Ethics of Full Disclosure of Security Holes Essay


Introduction

Security breaches are making big headlines nowadays, and Microsoft is leading the charge. Its flagship operating systems and office suite are so bulky and complex that it is impossible for them to be bug-free. The system administrators (the white hats) are up to their noses plugging all the holes from super hackers (the black hats). Yet they are also facing attack from another front – those that post vulnerabilities on the internet (the gray hats).

The gray hats are hackers that find security vulnerabilities and post them on the internet, forcing system administrators to patch up the holes. Usually, they inform the vendor ahead of time. Then, if they deem the company is
[…]
He compiles the code and unleashes the virus, and suddenly he is responsible. Scott Culp, manager for Microsoft's security response center, called information posted by some companies and independent security consultants "information anarchy."

"It's high time the security community stopped providing the blueprints for building these weapons. And it's high time that computer users insisted that the security community live up to its obligation to protect them." 5

Marcus Ranum, CEO of security software vendor Network Flight Recorder Inc., agreed that posting security flaws does not work. Why isn’t the state of security improving then? These “rock throwing” incidents are just for pride, and to attack large corporations like Microsoft. He says the gray hats are acting irresponsibly, destroying code that works, and are not making valuable contributions for the betterment of society. “The Huns didn't know how to build Rome; they just knew how to sack it," he said. "Just show us that you have useful stuff [instead of] destroying other people's stuff." 1 It would be better if they put their skills into helping create defenses in the software, instead of actively nitpicking the weaknesses.

On the other side of the argument, researchers and users strongly encourage releasing information about security vulnerabilities quickly. If the white hats get to the information first, then they prevent the black ones from exploiting it. Deterring
