In The News: Do cyber vigilantes make the computing world safer?

This InfoWorld article examines whether “cyber vigilantes” (CVs), those folks who uncover security vulnerabilities in well-known, popular software and bring the vulnerability to the software manufacturer to be corrected, are good guys or bad guys.  As the article points out, there are two sides to the issue: 1. these folks are doing a good thing, because bringing the problem to the company’s (and sometimes the public’s) attention for correction helps the company and all the users of the software by avoiding widespread exploitation of it and the havoc that would create; or 2. they are doing a bad thing by making the vulnerability public, jeopardizing the company and public safety by bringing the problem to the attention of the hackers.

I suggest you read the article and form your own opinion, but here’s mine.  I’m not sure whether these guys are wearing white hats or black ones; probably some of both.  The practice of some of the CVs is to pressure the company into making a quick modification to the software to close the vulnerable “hole,” and this almost always causes a confrontation.  The company usually doesn’t move quickly enough to satisfy the CV.  This could be because they don’t think the vulnerability is as great a risk as the CV does, or because, given the complexity of the software, they may not be able to produce a high-quality patch in a very short period of time.  It seems to me that many times the CV is unreasonable in their demand (perhaps justifiably so), and when the company reacts as above, the confrontation escalates to the point that the CV threatens to, and sometimes does, go public with the vulnerability information.  This relationship between the CVs and the software companies could be a very productive one if the above scenario of confrontation were ratcheted down a notch or two…or three.

The source of this ongoing problem of software vulnerabilities is that the software companies don’t design and develop their software with enough emphasis on security.  In order to improve, they must invest in educating their development staff…writing software that avoids exploitable vulnerabilities…and in quality assurance…testing for vulnerabilities.  Perhaps if the number of vulnerabilities is reduced, the number of CV/software company confrontations will be reduced too.

However, the cynic in me believes that the companies won’t spend the money necessary to improve the software security and the CVs will continue to get an ego pump by pushing the software companies around…and consequently, this situation will be around for a long time.

What is your opinion on this issue?  Are these guys wearing white or black hats?  Are the companies doing all they can to improve their software?  Are you sick and tired of all these software vulnerabilities and their inherent danger?  Let me know.  Please comment on this article; we all learn from each other when our views and opinions are shared.

I hope you enjoyed this article.  If you enter your email address in the Email Subscriptions box on the home page, I’ll send you an email when a new article is posted.  I don’t share your email address with anyone…no one; I hate spam too.  Please share my site with your friends and family.  Thanks.

Remember, home computing is a blast…keep it productive and enjoyable.

Best regards,

Paul
Filed under In the News, Internet, security, software

2 responses to “In The News: Do cyber vigilantes make the computing world safer?”

  1. A hacker by any other name is a hacker. The basic objective of a hacker is to obtain unauthorized access to information, unauthorized control of a device, or enable an unintended feature/capability. What a hacker does with the information derived from attaining their objectives determines if they are good or evil. If a hacker uses the information for personal gain, personal gain of others and/or to intentionally inflict damages onto others (loss of productivity, revenue, customers, confidence, money, identity, etc.), then it is safe to assume that a hacker is evil. If a hacker reveals a vulnerability to the public with good intentions, but something bad happens as a result, then a hacker has definitely done something bad, but it doesn’t make him good or evil.

    Things to consider:

    1. Good Samaritan hackers feel compelled to save the world from evil. I can’t fault them for that.

    2. Many companies fail to acknowledge a vulnerability brought to their attention. In other words, as far as the company is concerned, there is no vulnerability.

    3. A hacker wants to tell a company about a vulnerability, but there are no means for the hacker to contact the company, the company refuses communications, or the company just refuses to acknowledge the hacker’s communication.

    4. Pro and top tier hackers already know about some of these so called “newly discovered” vulnerabilities, so when someone “spills the beans”, they are alerted to the fact that they need to change their tactics or risk being discovered.

    5. There needs to be a better process for reporting vulnerabilities. Perhaps vulnerabilities need to be reported to an intelligence agency first and then that agency can deal with the software company. This takes the hacker out of the loop and “may” shield him from legal action by the company.

    • Mr. Reiner,
      Thanks for this thoughtful comment. I think the involvement of a third party, perhaps a government agency, may solve the problem of confrontation between the good samaritan hacker and the software company. However, it would have to be designed in such a way as to be able to move the information between these parties in an expeditious manner. I’m glad you stopped by my blog.
      Best,
      Paul
