Doug's Mailbag: Public Disclosure of Flaws -- Redmondmag.com

Barney's Blog

Doug's Mailbag: Public Disclosure of Flaws

Are security firms doing us a favor by letting us know about vulnerabilities? Or does the practice only give uninformed hackers another tool to attack us? Here's what some readers have to say:

I completely agree with you here. Rapid7 is acting in the best interests of the hackers by publicizing this before a fix is in place. Working in IT for the last 20 years has taught me that no matter how tight your security is, there is always a hole. I used to ask pupils at a school I worked at to actively try and hack the network (Novell Netware and Windows 95) in return for letting me know where the holes were. This earned such enterprising individuals extra credit and a nice, warm, fuzzy feeling inside. Not to mention my gratitude. If they had let all the other kids know before giving me chance to plug any gaping holes, there would have been chaos.

Rapid7 is an idiot, in my opinion
.-Roy

Well Barney, I must agree with you. TOTALLY irresponsible to broadcast specifics of a flaw to everyone on the face of the planet. It just enables the hackers that didn't already know about it to go about exploiting the vulnerability before the fix is available.

It would be like the news media reporting on how many U.S. troops are being deployed to which country and how many U.S. ships are being deployed to which body of water and...oh wait, that's being done too.

In a day and age when the media cares more about a 'hot' story than they do about national security why should we expect them to sit on IE flaws?

Geesh, what a wonderful world we live in, eh?
-Jim

The reasons are quite simple why these are publically disclosed.

One, it gets your firms name out there. Two, it puts pressure on software designers to hurry and create a patch. And three, as a security firm it generates more income as new clients will want testing done to see if they are affected.

Who would pay top dollar for testing on an issue that already has a patch successfully deployed? Also who better to test for a flaw than the ones who reported it in the first place?

It's morally bad. But from a business mentality, what's bad for you is always good for the corporations. If you want a business to survive in times like these you MUST be ruthless and throw morals to the side. Your competition will not give you any slack. So why should you give them any?

All in all I don't blame them for doing it. I just don't agree with the ethics behind it.
-Jonathan

Share your thoughts with the editors of this newsletter! Write to [email protected]. Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).

Posted by Doug Barney on 09/26/2012 at 1:19 PM

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.