Bugtraq mailing list archives
Re: Advisory: E*TRADE security problems in full
From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Mon, 25 Sep 2000 21:18:35 -0700
"Jeffrey W. Baker" wrote:
> Will I continue to release this style of Alert? I think so. The ratio of encouragement to flames was about 5 to 1. I don't think it is smart to release exploit code against a financial institution. I regard that as giving away the combination to the vault at the bank. I think my User Alert is more like handing out flyers to the bank customers warning them that the bank doesn't bother locking the vault at night.
I think that the idea of slow disclosure is workable. I think it does give the end users a little bit of a head start on the black hats. But spreading the disclosure out over weeks or months might be too big of a delay. As was demonstrated here, security problems are often easy to find once you know where to look. A week after an initial advisory on a problem like this, and anybody who really wants to know the problem is likely to. I think that your initial advisory should have broadcast intent to publish on a commensurate timeline. Seriously. Once the blackhats have it figured, the game is up. The end user accounts were never _really_ secure, and during the week following such an advisory they become less secure. This is the price of any sort of disclosure, therefore the price of security. I think it is safe to say that the only way to make systems secure is for the managers who run them to be responsible. Public disclosure serves to make them responsible.