ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Do 'irresponsible' security researchers help or hinder?

Published: 26 Jan 2005 16:20 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

To many software makers and security consultants, flaw finder David Aitel is irresponsible.

The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

Last week, Immunity published an advisory highlighting four security holes in Apple Computer's Mac OS X -- vulnerabilities that the company had known about for seven months but had kept to itself and its customers.

"I don't believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."

Despite efforts from Microsoft and other companies to direct how and when security alerts are sent out, independent researchers like Aitel are sticking to their own vision of flaw disclosure.

For them, software companies have become too comfortable in dealing with vulnerabilities -- a situation that has resulted in longer times between the discovery of security holes and the release of patches.

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

Next

Previous

1 2 3


  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Dell

Did you find this article useful?
211 out of 382 people found this useful


Talkback

Post a comment


Full Talkback thread

5 comments

  1. I'm afraid my take on the whole disclosure uproar... Todd Knarr
  2. In my view it's OK to give the vendors some t... Arthur B.
  3. Here are a few key points: 1st: The guys who write... Michael
  4. Mitsubishi Motors in Japan hid critical informatio... Anonymous
  5. Let's face the issue head on! When a company knows... Anonymous

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Exception Java Developer Hedgefund Algo Execution Trading - DMA/FIX

Links/messaging protocols for order execution both direct to exchanges and via prime brokers through FIX connectivity. Exception Algorithmic Trading. ...

Emebdded Engineer - Linux Kernel Specialist - England/Germany l

My Exclusive world-renowned client is currently seeking a Linux Kernel Specialist. This is to design and develop complete Linux solutions requiring ...

Equities & FIX Application Support Specialist - Contract

Working knowledge of the FIX protocol (versions 4.0; 4.2 and 4.4). My Client has a requirement for an Equity and Exchange Connectivity Support ...

Featured Talkback

What was achieved there is recognised to be of fundamental importance to both winning the war (Churchill visited to say 'thank you' to them) and the development of the computer. Maybe Bill Gates doesn't want to support this museum because it underlines where electronic computing started i.e. here, not the U.S.

By: 1000103773

Read full story:
Bletchley Park faces bleak future

Sentry Posts Blog

Mobile Security Expert: Your Camera Ph...

Mobile Security Expert: Your Camera Phone Got Hacked Author: Eric Everson, Founder MyMobiSafe.com Have you ever heard someone say “I’d like to be a fly on the wall in that room.”?... More

Post a comment

Skype - The Roach Motel

Here is an interesting article from The National Business Review, pointing out once again that you can never delete a Skype account. Never. Period. This is something I am familiar... More

Post a comment

The vPhone: Why Visa Should Go Mobile

The vPhone: Why Visa Should Go Mobile Author: Eric Everson, Founder MyMobiSafe.com With all of the success of Apple’s iPhone, there is a growing case to support a company like Visa... More

Post a comment

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers