Legal Issues


by Mike Masnick





Imprison The Messenger

from the how-nice dept

Why does this keep happening? Security professionals publish information about an exploit, and instead of treating the software company that designed bad software as the problem, everyone blames the person who outed the vulnerability. Obviously, there is a question of whether or not a security researcher should first inform the company in question of a vulnerability, but the idea of blaming the messenger is absolutely ridiculous. It's a "head in the sand" approach, which guarantees that (a) security holes stay open longer and (b) it's easier for those who want to exploit holes for malicious purposes to use them. Over in France, a researcher is now facing jail time for revealing some security flaws in an anti-virus program and noting that the company's claim to protect users from 100% of viruses was clearly false. The company in question isn't suing him for some sort of security breach, but for copyright infringement. Yes, apparently, the company is using copyright infringement not to protect its intellectual property, but to defend the reasons why it wanted to keep its software insecure for a longer period of time.


Reader Comments

  1. No Subject Given by Anonymous Coward on Jan 11th, 2005 @ 6:39am

    There's a law review article on this topic.


  2. Media by Jared on Jan 11th, 2005 @ 9:37am

    Why does the media explain in detail how to replicate (basically) possible terrorist attacks?

    Same principle - stupid media.


  3. hmmmm.. by Mikester on Jan 11th, 2005 @ 1:09pm

    So does anyone who finds a flaw on a website using McAfee's SiteDigger tool risk going to jail too?

