Bugtraq mailing list archives
Re: Advisory: E*TRADE security problems in full
From: Tim Hollebeek <thollebeek () CIGITAL COM>
Date: Wed, 27 Sep 2000 12:59:38 -0400
That is, what is the best way to notify users? What percentage of users read BUGTRAQ versus security aficionados and hackers? The problem of disclosure on a list like this is that the majority of real users will NOT be reading the messages here and will never realistically find out about this until they read it on the front page of the New York Times or E*TRADE actually bothers to email its own customers.
A reasonable answer is to modify consumer protection laws so that companies are liable for damage from security flaws when and if they know about them unless they make reasonable efforts to fix them, contact users, and offer workarounds. E*TRADE would then have the choice of ignoring the issue and facing the financial consequences (if any; some security issues really ARE fairly minor), or they can instead take whatever steps they feel they need to in order to defend themselves if they get sued.

Cem Kaner, among others, has been promoting the idea of using liability as a carrot to promote disclosure. Unfortunately, with UCITA, the current trend is in the other direction. Among other things, UCITA allows license agreements to contain disclosure limitations. See http://www.badsoftware.com.

Tim Hollebeek
Cigital, Inc. (formerly Reliable Software Technologies)