
as well as sending them a copy on a floppy disc (although who has a floppy drive these days?)
I think it's called irony.
Nottinghamshire-based software biz Impero has a lot of recycling to do – after hacker-turned-security-researcher Cal Leeming delivered over 9,000 paper copies of a vulnerability to the company's headquarters as a protest. A few weeks ago, Impero hit the headlines when it threatened to sue someone called …
This post has been deleted by its author
Yeah, that's what we tried first. Then Impero ignored the e-mail disclosure.
Perhaps your ire should be aimed at Impero, given that they have been non-responsive to disclosure, lying (or at best, being incompetently misinformed) about the degree of patched-ness of their code, and most of all, developing software to *spy on kids*.
"To save future cost, time, and carbon footprint, should security researchers be contemplating similar methods, we wanted to make clear that an email to security@imperosoftware.com will suffice!"
This sounds like the guy who has to deal with Picking Up What the Dog Left Behind tries to smoothen problems caused by Oversized Egos In a Child's Mind Supported By Lawyers in the upper echelons.
(No these are not the names of GSVs)
Albeit with a bit of a procedures issue, if I understood correctly.
A "legit security researcher" does not just publish his findings on a blog these days. Step one is to contact the company and open a discussion on the subject, at least asking the company to validate the findings.
Publish-and-be-damned is for when the company has repeatedly ignored the warnings, refused to acknowledge anything and denied all issues - that is when you go public and let the company fry, not before.
And you seem to have a bit of an understanding-the-article problem, if I understand correctly. Because the "legit security researcher" who pulled this stunt (Leeming) wasn't the guy who found the vuln (Slipstream). Slipstream may have been an arse, but it wasn't his arse that farted out a copyright infringement sue ball.
If you're selling software, and get outed by a teenage wannabe, we can reasonably expect you to smile and gently chastise the irresponsible "researcher", rather than cry havoc and let loose the poodles of law.
>Publish-and-be-damned is for when the company has repeatedly ignored the warnings, refused to acknowledge anything and denied all issues - that is when you go public and let the company fry, not before.
Nobody said he had not written to them, his email was probably eaten by a hungry spam filter or simply ignored. If the bloke went through the trouble of finding a floppy, a compatible drive and computer, sure as hell he had already sent an email ... ;-)
Half right. As I understand it, they've changed the AES key in the current version, so you'd have to redo Slipstream's work. The next version is switching to a certificate-based system which, I believe, they're basically poaching from their IRM product (I could be wrong).
Security researchers should look at all these types of products, some of them have pretty glaring flaws, as in, no hacking required. For instance, anyone who logs onto a machine with the teacher element of AB Tutor installed can run the console.
He should have loaded them into a large drone, flown it over the area, & scattered them like it were a World War Leaflet Drop across enemy lines.
THAT would have been the British way of getting the message across.
Bonus points for using a drone that looks like Snoopy flying a Sopwith Camel. =-)p