The good thing about this is that the security vulnerability was fixed. I am sure that the remainng customers feel good about this.

The bad was that this fellow had an axe to grind against his former employer and used his expertise to fulfill his vendetta.

The ugly is that the employer would have happily continued to let its customers think their email was secure when in fact it was not. How would all of you reading this feel if it were not an email system but a credit card authorization system? How certain can we be that those companies providing us online services have our best interests in mind. Certainly this email provider did not have their customer's best interests in mind. Forget undermining the willing posting of security information by us security folks. What happens if the public at large losses their confidence in service providers? What happens to all of us if people decide the risks are not worth it and decide to use the non-automated methods for conducting their business? The true risk here is that the employer risks compromising the entire industry's reputation. Perhaps they should be taken to court for their negligence. Could it not be argued that their actions could potentially result in the same problems they claimed this poor sap might have caused? Afterall, it is not a matter of 'if' some script kiddie finds the hole but 'when' and ALL internet service providers know this. If this is the way the government wants to interpret the law then they should apply it to all parts of the online world. The managers of the email provider should have done some jail time too.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21537#21537