1997-06-16 - Re: Homer on Terrorism

Header Data

From: Adam Shostack <adam@homeport.org>
To: tomw@netscape.com (Tom Weinstein)
Message Hash: 4b1fc4baf8c4b6f4b71c6f871db47a8b42b0b3c73c5d78676c72e2f41199b482
Message ID: <199706160215.WAA17222@homeport.org>
Reply To: <33A49D42.49741BF5@netscape.com>
UTC Datetime: 1997-06-16 02:37:30 UTC
Raw Date: Mon, 16 Jun 1997 10:37:30 +0800

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Mon, 16 Jun 1997 10:37:30 +0800
To: tomw@netscape.com (Tom Weinstein)
Subject: Re: Homer on Terrorism
In-Reply-To: <33A49D42.49741BF5@netscape.com>
Message-ID: <199706160215.WAA17222@homeport.org>
MIME-Version: 1.0
Content-Type: text/plain

	Since this list has bred a lot of security consultants, I'll
comment on the business practices here.

	Sending a company a bill for doing work they didn't agree to
in advance is wrong.  I've spent substantial amounts of time finding
and documenting bugs in various products.  Some of it's public, a lot
is not.  In most every event, the handshake and thank you has led to
consulting work for the company.

	If I show up with a bill in hand, that's not the right way to
start a business relationship.  So, questions of blackmail aside, it's
plain bad practice.  I'll note that the company in Denmark is not a
well known one, nor is the name one that I've seen, so there are
questions of if the individual is using their true name or not while
chasing the money.  If they are not, it may be because they feel that
this sort of business practice is one they'd like to disassociate
themselves from.


Tom Weinstein wrote:

| > One can imagine people approaching a company with reports of a bug--as
| > a certain math professor approached a certain chip company with
| > reports of a strange FDIV problem--and being given the polite
| > runaround. "Thank you for sharing. We'll have one of our QA engineers
| > look into your report and maybe he'll get back to you."
| > 
| > (I have no idea if Netscape reacted in this way, but I can imagine
| > that the flow of bug reports may cause many to linger in the "In"
| > baskets without action.)
| As a matter of fact, we responded to him very quickly.  The day after
| we heard from him we had a phone call where Jeff Weinstein, Jim Roskind
| (Java security), and I were present.  We gave it serious attention as
| we do with all security holes.

"It is seldom that liberty of any kind is lost all at once."