Down the rabbit hole: No protection for security whistle-blowers?
May 10, 2006. Posted by Matsu in Information Technology, Management, Security, Technology.
Welcome to Wonderland, Alice.
This morning Cory Doctorow posted this message on boing boing about how people who discover security flaws and make it public knowledge are getting arrested for breaking federal laws governing information technology and privacy. Here's some of what he had to say:
Why it's dumb to bust people for pointing out security flaws
Jennifer Granick's column in today's Wired News, "Spot a Bug, Go to Jail," covers the insane trend of suing and punishing whistle-blowers who report on security vulnerabilities.
It's a truism among security practitioners that there is no security in obscurity — in other words, that a system is made less secure if you keep its workings and failings secret.
It's only by the disclosure of failings that systems can be improved, and this disclosure also lets users of security systems make good decisions about whether a given system is adequate. If your bike lock can be picked with a ball-point pen, don't you want to know that?
First of all, did you know you could pick a bike lock with a ball-point pen? Now, that's amazing and amusing.
Secondly, how do you think IT professionals should respond when they accidentally discover system or network vulnerabilities? Should they just ignore them and tell nobody about it? Or, should they tell the organization that is responsible for securing the system or network? Or, should they go public with what they discovered and tell others exactly how the system or network vulnerability works and how it can be exploited?
I am not sure that we (as a society) should be prosecuting those people who discover and make public what they know about a security hole in either systems or networks. Now, if they act maliciously or exploit the vulnerability for some personal gain, then they should be prosecuted. But, if they are just trying to call attention to a problem so that some real damage can be avoided, then they should not be punished.
What do you think?