Report: ExpressPay can be exploited for cash
Peter Laborge, 2006-02-28
Report: ExpressPay can be exploited for cash 2006-03-01
Anonymous (1 replies)
Re: Report: ExpressPay can be exploited for cash 2006-03-01
Anymouse (1 replies)
Re: Re: Report: ExpressPay can be exploited for cash 2006-03-02
Christian Schmidt (1 replies)
If nobody else is going to respond to this rant then I will.

> What should they have done? Given the company
> a month? Six months? A Year? No matter what
> the timeframe someone will find something
> wrong with it.

30 days is the norm. 2 weeks? Come on. If you don't think that even waiting to contact someone will do anything then why wait at all? And if they're going to contact them then they could have at least given them time. The only thing this does is release another minor zero-day exploit.

By the way: I did say minor exploit. Most people don't have smartcard readers. Since it takes special hardware I can't see this being a huge exploit. Kinkos cards can only be used at Kinkos and you can't transfer money to PayPal so what does this get you? Free photocopies. This looks like another case of the press blowing a minor exploit out of proportion.

> How is it that an unpaid, curious individual,
> without the benefit of the code or system
> design found this and the hired experts did
> not?

The posting came from some security company. What makes you think he was unpaid or wasn't a professional or didn't have the design? And being paid shouldn't make a difference in how the exploit is handled. This was poorly handled.

Sure the experts at ExpressPay know nothing about security. Neither do the clerks or store managers. I don't think the last anonymous guy was saying anything about that. But the hackers that found this could have handled it better. This just emphasizes the hacker stereotype.


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/150/684#684
To be presented at LAYER ONE 2006-03-01
Anonymous
Fedex Response: 2006-03-01
Anonymous (1 replies)
Re: Fedex Response: 2006-03-01
Anonymous
Copyright 2009, SecurityFocus