Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: claris!netcom!ergo@ames.arc.nasa.gov (Isaac Rabinovitch)
Newsgroups: comp.dcom.telecom
Subject: Re: How Do You Tell Someone About a Security Hole?
Message-ID: <8344@accuvax.nwu.edu>
Date: 27 May 90 17:01:10 GMT
Sender: news@accuvax.nwu.edu
Organization: NetCom- The Bay Area's Public Access Unix System {408 249-0290}
Lines: 54
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 391, Message 7 of 12

kitty!larry@uunet.uu.net (Larry Lippman) writes:

>> I feel the need to let them know about the gaping (and I mean gaping)
>> computer and physical security holes they have, but I'm not sure about
>> the best way to approach it (or even if I should).

> I suspect your "need" is born of the guilt of trespass. In my
> travels I have found that most people who *volunteer* information
> about security flaws in a manner which is not part of their regular
> job responsibilities are usually trying to hide something and I tend
> to be suspicious of their motives.

I've been holding this message in my NN directory for over a week, so I
could summon up a semi-mature response. Here's a try.

Lippman is confusing ignorance with innocence and lack of accountability
with lack of responsibility. Our anonymous might well have been
"trespassing" (though Lippman ignores the legal responsibility of the
"offended" party in this sort of property rights issue). But what in
Watergate's Name has that got to do with anything? If somebody sees your
house being robbed, you expect them to do something about it, even if
that somebody is a peeping tom. Attacking our "snoop" instead of dealing
with the moral issues is an Ad Hominem argument, which is Latin for
"Stick to the Facts, dammit."

> Security issues are a *sensitive* topic, and right or wrong,
> management does not usually appreciate unsolicited advice on this topic.

And why do you suppose that is? (Socratic/rhetorical question.)

> I fully agree with the Moderator. Extending to you the
> benefit of the doubt that your motives are genuinely pristine and
> altruistic, this is NOT YOUR PROBLEM, and YOU WILL GET NO REWARD for
> disclosing this information to management. More likely than not,
> should you elect to disclose the information, your action in doing
> so will make you a suspect for *something*.

As I said in a previous posting, it's easy to get burned by a security
problem, even if you're not responsible for it. True, bringing that to
public attention raises your risk factor, but that's a self-preservation
issue, not an ethical one! In any case, your "if nobody knows it's a
problem, it's not a problem" attitude is childish.

> I would suggest that you chalk this up as one of life's many
> "lessons", get on with your career, and try not to get in the same
> situation a second time.

Such situations are unavoidable. You cannot work in a multiuser
environment without encountering security slipups. And a computer
professional who takes no interest in how his system works and what
might go wrong with it is in the wrong job.