Bugtraq mailing list archives

Re: More info for E*TRADE users


From: Christian <christian () dijkstra murdoch edu au>
Date: Mon, 25 Sep 2000 10:29:29 +0800

On Fri, Sep 22, 2000 at 01:42:18PM -0700, Jeffrey W. Baker wrote:
I have been rightly criticized by private email that my earlier User Alert
regarding E*TRADE did not provide enough information about how the user
can keep on using E*TRADE without being subject to this attack.  Here are
my extended recommendations:
1) Never use the six-month login feature of the E*TRADE site.
2) Always close and restart your browser before and after using E*TRADE.
3) Never visit any other web site while you are using E*TRADE.  This
includes E*TRADE's own web mail application and their message boards.
4) Search for and remove any cookies from *.etrade.com after using
E*TRADE.  Even if you explicitly tell E*TRADE not to set permanent
cookies, it will still sometimes set them for six months.  Do this step
after every time you exit the browser after using E*TRADE.

I think most people would appreciate that you're trying to do the right
thing in terms of both protecting e-trade customers and also giving the
company a second chance but I wonder whether this half-full-disclosure
approach will really have the desired effect.  Consider that the
information you've given above is *probably* enough for people who would
like to find out the specific vulnerabilities with the e-trade system to
go away and do that.  (If you found it *without* the extra help, why
shouldn't other people now?)  Given that the fact the specifics of the
vulnerability are "out" may not become widely known then the situation
could well end up being worse than if you'd revealed everything from the
beginning.  Furthermore, if it happened that you had missed additional
ways the vulnerability might be exploited (for example, in combination
with one or more other vulnerabilities) then it could turn out that your
advice for minimising exposure will not protect e-trade customers as
much as you thought.  By not revealing all information and allowing open
discussion the situation may even be worse than if you'd said nothing at
all.

I'm inclined to think that if a company does not fix a problem and
does not have a very good reason for leaving their customers exposed
(and, to me, "corporate inertia" doesn't sound like a good reason!) then
full-disclosure and the resulting public pressure seems the best course
of action.  However, since I don't know the specifics of the
vulnerabilities or the company's reason for not moving swiftly to fix
them, I am obviously not in a position to say one way or the other.
Only you can decide that.

Regards,

Christian.