Sounds like you "no big deal" folks have never dealt with a security breach in your lives...I have. When somebody exploits a security hole (rather than simply reporting it), hundreds if not thousands of man hours need to go into just finding out what that person did, and creating a report of the incident. If at that point civil or criminal charges are warranted, another ton of man hours need to go into evidence gathering, and EVERYTHING needs to be printed out in triplicate for all the lawyers (Thousands of pages worth). Whether or not there is ultimately prosecution that costs money, big money; money that you have to pay whenever you use that company's services (if its a gov't agency, you pay in your taxes).

It is not up to Lamo whether or not the company takes action on a reported problem, for him to think otherwise is definitely indicitive of an "ego trip". I wonder, did he offer to pay for all of his searches when he reported the security hole? I kind of doubt it...is that not theft of service at the least?

Oh, and don't go with the "if they'd have properly secured their network..." business. Fact: There is no such thing as a completely secure network. The reality is mistakes are made, whether it be poor policy or a low-level tech who wants to go home early and doesn't finish their job properly. If any of you worked in a shop with more than 5 employees (or your house) you'd know this.

If you want to go scanning for problems so you can play the big security hero, fine. But if you want to go around finding holes, exploiting them, and costing people big bucks to clean up after you, good riddance!

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6934/22247#22247