Last post Sep 22, 2010 08:23 AM by jamescd
Sep 20, 2010 06:31 AM | jamescd
Who picks up the tab for all this?
Surely stunts in which someone might have knowingly published details of weaknesses in security without regard for consequences are a violation of some law? Disregard for the consequences of one's actions cannot be regarded as fulfilling one's social responsibility, or as acceptable behavior. This is not journalism, it's key distribution.
So, gee, thanks for the heads up. A quick goog suggests that the very same people made the tool and revealed the exploit. And it seems it's 'open source' and has been freely available for some time. If this turns out to be true, is there any accountability?
Sep 20, 2010 08:45 AM | frez
If you publish how to make TNT on the internet and someone makes a bomb with it and kills a lot of people, you are not responsible; why should the technical equivalent of TNT be any different?
Sep 22, 2010 06:52 AM | jamescd
I thought about this for a while, and while your response is interesting, it is not an adequate response.
It's true that distributing recipes for explosives could fall under free speech, but this is hardly benign, and would expose the source to scrutiny.
What if I reveal an exploit against PKI? What if I bust the RSA cipher wide open? Just spill it out on the net? The consequences of such an action would be devastating to the global economy, and I suspect such an individual would have to take responsibility for the consequences of such an action. Scratch that - I DEMAND that such an individual be held accountable.
Is this the same as a TNT recipe?
Sep 22, 2010 07:40 AM | Rovastar
Who, Sir, are you demanding takes this action? The whole of the Internet?
Sep 22, 2010 07:48 AM | frez
You mean like this:
Perhaps not the best examples, but I am sure you could find better ones if you spent more than 2 minutes with Google.
It is only by publishing problems with security that we can act to prevent the problems.
Now you might argue that the moral thing to do would be to give the 'owners' of the security mechanism the details first so that they can work to resolve the issues before they become public knowledge, but how would you feel if you suffered a loss during this period when, if it had been public knowledge, you could have taken preventative steps? And how does someone go about raising a security issue with the confidence that it will receive attention? Would you know who to contact? Shouldn't your anger be aimed at the 'owners' instead for delivering something that is insecure?
How do you know that the loophole has not been known for some time by unscrupulous hackers using it for their own profit? Wouldn't you rather know immediately so that you can act to prevent an exploit if there is one?
Banks are always working on improving their security and data encryption. They know that the algorithms are under continuous scrutiny and attack, which become easier as technology advances. But like an onion has many layers, banks do not simply rely on one particular software solution for security. So a successful attack on RSA would not be, as you put it, devastating to the global economy.
You have to live with the fact that harmful information will find its way onto the internet; even if it was made illegal in some countries, there will always be countries where it is not, and the internet is global.
Sep 22, 2010 08:23 AM | jamescd
Some nice responses!