funsec mailing list archives
Re: Speaking of ethics ...
From: <michael.blanchard () emc com>
Date: Fri, 5 Aug 2011 14:13:52 -0400
Interesting....

@virusbtn: Does the security industry need a voluntary code of ethics? http://bit.ly/rs6KzO

So let me paint a scenario: Company ABC has machines that are compromised with malware that is being controlled by, and is sending confidential information up to, the C&C boxes that McAfee refers to in Shady RAT. Let's say that ABC company got compromised in December last year. They are also a customer of McAfee. So, McAfee's been following this C&C network since 2009 and never told anyone until recently. This March McAfee blocks their clients from being able to connect to this C&C network, and I assume this is when they tell the 72 companies that they're Pwned as well.

So, Company ABC has been leaking confidential information up to the C&C for 3 months; potentially hundreds of millions of dollars' worth of intellectual property has been leaked until McAfee says something to them in March. Who is liable? Is this a lawsuit waiting to happen with McAfee being the defendant? If a security research firm knows of a compromise and doesn't immediately notify, wouldn't that make them liable for any damages? I'd say yes; if they don't notify the company within a reasonable amount of time, they should be held liable for any losses. This has been going on for over 2 years if not longer.... Why weren't these 72 companies notified right away about what they found?

Just my 2 cents worth for now :-)

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Friday, August 05, 2011 2:48 PM
To: funsec () linuxbox org
Subject: [funsec] Speaking of ethics ...

@virusbtn: Does the security industry need a voluntary code of ethics? http://bit.ly/rs6KzO

@SecurityHumor: First: Do no Pwn (or FUD).
http://twitter.com/#!/SecurityHumor/status/99454302174720000

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca    slade () victoria tc ca    rslade () computercrime org
There are no *printed* instructions, but I found a CD-ROM called
`How to Set Up Your Computer.'                  - Dan Piraro
victoria.tc.ca/techrev/rms.htm    http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Speaking of ethics ... Rob, grandpa of Ryan, Trevor, Devon & Hannah (Aug 05)
- Re: Speaking of ethics ... michael.blanchard (Aug 05)
- Re: Speaking of ethics ... The Security Community (Aug 05)
- Re: Speaking of ethics ... kbechtel (Aug 05)
- Re: Speaking of ethics ... michael.blanchard (Aug 05)