Re: Media Publish Hacks? Not so simple...
The comments previously posted on this topic all make basically the same response:
Yes, because exposing weakness makes for stronger security in the long run.
This is a simple, logical argument - and on the face of it, easy to agree
However, by exercising a little responsibility the media can do much more
to keep the internet secure. By recklessly publishing exploits as soon as
they are in the hands of the media, the doors are open to hackers to take advantage.
The responsible thing to do is to inform the creators of the insecure code
to give them a chance to develop a fix and THEN publish the story, safe in
the knowledge that the public humiliation isn't making things worse.
By taking this course, instead of further risking the security of innocent
users of insecure systems and grabbing a headline, you are making the internet
a safer place. The cost to the media? They risk someone else beating them
to a headline.
The sad thing is, that's probably too high a price. Most publishers would
rather make money on a headline than protect the security of people they
are claiming to protect by publishing such stories in the first place.
It would also be nice if the media announced *FIXES* for exposed security
flaws. A huge percentage of compromised web sites fall victim to holes for
which patches are already available. People complain about patches - if you
think there are too many you are crazy - they are the sign of a healthy and
active response to constantly improving and evolving hacker threats.
The fact is, developing 100% secure code is impossible. Period. Is there
lots of room for improvement? Yes. Do the published antics of bragging hackers
and script kiddies provide an environment which drives that improvement?
Yes. But I urge the media to think carefully how they manage a story: they
might be fuelling a brush fire that burns everyone.