Re: Informing Companies about security vulnerabilities...

From: mailing lists (bofn@irq.org)
Date: Thu Oct 05 2006 - 03:27:37 EDT


My experiences are that companies and organisations really do not want to know about such
things, and will aggressively deny the facts when confronted, after they tried to not
respond for a while. They will only shoot the messenger and hardly ever fix their infosec
issues.

We have to understand that it's confronting people with blunt proof of their failure, and
the natural reaction in these days of endless disclaimers is 'never admit fault'.

We have talked to a few international banks, government departments in different
countries, and also well-known security companies like Cenzic, and they all seem to
follow the same procedure when confronted with a friendly email detailing major security
flaws in their public-facing infrastructure. Being:
- Ignore, no response
- Friendly (substance-less) public relations response
- Annoyed "what do you want from us!?" response
- Aggressive "we will call the cops" response
- Silence..., and the bugs/flaws stay in place.

So, I think it's just a sign of the times: people refuse to take any responsibility for
their actions, and would rather try to send a friendly helping hand to jail than sit down
for 10 minutes to look at what they could improve.

Cheers..

#--------------------
> So I drafted a letter to the editor as well as several other prominent
> people at the newspaper. It detailed my finding and recommended some
> possible mitigation strategies. After emailing this I didn't hear
> anything for a few days, so I emailed it again and followed up with a
> phone call. After getting no response to the second email and then
> having been bounced around from department to department when I called,
> I just said forget it.
>
> Has anyone else gone through a similar situation? Was the company
> receptive? Other companies I've contacted in the past have been quite
> receptive - I'm just curious if other people have gone through this as
> well.
>
> No need to fill the list with this, you can email me directly with your
> inputs and stories.
>
> --
> Joe McCray
> Toll Free: 1-866-892-2132
> Email: joe@learnsecurityonline.com




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:06 EDT