How Much Hack Info Is Too Much?

Wednesday, 20 November 2002, 4:36 PM EST

To disclose or not to disclose: it's a question that has been under heavy discussion in the computer security industry over the past year.

U.S. cybersecurity director Richard Clarke and virtually all software companies insist that software vendors should have a chance to fix problems before security researchers disclose them publicly.

Researchers counter that without full disclosure, companies often fail to swiftly patch security holes. Full disclosure, in theory, also alerts computer users to problems that are already known to malicious hackers, who often exploit holes before patches become available.

But a recent post on security news mailing list BugTraq has infuriated some who normally favor full disclosure.

The post details how a bit of programming code embedded in a Web page can reformat site visitors' hard drives, deleting all files stored on the affected drive. The exploit affects users running Microsoft Internet Explorer browser versions 5.5 and 6.0.

"Even if you are in favor of full disclosure, that post falls far outside of the accepted parameters for a public forum," said security expert Richard Smith. "I don't understand how publishing this kind of malicious code increases security. Symantec (which hosts the SecurityFocus website and BugTraq mailing list) is just helping out the script kiddies.

"BugTraq is a moderated list, so it has the choice of what messages are sent out to the list and which ones are rejected," Smith added. "Why wasn't this message rejected?"
