There is a rather sad thread in the Security Basics mailing list where people are discussing how risky it actually is to try to be the good guy and let companies know of potential vulnerabilities in their applications.

Such a discussion shouldn’t even take place. Why must companies be scared of people who are trying to help them? Yes, they’re talking about a bank in the thread, and that is surely a risky business. But tech companies, which should realize the importance of independent security work, aren’t any better, as Cisco showed us in 2005.

The thread creator says that a client of a friend of his found some “web exploits on several financial institutions” and asks what his best options are for letting the vulnerable organizations know about the problems. This is what the first person who replied to the thread said:

1) Do not reveal this or tell anyone about it. Leave it be. As there is this heightened sense of urgency among banks to thwart potential attackers the person could be in trouble with the bank for simply discovering the issue. It really all depends on the person he or she deals with there. Not saying it would hold up in court, it likely wouldn’t, but anyone who has the ability to find exploits is generally regarded in a dim light by those who are uneducated on the subject.

The fact that staying quiet and simply doing nothing about it is the first thing to be considered in a situation like this isn’t making any of us any safer. I’m not criticizing whoever considers this an option, however — the sad state of affairs which we are in makes this a very sensible course of action.

I’m pretty sure that just pretending that there are no problems and that we will know of one immediately once it’s found isn’t contributing anything to people’s security. But ignorance is bliss.

“Digital Defense”

A bill relating to internet crimes is currently being discussed here in Brazil. It has been heavily criticized, but some of the criticism has to do with the fact that the largest online content providers in Brazil also provide internet services and the bill, once approved, will create several responsibilities for ISPs — and they don’t like that, of course.

There was one very interesting bit in the bill, called Digital Defense, that protected security researchers and professionals. It was there to guarantee that professionals could still analyze malicious software or perform penetration tests without risking being sued. Lawyers, however, interpreted “incident response” as counterattacks and complained about the bits that allowed “defensive sniffing” of packets. As a result, “digital defense” was nuked from the bill. The people of ISSA Brazil are trying to get it back in, but I do not know the outcome of their requests.

Maybe every country needs a “digital defense” bill to protect researchers and security professionals. If security terms need to be well-defined in such a bill to make sure that it doesn’t become so broad as to also protect criminals, then so be it — let’s work on that. But the idea behind Digital Defense was a noble one, and we need it.

If people are scared of even finding a flaw, that’s bad, because you can bet the people who are the real criminals don’t fear anything when it comes to actually using them behind the protection of their computer screen.

Posted Friday, July 27th, 2007 at 7:14 am
Filed Under Category: Lawsuits, Vulnerabilities