[Owasp-rochester-announce] Question: Is this extortion or security consulting?

David Stevenson dsteven8 at rochester.rr.com
Sun Oct 4 22:26:01 EDT 2009


Question: What if the security flaw involved the potential exposure of
consumer identity information such as credit card numbers, social security
numbers, passwords, security questions such as mother's maiden name, full
name and address? Does this person have a moral obligation to current and
potentially future consumers to warn them of the problem? Especially with
the prevalence of identity theft?

What if the security flaw was due to basic security flaws such as SQL
Injection, which could be easily prevented by use of parameterized queries
and/or stored procedures? Whether the responsibility accrues to company
management (get the project done, we don't care about security, and no we
don't have time to address security issues), or accrues to software
developers is debatable. But if the company does not do due diligence, do
current and potentially future shareholders need to be informed of the
risks?

Is it a moral responsibility to protect those who could be injured by such
security flaws?

Doesn't this country still protect whistle-blowers?

And lastly, shouldn't those who labor in the security field get paid for
their work? There are those who believe that they shouldn't have to pay fair
market labor rates for Information Technology expertise.

David Stevenson


-----Original Message-----
From: Charles Profitt [mailto:indigo196 at rochester.rr.com] 
Sent: Sunday, October 04, 2009 9:50 PM
To: Andrea Cogliati
Cc: David Stevenson; owasp-rochester-announce at lists.owasp.org
Subject: Re: [Owasp-rochester-announce] Question: Is this extortion or
security consulting?

This is a tough one for me.

The revealing of the 'flaw' to the public (and crackers) could harm
people using that companies software. At the same time asking to be paid
for information is not a 'new' thing.

So the issue really is not that it is wrong to be paid for the
information... but the release of 'dangerous' information to potential
bad guys. Then again the security researcher did not 'make the flaw' the
original software company did.

What would people have thought if there had been a worker who knew about
a flaw in an automobile that caused it to explode but chose to not tell
anyone?

This is one of those grey areas, but 'demands' and 'threats' tend to be
viewed in a poor light.
 

On Sun, 2009-10-04 at 20:40 -0400, Andrea Cogliati wrote:
> It's definitely blackmailing. Like it or not, the only "currency"  
> received by security researchers for discovering vulnerabilities is  
> credit. I don't entirely agree with this practice, but this is how the  
> industry has been working for almost 10 years.
> 
> Andrea
> 
> On Oct 4, 2009, at 2:29 PM, David Stevenson wrote:
> 
> > I saw this in LinkedIn in the Question and Answer section. People  
> > are calling this payment extortion. Is that a correct view, or is  
> > the hacker protecting consumers from poor security provided by  
> > corporations? Unstated in this description is whether consumer  
> > identity information, such as credit card numbers and/or social  
> > security numbers, were at risk of disclosure. Also unstated is  
> > whether company assets, or revenue, were at risk due to the security  
> > flaw. Were the security risks easily preventable, such as security  
> > risks caused by SQL Injection attacks?
> >
> > How to recognize on the financial statements a payment to a hacker,  
> > that stops him from posting a security flaw on the internet?
> > A payment of 100,000 was made to keep the flaw of the program from  
> > being public, how would this payment be recognized on the financial  
> > statements?
> > David Stevenson
> > _______________________________________________
> > Owasp-rochester-announce mailing list
> > Owasp-rochester-announce at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-rochester-announce
> 
> _______________________________________________
> Owasp-rochester-announce mailing list
> Owasp-rochester-announce at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-rochester-announce



More information about the Owasp-rochester-announce mailing list