Man charged with accessing USC student data
Robert Lemos, 2006-04-20
Lessons to be learned, 2006-04-24
Anonymous
Unfortunate for Eric, but it will serve as a lesson to those starting in the security field not to do anything before being prepaid and covered by a legal exemption/non-accountability agreement with the client.

Once I read an article by a group of Russian security researchers (a reputable one) where they performed 'sociological' pen-testing. They scanned many random sites for various vulnerabilities (cross-site scripting, SQL injections, etc.; nothing groundbreaking or unknown). Most of those sites were in the Western World domain space; having the 'privilege' of residing in Russia, they may not fear swarming armies of lawyers after them. They did not do any damage, though. And then they contacted every site owner and reported their findings with suggestions for repairing the sites' security (and didn't ask for money). The main idea of this experiment was to study the responses: a big number of site owners didn't reply at all (most probably just ignored the mail), but of those who did respond, most of the replies were hostile!!

Conclusion: don't do anything in IT security, neither good nor bad, before deciding what you want to get from it.

On the other hand, if Eric wanted publicity, he will receive it.


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/191/913#913







 

Copyright 2009, SecurityFocus