Down the rabbit hole: No protection for security whistle-blowers? May 10, 2006
Posted by Matsu in Information Technology, Management, Security, Technology.
Welcome to Wonderland, Alice.
This morning Cory Doctorow posted this message on boing boing about how people who discover security flaws and make it public knowledge are getting arrested for breaking federal laws governing information technology and privacy. Here's some of what he had to say:
Why it's dumb to bust people for pointing out security flaws
Jennifer Granick's column in today's Wired News, "Spot a Bug, Go to Jail" covers the insane trend toward suing and punishing whistle-blowers who report on security vulnerabilities. It's a truism among security practitioners that there is no security in obscurity — in other words, that a system is made less secure if you keep its workings and failings secret.
It's only by the disclosure of failings that systems can be improved, and this disclosure also lets users of security systems make good decisions about whether a given system is adequate. If your bike lock can be picked with a ball-point pen, don't you want to know that?
First of all, did you know you could pick a bike lock with a ball-point pen? Now, that's amazing and amusing.
Secondly, how do you think IT professionals should respond when they accidentally discover system or network vulnerabilities? Should they just ignore them and tell nobody about it? Or, should they tell the organization that is responsible for securing the system or network? Or, should they go public with what they discovered and tell others exactly how the system or network vulnerability works and how it can be exploited?
I am not sure that we (as a society) should be prosecuting those people who discover and make public what they know about a security hole in either systems or networks. Now, if they act maliciously or exploit the vulnerability for some personal gain, then they should be prosecuted. But, if they are just trying to call attention to a problem so that some real damage can be avoided, then they should not be punished.
What do you think?
[…] Matsu posted about locks, indirectly, in reference to folks getting sued for exposing vulnerabilities. Fortunately, my bike lock isn’t susceptible to this vulnerability. […]
What would you do if a student discovered a hole and reported it?
Curious – I must assume you are suggesting that there is either a hole in the network where I work or some server/service on that network. What would I do if a vulnerability was discovered and reported by a student? First, I would hope that the student would be kind enough to let me or someone on my staff know about the problem so we could address it. That could be done anonymously, I think, and so there should be no fear of repercussions. But, even if it was not reported anonymously, I don’t think that just discovering and reporting a hole should cause any problems for the student.
Does that answer your question?
Now, about that hole… is this a hypothetical question, or is there something I should know?