Well, it seems security boffin Dan Kaminsky thought the right thing to do was let the experts in on the secret but keep the rest of us in the dark.
His logic was that if he disclosed the location of the security hole too early, the bad guys would rush to exploit it before the good guys could get their collective fingers into the dyke.
Kaminsky’s plans came undone when a relative newbie stumbled on the same security risk almost by accident and blithely wrote about it with a “am I the only one who thinks this is a problem” approach.
So the security cat got out of the bag a tad earlier than originally planned. But this raises the question: was the delayed release of the information solely about giving ISPs and others time to apply a fix?
Some people more cynical than I might think there was just a hint of glory to be gained by announcing the flaw to a large and cheering audience at the next Black Hat festival.
Regardless of whether the motives for the delay were as pure as the driven snow or otherwise, no doubt anyone whose system has been compromised through exploitation of the flaw will be screaming that they should have been told earlier.
And of course, how do we know none of the “bad guys” had already worked it out for themselves? After all, the security experts keep telling us these hackers spend all day doing just that – looking for holes we don’t know exist. So on that basis, should we demand that any and all flaws that are found get immediate disclosure?
Are there parallels with the way we deal with other potential threats? Should we not tell the inhabitants of some town in the path of a hurricane of their impending doom until the ‘experts’ have digested the problem and figured out the best response?
The world community railed against Burma for not telling anybody what was about to happen and for then pretending it hadn’t already happened. Has the Internet become so important that we need to make it compulsory to report all threats the instant they are discovered?
Then again, even if we did, who’s going to enforce it? Like they love to remind us, nobody owns the Internet. Yet.
Opinion: Secret security stuff
By Ian Yates on Jul 25, 2008 9:34AM