Slashdot Mirror
Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
Coincidentally the quote on the bottom of the page when this was posted:
I stick my neck out for nobody. -- Humphrey Bogart, "Casablanca"
Ah well, at least we'll always have Paris.
You can't talk about Wikipedia's flaws on Wikipedia
3) Walk around until you find an unsecured AP of somebody you don't like.
So then the common computer illiterate that didn't have his AP properly secured gets hassled by the police instead.
When vulnerabilities are outlawed, only outlaws will use vulnerabilities.
I recently figured out a fairly anonymous method of reporting vulnerabilities for a cost of only $0.39. Send SASE for details.
Intron: the portion of DNA which expresses nothing useful.
Post vulnerabilies on as many IRC channels as you can. Post vulnerabilites on slashdot comments. Post them on jihad websites. Post them on college bulletin boards.
In short, post them as anonymously as possible. Don't go through the fucking "right" channels, because they are looking to retain their share-holders confidence. Which is why you heave a god damn shitbomb into their office and let them sort that son of a bitch out. Eventually, people will start taking security fucking seriously. They will start asking about NetBSD, hooking up hardware firewalls, and thinking twice before shopping at Best Buy. And the you won't be sitting in jail because you reported a 0-day exploit to M$/Apple/Redhat/Berkeley/FuckingSCOX.
Run an end-around. Works for football, works for World War II submarines, and it works for reporting vulnerabilites.