with your company's products. Even then you should only follow
 normal channels and always be careful.

-- 
Simon J. Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.


