Full disclosure gone bad
Friday, February 23, 2007

I'm for full disclosure when (a) it makes the vendor put out a patch sooner rather than later or (b) it contains enough information so that the people affected can mitigate the risk, and it is posted in places where those people are likely to read it. But this recent post on the security team blog screams of the "I'm 1337, I can use nmap, I rooted 14716 computers" sentiment.

How does disclosing this flaw in such detail (like subnet addresses and the ISP name) help anyone? The story would have been just as interesting had he left those details out. And how many of the ISP's customers read or even know about this blog? Did the guy try to contact the ISP? He doesn't say. The most interesting part is that he publicly admitted to computer intrusion and may be liable under UK law! Very nicely done there, champ! I'm now going to contact some (hopefully) responsible people at Beyond Security (the sponsor of the blog) and the ISP to get this issue resolved.
I was going to comment here, but thought I might as well do it on my blog, since I have more control over it (and comments here are moderated): http://kuza55.blogspot.com/2007/02/on-disclosure.html
I just wanted to clarify that comments are only moderated as a spam prevention measure. Each and every non-spam comment will be published within a maximum of 48 hours (and usually much sooner). So feel free to comment away.