Posts by Ian Rons

2 publicly visible posts • joined 9 Jun 2009

Kent Police clamp down on tall photographers

Ian Rons
Unhappy

Zimbardo strikes again

For this and related reasons, Britain seems to be casually engaging in a kind of Stanford Prison Experiment, and unfortunately there don't seem to be any signs of an over-arching intelligence guiding the experiment -- cryptocratic or otherwise. The country really is in a bad state.

Webhost hack wipes out data for 100,000 sites

Ian Rons
IT Angle

@Bronek Kozicki

"Vendor has been given 2 weeks to show interest and provide any sort of update. Which he failed to do. You seem to think that vendor was asked to fix the bug in 2 weeks time, but there is nothing to support this."

On the contrary, in the section of the "security advisory" that I quoted it is clear that the vendor was replying to correspondence, but hadn't got around to dealing with it yet. Only a teenager without business experience (who else has the time to find bugs in other people's software for free?) would assume that this shows "no interrest [sic] in fixing the bugs". It's clear that Kloxo are lackadaisical about security, and I am in no way attempting to exculpate them -- indeed, looking at the vulns being exploited, they're complete t***ers -- but the fact they have problems is hardly unique in the IT industry, is it? That fact doesn't justify releasing these vulns so soon, and without warning. I can understand wanting a bit of kudos for finding all those bugs, but seriously...

You ask me what I would do. I would give the company a bit longer to respond, whilst embarrassing them with a public but non-specific security alert. If it took them more than a few months (let's say 6), *then* I would think about publication, and to hell with them. I would wait more than *3 days* for a follow-up to the last piece of correspondence...