At 08:29 AM 4/5/00 -0500, you wrote:
>So what do you guys think about part time hackers that attempt a breakin,
>post general results on a website, and then ask for payment to fix your
>problems?
I have a problem with posting any results to a website. If they are the
cause of the problems that they want to charge you to fix, I think that's
supremely unethical. And all the hackers that I know (even the part time
ones) are extremely ethical. I wouldn't trust any hacker that caused damage
to my system and then asked for money to fix it-- because what is he going
to leave in or put in that isn't covered?
If the problems that they want to fix are the security holes and not damage
that they cause, that would be a little different. It might be annoying to
have somebody send you a bill for that, but it may be a sign of a bigger
problem that you're not aware of (like the netadmin being a bozo).
In either case, I wouldn't have them fix the problem. There are a lot of
full-time hackers/experienced security admins with businesses to fix those
problems. People with credentials and such. I'm doing a website for one of
those businesses now and there are people working there with 10-15 years of
info security experience and military security clearance. With people like
that available to work on my system, I certainly wouldn't hire some random
hacker to fix it.
>Just curious...
>
>Please direct all responses to the newsgroup so that all may benefit from my
>lack of wisdom!
>----- Original Message -----
>From: <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, April 04, 2000 9:20 PM
>Subject: RE: Security holes revisited -- reward offered
>
>
> > Mike,
> >
> > While it might not sound like it from my prior post, I agree with you.
>The
> > issue is why pay someone with an axe to grind to penetrate your system.
>But
> > whether he gets paid or not, my gut says the kid will try anyway just to
>get
> > back at the webmaster. Would I pay him? No way.
> >
> > However, should he succeed, or if the threat feels warranted, I would
> > definitely consider hiring a "tiger team" to review my security and as you
> > mention, under a contractual agreement, attempt to infiltrate security.
>Any
> > team that is worth hiring, will have such agreements to sign when you hire
> > them, because they want to be legally protected should they succeed. This
> > kid, however, is most likely going to break the law in his efforts if he
> > decides to, and manages to succeed in, modifying the web site or mis-using
> > information technology owned by the site. Unfortunately, it sounds like
> > even if he did, he might get a break from the owner, and that's the real
> > injustice here.
> >
> > Best of luck to the webmaster...
> >
> > --Doug
> >
> > -----Original Message-----
> > From: Mike Sheldon [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, April 04, 2000 3:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Security holes revisited -- reward offered
> >
> >
> > I have to violently disagree with this.
> >
> > The individual in question is not a reputable security expert, he's a kid
> > with an axe to grind.
> >
> > I would never use any security group who cannot post a bond against any
> > potential damage they may cause in the act of attempting to penetrate the
> > system.
> >
> > Michael J. Sheldon
> > Internet Applications Developer
> > Phone: 480.699.1084
> > http://www.desertraven.com/
> > PGP Key Available on Request
> > --------------------------------------------------------------------------
>----
> > Archives: http://www.eGroups.com/list/cf-talk
> > To Unsubscribe visit
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
>send a message to [EMAIL PROTECTED] with 'unsubscribe' in
>the body.
> >
>
>------------------------------------------------------------------------------
>Archives: http://www.eGroups.com/list/cf-talk
>To Unsubscribe visit
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
>send a message to [EMAIL PROTECTED] with 'unsubscribe' in
>the body.
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
