Tim Callan's SSL Blog - Online Security
Topic: Miscellaneous 2:47 am EST, Dec 31, 2008

Q: These researchers have discussed their desire to maintain secrecy so that the hammer of legal action couldn't be used to prevent publication. Does VeriSign intend to sue these researchers?

A: Security researchers who behave ethically have no reason to fear legal action from VeriSign. Since its inception VeriSign has been one of the world's leading forces for online security, and the company has consistently used its resources and expertise to assist online security's progress. In fact, VeriSign is itself a white-hat security research firm (through our widely respected iDefense Labs), and we understand the concept of "ethical hacking." We're disappointed that these researchers did not share their results with us earlier, but we're happy to report that we have completely mitigated this attack.

Apparently the researchers disclosed to MS and Mozilla but refused to talk to Verisign for fear of preemptive legal action. I have to say that I can't blame them for being skittish. There is plenty of evidence in general that large companies will use their resources to go after security researchers making claims they want to silence. Microsoft and Mozilla are the exceptions. They are among the few companies who really do get security and deal with it very responsibly and professionally. I'm not sure Verisign's association with iDefense puts them in the same category.

The Sitefinder debacle was an absolutely outrageous abuse of power that sort of overshadows any good they might have done in the past. They made it absolutely clear in the midst of that incident that they don't care what technical professionals think about their company. I believe their CEO Stratton Sclavos used the word "zealots" in a news media interview to refer to people who disagreed with their actions. I'm pretty sure a frivolous lawsuit against a handful of "hackers" that has no basis in law would cause a less widespread outcry. If you are willing to do the one there is no reason why you wouldn't do the other.

Sclavos may be gone, but it's going to take a hell of a lot more than complaining about not being in the loop before the sort of people he called "zealots" will be willing to trust the company he used to operate.
