From reading the various posts, it looks like there are really two different issues here:
1) Can the client relationship be re-established?
2) Should the ex-client be informed of the security holes that you've discovered?
If you answer these questions separately it puts the whole thing into a different perspective.
Example 1: It's not worth the risk to inform them of the vulnerability when they might suspect us of wrongdoing; informing a client of a vulnerability is part of the service. Solution: inform them of the problem if they are willing to sign a contract.
Example 2: Too many employees of the client might be hurt if they got hacked; it would be nice to have them as a client again, but not too likely. Solution: inform them of the problem and cope with the possible consequences.
Answering these two questions separately won't resolve the entire question, but will help in looking at it from the perspective of risk assessment. Given the answers, here are the risks involved with the possible courses of action, and risks x, y, and z are worth the risk.
At the risk of being laughed at by the /. crowd, I'll argue that the most important part of running an ISP is not the equipment but your tech support.
Good support people can keep most of your customers happy even when the equipment is in the server room smoking (or at least convince the customers to give you time to fix things before quitting), while bad support techs will drive away customers even when everything is working just fine.
The drawback to this is that truly good customer support people are as hard or harder to find than really good engineers. The support people have to be reasonably good with the technical details and be able to deal with the customer contact day after day.
Disclaimer: I'm a support tech and have worked for an ISP that treated their customers well, and one that treated their customers as totals in the accounting books and nothing more. It makes a difference.
Actually, I know a guy who got to do exactly that.
The ISP he worked for at the time had filtered access, and when they first put it in they needed to look for holes in it. Management offered a bonus to whomever could find the most unblocked sites that fit the categories they were trying to block.
This guy won, but being the nice guy that he is, he asked his girlfriend if she minded him "researching" this before he started.
Personally I was hoping they would approve my favorite one: the .not
Just think of the potential uses (and abuses) of this one!
I guess that's not too surprising; the original Galileo did some pretty neat science as well. Must be a tradition with the name.