How Much Hack Info Is Too Much?

Wednesday, 20 November 2002, 4:36 PM EST

To disclose or not disclose - it's a question that's been under heavy discussion in the computer security industry over the past year.

U.S. cybersecurity director Richard Clarke and virtually all software companies insist that software vendors should have a chance to fix problems before security researchers disclose them publicly.

Researchers counter that without full disclosure, companies often fail to swiftly patch security holes. Full disclosure, in theory, also alerts computer users to problems that are already known to malicious hackers, who often exploit holes before patches become available.

But a recent post on security news mailing list BugTraq has infuriated some who normally favor full disclosure.

The post details how a bit of programming code embedded in a Web page can reformat site visitors' hard drives, deleting all files stored on the affected drive. The exploit affects users running Microsoft Internet Explorer versions 5.5 or 6.0.

"Even if you are in favor of full disclosure, that post falls far outside of the accepted parameters for a public forum," said security expert Richard Smith. "I don't understand how publishing this kind of malicious code increases security. Symantec (which hosts the SecurityFocus website and BugTraq mailing list) is just helping out the script kiddies.

"BugTraq is a moderated list, so it has the choice of what messages are sent out to the list and which ones are rejected," Smith added. "Why wasn't this message rejected?"

