Bugtraq mailing list archives

Re: Advisory: E*TRADE security problems in full


From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Mon, 25 Sep 2000 21:18:35 -0700

"Jeffrey W. Baker" wrote:

> Will I continue to release this style of Alert?  I think so.  The ratio of
> encouragement to flames was about 5 to 1.  I don't think it is smart to
> release exploit code against a financial institution.  I regard that as
> giving away the combination to the vault at the bank.  I think my User
> Alert is more like handing out flyers to the bank customers warning them
> that the bank doesn't bother locking the vault at night.

I think that the idea of slow disclosure is workable. I think it does
give the end users a little bit of a head start on the black hats. But
spreading the disclosure out over weeks or months might be too big of a
delay.

As was demonstrated here, security problems are often easy to find once
you know where to look.  A week after an initial advisory on a problem
like this, and anybody who really wants to know the problem is likely
to.  I think that your initial advisory should have broadcast intent to
publish on a commensurate timeline.  Seriously.  Once the blackhats have
it figured, the game is up.

The end user accounts were never _really_ secure, and during the week
following such an advisory they become less secure.  This is the price
of any sort of disclosure, therefore the price of security. I think it
is safe to say that the only way to make systems secure is for the
managers who run them to be responsible. Public disclosure serves to
make them responsible.
