Bugtraq mailing list archives
Re: Advisory: E*TRADE security problems in full
From: reb () OPENRECORDS ORG
Date: Wed, 27 Sep 2000 04:43:16 -0500
Gunther,

On Tue, 26 Sep 2000, Gunther Birznieks wrote:

> I think this brings up an interesting point about disclosure which is close to home. That is, what is the best way to notify users?

<snip>

I believe that it is the vendor's duty to make the effort of notifying their users to the best of the vendor's ability. This can be done by sending mail to registered users, popups in a browser if available, etc. The question is why would a financial institution want to scream to the entire world: YES WE'RE INSECURE, knowing that a news person would pick the story up and run with it? Vendors are going to try and save face as much as possible, especially the major players. A business such as E*Trade obtaining any publicity as being insecure would drive the non-technical majority away in masses; if not current customers, potential customers would be affected.

> I don't know what to suggest. Although perhaps it would be useful if vendors would voluntarily have their users subscribe to a special filtered version of BUGTRAQ based on the vendor name. So, for example, Schwab would link to a special Bugtraq security mailing list that they encourage their users to subscribe to in case Schwab ever had a security hole. If there are no security holes, the user would get no emails, ever. But if one ever did pop up, it wouldn't be Schwab telling the users, it would be BUGTRAQ. Vendors of security sensitive web services could use this as a selling point of their service: that they give a highly trusted 3rd party the capability of letting them know about any problems so they cannot ever hide a problem. I know if BUGTRAQ offered such a service, I would link to them and encourage our users to use them. As it is, the traffic on a real BUGTRAQ mailing list is too much to expect the common user who has minimal computer skills to read and filter BUGTRAQ on their own.

What you are proposing here isn't very viable due to several factors. Who would be responsible for such announcements? Who could post to the mailing list? Are you suggesting a vuln-dev area for the techies and then, if the security flaw is verified and widespread, forwarding the flaw in question to the list? How would that be different from what we have now? Most companies use 'updates' to cover fixes/security concerns; your normal everyday user would probably not know that their account before the update could be trivially compromised.

In conclusion, the security community needs to keep full disclosure putting the pressure on vendors to notify users and have their products as secure as possible. When vendors cut corners in the security arena, they hurt everyone.

Reb

<snip rest of message>
Current thread:
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable James Mancini (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Advisory: E*TRADE security problems in full Jeffrey W. Baker (Sep 25)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: Advisory: E*TRADE security problems in full Gunther Birznieks (Sep 27)
- Re: Advisory: E*TRADE security problems in full reb (Sep 27)
- Re: Advisory: E*TRADE security problems in full Signal 11 (Sep 28)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- <Possible follow-ups>
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Bridgette Julie Landers (Sep 26)