Re: Pentester convicted..

From: Phoebe Tunstall (foibey@gmail.com)
Date: Fri May 12 2006 - 15:52:18 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 12 May 2006 13:55:03 -0400
Karyn Pichnarczyk <karyn@sandstorm.net> wrote:

> Therefore, the Actual Damage is the re-evaluation of all systems, and
> verification of all data on those compromised systems, to ensure that
> the company's data has not been twiddled with/changed/modified.

I wouldn't argue that what the people mentioned in the articles did was ethical (or particularly sane). However, surely once a critical flaw like that is discovered at all, the data accessed must be considered potentially compromised, whether the flaw was discovered by someone who had permission to look or not. The data was available relatively easily to anyone who took a look. There's a good possibility that there have already been intruders who weren't so gracious as to identify themselves. The intruder who identifies themselves is not responsible for this "damage", as the damage exists with or without them. I think the actual damage you refer to is just a logical fallacy to cover the issue that a piece of critical technology is seriously flawed. An intruder who does nothing to a company but inform them of a security flaw doesn't hurt the company, as the problem was there before they arrived.
 
> A defense of "I didn't do anything" does not lend much credence to
> a criminal's testimony.

No, but identifying yourself as the perp does in a few legal systems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEZOd41vzgRTK71/IRAqTqAKCx2B9ARYCUKFfnJunDuG26dneXlQCgkYJ4
4ShGJ0dYxLJndbs4Y4qh2cU=
=jWhX
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:57 EDT