Forget Disclosure -- Hackers Should Keep Security Holes to Themselves

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/

By Andrew Auernheimer
Opinion
Wired.com
11.29.12

Editor’s Note: The author of this opinion piece, aka "weev," was found 
guilty last week of computer intrusion for obtaining the unprotected 
e-mail addresses of more than 100,000 iPad owners from AT&T’s website, 
and passing them to a journalist. His sentencing is set for February 25, 
2013.

Right now there’s a hacker out there somewhere producing a zero-day 
attack. When he’s done, his “exploit” will enable whatever parties 
possess it to access thousands -- even millions -- of computer systems.

But the critical moment isn’t production -- it’s distribution. What will 
the hacker do with his exploit? Here’s what could happen next:

The hacker decides to sell it to a third party. The hacker could sell 
the exploit to unscrupulous information-security vendors running a 
protection racket, offering their product as the “protection.” Or the 
hacker could sell the exploit to repressive governments who can use it 
to spy on activists protesting their authority. (It’s not unheard of for 
governments, including that of the U.S., to use exploits to gather both 
foreign and domestic intelligence.)

The hacker notifies the vendor, who may -- or may not -- patch. The 
vendor may patch mission-critical customers (read: those paying more 
money) before other users. Or, the vendor may decide not to release a 
patch because a cost/benefit analysis conducted by an in-house MBA 
determines that it’s cheaper to simply do ... nothing.

[...]

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org