Hackers, software companies feud over disclosure of weaknesses
As Muhammad Faisal Rauf Danka recalls it, he tried 10 times to call a software maker about a devastating security flaw in one of its most popular programs.
"It is so simple it is funny," the Pakistani researcher says. But nothing happened. Then he took his findings to a global audience — a worldwide mailing list devoted to exposing and exploring software bugs.
Vindication came swiftly: Within days, Microsoft acknowledged that 200 million of its Passport accounts had been left open, apparently for months, allowing the easy hijacking of credit-card and other personal data. The company shut down the Passport system and fixed the hole.
To some, Danka is a hero for publicly prodding a big company into swiftly correcting an error. But to Microsoft, he is an "information anarchist" who makes it easier for malicious hackers to inflict havoc on the masses.
- Article: An informal analysis of vendor acknowledgement of vulnerabilities (8 April 2002)
- Article: Full Disclosure of Vulnerabilities - pros/cons and fake arguments (8 April 2002)
- Article: Issues: "Save a bug, safe a life?" (1 April 2002)