On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
> This article may be of interest:
>
> http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
>
> Basically, a Montreal student, developing mobile software to interface
> with schools system found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
>
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
>
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"

That article doesn't justify security review, it justifies not being a complete knob when someone reports a security hole in your site. There are so many site vulnerabilities these days that they're not news. What *is* news is when the vulnerable organisation goes off the deep end and massively overreacts to the situation. See Also: First State Superannuation.

- Matt

