Bugtraq mailing list archives

Re: Advisory: E*TRADE security problems in full


From: Tim Hollebeek <thollebeek () CIGITAL COM>
Date: Wed, 27 Sep 2000 12:59:38 -0400

That is, what is the best way to notify users? What percentage of users
read BUGTRAQ versus security aficionados and hackers? The problem of
disclosure on a list like this is that the majority of real
users will NOT be reading the messages here and will never realistically
find out about this until they read it on the front page of the New York
Times or E*TRADE actually bothers to email its own customers.

A reasonable answer is to modify consumer protection laws so that companies
are liable for damage from security flaws when and if they know about them
unless they make reasonable efforts to fix them, contact users, and offer
workarounds.

E*TRADE would then have the choice of ignoring the issue and facing the
financial consequences (if any; some security issues really ARE fairly
minor), or they can instead take whatever steps they feel they need to in
order to defend themselves if they get sued.

Cem Kaner, among others, has been promoting the idea of using liability as
a carrot to promote disclosure.  Unfortunately, with UCITA, the current
trend is in the other direction.  Among other things, UCITA allows license
agreements to contain disclosure limitations.  See http://www.badsoftware.com.

Tim Hollebeek
Cigital, Inc.
(formerly Reliable Software Technologies)
