How Much Hack Info Is Too Much?
To disclose or not to disclose - it's a question that has been under heavy discussion in the computer security industry over the past year.
U.S. cybersecurity director Richard Clarke and virtually all software companies insist that software vendors should have a chance to fix problems before security researchers disclose them publicly.
Researchers counter that without full disclosure, companies often fail to swiftly patch security holes. Full disclosure, in theory, also alerts computer users to problems that are already known to malicious hackers, who often exploit holes before patches become available.
But a recent post on security news mailing list BugTraq has infuriated some who normally favor full disclosure.
The post details how a bit of programming code embedded in a Web page can reformat site visitors' hard drives, deleting all files stored on the affected drive. The exploit affects users running Microsoft Internet Explorer browser versions 5.5 or 6.0.
"Even if you are in favor of full disclosure, that post falls far outside of the accepted parameters for a public forum," said security expert Richard Smith. "I don't understand how publishing this kind of malicious code increases security. Symantec (which hosts the SecurityFocus website and BugTraq mailing list) is just helping out the script kiddies.
"BugTraq is a moderated list, so it has the choice of what messages are sent out to the list and which ones are rejected," Smith added. "Why wasn't this message rejected?"
Read more:
- Article: An informal analysis of vendor acknowledgement of vulnerabilities (8 April 2002)
- Article: Full Disclosure of Vulnerabilities - pros/cons and fake arguments (8 April 2002)
- Article: Issues: "Save a bug, safe a life?" (1 April 2002)