[Dshield] RFC2142 is a two-way street - response

Jim McCullough jim.mccullough at gmail.com
Sun Dec 25 16:03:22 GMT 2005

Minor update on this.  An important option left off for those who just
got the CC shock.  A is definitely NOT an answer.  Temptation for some,
but NOT an answer.  B is a good answer; however, if B gets you nowhere,
follow up with C and take your biz elsewhere.  This way it's a double
whammy to the people responsible for keeping that fixed: 1) their legal
dept just ripped them a new defecation orifice and 2) the financial
officer will see the reasons on account closure, thusly a second new
defecation orifice being created.

This would prob be best at Q1 or Q4 of the financial year for most
impact, to get the bank stock holders irritated and irrational with
the management of the bank.  Especially if it's a local bank and you know
some of the stock holders.  Remember it's the silly season, avoid travel
if possible.  And for those like me today, go back to bed.  Having kids
waking one up at 3:30 am to dig through presents isn't all bad, but blah,
it's too blasted early in the morning.

Jim McCullough
#dshield ( irc.freenode.net )
Happy Holidays, may the CC companies choke on their interest from this

RFC2142 is a two-way street

Published: 2005-12-25,
Last Updated: 2005-12-25 14:20:27 UTC by Kevin Liston (Version: 2)

As Johannes pointed out in http://isc.sans.org/diary.php?storyid=957
RFC2142 is a pretty good RFC to follow.  It works both ways too.

For example, let's say you're browsing your local bank's website and you
come across what you think is a very serious vulnerability.  Do you:

a) Jot that IP address down for later use when you need to pay off your
credit card debts from the holiday season's over-indulgences.

b) Drop a friendly fact-filled note to abuse at localbank.com

c) Launch a media campaign to publicize the risk, encouraging your
readers to write letters to the Office of the Comptroller of the

If one supports the idea of Responsible Disclosure, the answer would be
B, followed by C after an acceptable period of time.  I wouldn't
recommend choice A.  Jumping straight to C is likely to annoy
localbank's Incident Response team and result in happy letters from
their legal departments.  Another reader points out that he feels that
you should try B, and if that fails, take your business elsewhere.

