How Much Hack Info Is Too Much?

Wednesday, 20 November 2002, 4:36 PM EST

To disclose or not disclose - it's a question that's been under heavy discussion in the computer security industry over the past year.

U.S. cybersecurity director Richard Clarke and virtually all software companies insist that software vendors should have a chance to fix problems before security researchers disclose them publicly.

Researchers counter that without full disclosure, companies often fail to swiftly patch security holes. Full disclosure, in theory, also alerts computer users to problems that are already known to malicious hackers, who often exploit holes before patches become available.

But a recent post on security news mailing list BugTraq has infuriated some who normally favor full disclosure.

The post details how a bit of programming code embedded in a Web page can reformat site visitors' hard drives, deleting all files stored on the affected drive. The exploit affects users running Microsoft Internet Explorer browser versions 5.5 or 6.0.

"Even if you are in favor of full disclosure, that post falls far outside of the accepted parameters for a public forum," said security expert Richard Smith. "I don't understand how publishing this kind of malicious code increases security. Symantec (which hosts the SecurityFocus website and BugTraq mailing list) is just helping out the script kiddies.

"BugTraq is a moderated list, so it has the choice of what messages are sent out to the list and which ones are rejected," Smith added. "Why wasn't this message rejected?"

[ Read more ]

Related items




Spotlight

The context-aware security lifecycle and the cloud

Posted on 25 November 2014.  |  Ofer Wolf, CEO at Sentrix, explains the role of the context-aware security lifecycle and illustrates how the cloud is shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Nov 26th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //