> I just wanted to see what everyone's opinions were on means of
> approaching vulnerable prospective clients.

My sense is that this won't get you very far.

I routinely notify vulnerable networks and send reports that have full details, specifically disclaim a solicitation for work, and invite them to contact their local security people to get it fixed. I'm just a good internet citizen, and so far 70-80% just ignore them outright. Some treat me with *hostility*, and there is no way that these reports can be taken that way. I've never taken money from an unsolicited report.

I was told to *get lost* by the ACM (yes, the computer professional society) even after offering to help them fix their wide-open network for free. After a bit of persistence I got them to fix part of it, but it's since regressed and they're wide open again.

Why bother? People just don't care very much, and adding the "trolling for work" factor is not likely to make the reception any warmer.

Not sure it's a completely dead trail, but it's likely to be very frustrating.

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steveat_private
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 18:11:48 PST