<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>Pingree on Security - Comments</title>
    <link>http://www.lawrencepingree.com/</link>
    <description>Pingree on Security - A security focused blog</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.2 - http://www.s9y.org/</generator>
    <pubDate>Fri, 04 Jul 2008 14:28:30 GMT</pubDate>

    <image>
        <url>http://www.lawrencepingree.com/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: Pingree on Security - Comments - Pingree on Security - A security focused blog</title>
        <link>http://www.lawrencepingree.com/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Benjamin Woodford: Is the RIAA out of control with enforcement?</title>
    <link>http://www.lawrencepingree.com/archives/97-Is-the-RIAA-out-of-control-with-enforcement.html#c30</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/97-Is-the-RIAA-out-of-control-with-enforcement.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=97</wfw:comment>

    

    <author>nospam@example.com (Benjamin Woodford)</author>
    <content:encoded>
When I first heard about this I was furious!! Evidently things like BitTorrent are only used for piracy, and there is not a legal reason that anyone would ever want to use it. &lt;br /&gt;
&lt;br /&gt;
Also, how many laws did MediaDefender break by attacking a legitimate company and shutting down their business? Had this been a couple of high school kids, people would be screaming for prosecution.&lt;br /&gt;
&lt;br /&gt;
I hope that Revision3 is able to get compensated for the time that their network was down.&lt;br /&gt;
&lt;br /&gt;
I don&#039;t favor piracy or any other illegal activities, but this time the RIAA has gone too far in their attempts to combat piracy.  
    </content:encoded>

    <pubDate>Mon, 09 Jun 2008 14:51:41 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/97-guid.html#c30</guid>
    
</item>
<item>
    <title>Lawrence Pingree: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c29</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Lawrence Pingree)</author>
    <content:encoded>
    I apologize if I embarrassed you; hopefully we can make amends.  
    </content:encoded>

    <pubDate>Sat, 17 May 2008 10:54:06 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c29</guid>
    
</item>
<item>
    <title>Lawrence Pingree: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c28</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Lawrence Pingree)</author>
    <content:encoded>
    I thought this was fitting &lt;img src=&quot;http://www.lawrencepingree.com/templates/default/img/emoticons/smile.png&quot; alt=&quot;:-)&quot; style=&quot;display: inline; vertical-align: bottom;&quot; class=&quot;emoticon&quot; /&gt;&lt;br /&gt;
http://youtube.com/watch?v=7SmeNAZYi5A&amp;feature=related  
    </content:encoded>

    <pubDate>Sat, 17 May 2008 10:51:43 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c28</guid>
    
</item>
<item>
    <title>Lawrence Pingree: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c27</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Lawrence Pingree)</author>
    <content:encoded>
    I&#039;m working to rename it soon. Excellent suggestion!  
    </content:encoded>

    <pubDate>Sat, 17 May 2008 10:14:32 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c27</guid>
    
</item>
<item>
    <title>Lawrence Pingree: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c26</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Lawrence Pingree)</author>
    <content:encoded>
    Thanks for the comment. As far as third-party checking goes, I&#039;m fine with that as long as it is under the guise of helping the service. PayPal and others already have a fiduciary responsibility to repair or fix any security-related issues for PCI and GLBA. What I take issue with is the public disclosure, which places all PayPal users at risk. I&#039;d be happy if the gentleman worked with PayPal to fix the issues privately, but in fact when you do an interview on TV, in print or online it&#039;s just to gain notoriety and fame, a precept that bothers me and that I do think is unethical, as it directly places others at risk and only for the person&#039;s ego and glory. In the &quot;good old days&quot; security testing was performed by administrators against other administrators&#039; systems, and there was a code of ethics to let the administrator (then called a sysop) know that the hole existed so they could address it. What&#039;s lacking today is that honor code; now it&#039;s all about getting glory from being in the media outlets, which I feel is somewhat sad.  
    </content:encoded>

    <pubDate>Sat, 17 May 2008 10:11:17 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c26</guid>
    
</item>
<item>
    <title>Matti Nikki: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c25</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Matti Nikki)</author>
    <content:encoded>
    Attacking websites and looking for security holes is technically illegal in Finland, but the law says there needs to be a malicious intent or an intent to use any found security holes.&lt;br /&gt;
&lt;br /&gt;
So, the law doesn&#039;t really apply here, although you never know what the courts might decide if things get there. After all, one poor kid accidentally portscanned a bank&#039;s address range when he was looking for proxy servers. The courts judged that since a proxy server in a bank network could&#039;ve enabled him to get into the bank&#039;s internal network, and he certainly was looking for proxies to use them, it meant he had intended to break into the bank&#039;s internal network. Ouch! To add insult to injury, he also had to pay the bank for the costs involved in improving the security after the &quot;incident&quot;.&lt;br /&gt;
&lt;br /&gt;
I personally believe looking for security holes in third-party services should be allowed, especially since they&#039;re so common and often easy to find. As a user, I want the services I use to be secure, because I trust them with my personal information. In the case of PayPal and online banks, I also trust them with my money. Why should I blindly trust these sites?&lt;br /&gt;
&lt;br /&gt;
Or let&#039;s ask it like this: if you knew an SQL injection hole could be found in 5 minutes in a service you use, would you still use it? Would you buy from an online store with such a hole, if you knew your credit card data could be stolen by an attacker at any time?&lt;br /&gt;
&lt;br /&gt;
Knowing that good people are checking sites for security holes makes me feel more secure about using those sites.&lt;br /&gt;
&lt;br /&gt;
P.S. Sorry for the messy and unorganized reply.  
    </content:encoded>

    <pubDate>Sat, 17 May 2008 04:02:54 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c25</guid>
    
</item>
<item>
    <title>Lawrence Pingree: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c24</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Lawrence Pingree)</author>
    <content:encoded>
    Excellent feedback, Steve. I guess I stand corrected; I&#039;m happy to see some of you have opinions about this topic. I&#039;d bet you might feel differently about public disclosure if your bank account were emptied, and all because of a disclosure about PayPal, but I digress and appreciate your opinion.&lt;br /&gt;
&lt;br /&gt;
I do still believe that probing systems and injecting unintended traffic into a website should be illegal. I am certain that he didn&#039;t just start by &quot;knowing&quot; the parameter to tamper with right off the bat; I bet more than likely he probed many times to find the hole, and many jurisdictions would prosecute for such activities under unauthorized use clauses.  
    </content:encoded>

    <pubDate>Fri, 16 May 2008 18:38:28 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c24</guid>
    
</item>
<item>
    <title>Angus N. Ominous: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c23</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Angus N. Ominous)</author>
    <content:encoded>
    &quot;He embarrassed me! SEIZE HIM!&quot;  
    </content:encoded>

    <pubDate>Fri, 16 May 2008 17:24:39 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c23</guid>
    
</item>
<item>
    <title>Petri Koistinen: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c22</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (Petri Koistinen)</author>
    <content:encoded>
    Please, rename your blog to &quot;Ostrich security by Lawrence A Pingree&quot;.  
    </content:encoded>

    <pubDate>Fri, 16 May 2008 16:56:50 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c22</guid>
    
</item>
<item>
    <title>SteveJ: Paypal XSS, ethics and the law</title>
    <link>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#c21</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/94-Paypal-XSS,-ethics-and-the-law.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=94</wfw:comment>

    

    <author>nospam@example.com (SteveJ)</author>
    <content:encoded>
    Unauthorised access to a computer system is illegal in many jurisdictions. Demonstrating that it is possible to make a particular dialog box pop up in your own browser, on your own PC, is not unauthorised access to a computer system, in Finland or anywhere else.&lt;br /&gt;
&lt;br /&gt;
This researcher injected javascript into the Paypal page displayed by his own browser. He has not &quot;hacked into Paypal&quot;, or stolen anyone&#039;s Paypal details. He merely demonstrated that a phishing attack is possible - we have no reason to believe he actually directed it at anyone else.&lt;br /&gt;
&lt;br /&gt;
So it&#039;s not illegal, and if Paypal doesn&#039;t object to the method of disclosure, which as far as I&#039;m aware hasn&#039;t happened, I don&#039;t think it&#039;s unethical either. Even if Paypal were to object to the public disclosure it might not be unethical, depending whether they had already been informed, if so how long ago, etc.&lt;br /&gt;
&lt;br /&gt;
&quot;I&#039;m certain that Paypal has an army of security personnel that are slated to ensure this sort of thing does not happen.&quot;&lt;br /&gt;
&lt;br /&gt;
Sure. And that army needs help from outsiders, since in point of fact they did not ensure this sort of thing does not happen. &lt;br /&gt;
&lt;br /&gt;
Independent researchers, the ones who report their results rather than selling them to credit card fraudsters, make sites more secure, not less. Prosecuting them as if they were criminal hackers would be counter-productive, even if they had broken the law (which I don&#039;t believe happened here).&lt;br /&gt;
&lt;br /&gt;
Analogies are cheap online, so feel free to ignore this bit, but it&#039;s like losing your wallet and then prosecuting the guy for theft who picks it up and hands it in to the cops. After all, he walked off with your wallet, right? If that&#039;s not illegal in Finland, it should be!&lt;br /&gt;
&lt;br /&gt;
&quot;XSS and SQL injections are not that tough&quot;&lt;br /&gt;
&lt;br /&gt;
If that&#039;s true, then &quot;bad guys&quot; can easily perform attacks if they want to. Since they presumably want to, they presumably are. So I don&#039;t see any harm in a &quot;good guy&quot; demonstrating that it is possible.&lt;br /&gt;
&lt;br /&gt;
Or rather, there isn&#039;t any &lt;strong&gt;security&lt;/strong&gt; harm. Obviously there is some &lt;strong&gt;PR&lt;/strong&gt; damage to Paypal and perhaps also Verisign&#039;s EV SSL system. But surely you wouldn&#039;t advocate that they protect themselves from that PR damage using spurious arguments about security risks?  
    </content:encoded>

    <pubDate>Fri, 16 May 2008 16:56:20 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/94-guid.html#c21</guid>
    
</item>
<item>
    <title>Tony Bright: Using credit statistics to determine who is most trustworthy</title>
    <link>http://www.lawrencepingree.com/archives/85-Using-credit-statistics-to-determine-who-is-most-trustworthy.html#c20</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/85-Using-credit-statistics-to-determine-who-is-most-trustworthy.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=85</wfw:comment>

    

    <author>nospam@example.com (Tony Bright)</author>
    <content:encoded>
    Hi Lawrence,&lt;br /&gt;
&lt;br /&gt;
My opinion is this:&lt;br /&gt;
Creditworthiness is an important factor in venture funding only to banks (investment banks included), large VC firms and your referenced Prosper and similar P-2-P lending networks, where you must have a high credit score to even post. Angel investors and smaller VC groups know well that &quot;bad things happen to good people&quot; and, being entrepreneurial themselves, they also understand that you do not hit a home run each time you get up to bat. These exceptions to your rule provide funding to start-up ventures, knowing that Steve Jobs, Bill Gates and Sam Walton would have never received their initial working capital if their credit was the deciding factor. &lt;img src=&quot;http://www.lawrencepingree.com/templates/default/img/emoticons/smile.png&quot; alt=&quot;:-)&quot; style=&quot;display: inline; vertical-align: bottom;&quot; class=&quot;emoticon&quot; /&gt;&lt;br /&gt;
&lt;br /&gt;
Please keep this in mind.&lt;br /&gt;
&lt;br /&gt;
Thank You,&lt;br /&gt;
Tony Bright&lt;br /&gt;
&lt;br /&gt;
www.pdcaholdings.com  
    </content:encoded>

    <pubDate>Thu, 17 Apr 2008 09:37:48 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/85-guid.html#c20</guid>
    
</item>
<item>
    <title>Darrell Pruitt DDS: Interesting HIPAA Study on Dentists</title>
    <link>http://www.lawrencepingree.com/archives/82-Interesting-HIPAA-Study-on-Dentists.html#c11</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/82-Interesting-HIPAA-Study-on-Dentists.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=82</wfw:comment>

    

    <author>nospam@example.com (Darrell Pruitt DDS)</author>
    <content:encoded>
    It pleases me to see that Lawrence Pingree posted my study.  There has been far too little reliable information about HIPAA available for dentists in the nation.  I think the study shows that if mandated requirements are meaningful, dentists will comply.  If the requirements are absurd dentists will ignore them - keeping the cost of services as low as possible.  God bless America.  Darrell Pruitt DDS  
    </content:encoded>

    <pubDate>Sat, 12 Apr 2008 09:40:35 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/82-guid.html#c11</guid>
    
</item>
<item>
    <title>Benjamin Woodford: Using Diceware for passphrase selection</title>
    <link>http://www.lawrencepingree.com/archives/76-Using-Diceware-for-passphrase-selection.html#c10</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/76-Using-Diceware-for-passphrase-selection.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=76</wfw:comment>

    

    <author>nospam@example.com (Benjamin Woodford)</author>
    <content:encoded>
    O.K. I personally have all the dice that would be required to perform this function (I know I&#039;m a geek). However, I still think that I would never use this method of password picking. If I have to randomly roll my passphrase, then I am going to have to write it down somewhere, and probably lose it. I definitely see my brain being a better way to choose a password.  
    </content:encoded>

    <pubDate>Fri, 14 Mar 2008 13:41:57 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/76-guid.html#c10</guid>
    
</item>
<item>
    <title>woody: My New Book!</title>
    <link>http://www.lawrencepingree.com/archives/72-My-New-Book!.html#c9</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/72-My-New-Book!.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=72</wfw:comment>

    

    <author>nospam@example.com (woody)</author>
    <content:encoded>
    Test your forex skills at http://www.pipsociety.com  
    </content:encoded>

    <pubDate>Sun, 09 Mar 2008 11:23:51 -0700</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/72-guid.html#c9</guid>
    
</item>
<item>
    <title>Benjamin Woodford: Port level Intrusion Prevention Systems</title>
    <link>http://www.lawrencepingree.com/archives/70-Port-level-Intrusion-Prevention-Systems.html#c8</link>
            <category></category>
    
    <comments>http://www.lawrencepingree.com/archives/70-Port-level-Intrusion-Prevention-Systems.html#comments</comments>
    <wfw:comment>http://www.lawrencepingree.com/wfwcomment.php?cid=70</wfw:comment>

    

    <author>nospam@example.com (Benjamin Woodford)</author>
    <content:encoded>
    In a securing e-commerce class that I teach we discussed this very thing a couple of weeks ago. The thought that we kept coming back to is a choice between security and freedom. Right now more than ever it seems that our activities on the internet are being monitored (i.e. NSA &amp; AT&amp;T) or our access is being limited (bandwidth shaping). How much of our freedom on the internet are we willing to give up in order to help protect ourselves?&lt;br /&gt;
&lt;br /&gt;
This argument is one that we face not only on the internet, but in most aspects of our lives. How much freedom are we willing to give up in order to keep ourselves safe?&lt;br /&gt;
It will be interesting to see if anything is done at the ISP level or if we are going to be left to our own defenses as we are now.  
    </content:encoded>

    <pubDate>Thu, 28 Feb 2008 11:43:55 -0800</pubDate>
    <guid isPermaLink="false">http://www.lawrencepingree.com/archives/70-guid.html#c8</guid>
    
</item>

</channel>
</rss>