January 24, 2007

Full Disclosure

There's a theme I've discussed, argued and debated lots and lots of times, from since... what? ten years or so? It doesn't matter - the issue isn't solved and it just gets worse and worse. As the Free Hackers Manifest state, and well, once upon a time there was an hacker scene - where hackers "were just a bunch of young pranksters eager for technology", looking after "sweets for the brain". Soon enough they got older, got suits, ties and jobs, and traded sweets for money. And, suddenly, hackers were no fun anymore. So, and because full disclosure can't be just shutted up, they tried to regulate it. From RFPolicy to IETF's Internet Draft, that soon enough was shutted up, corporations tried more and more to regulate what can't be extinguished, because from regulation comes control. Now, at least according to the subtitle of this article, the act of discovering vulnerabilities can possibly be ilegal.

*sigh*

Now, COME ON! Are you kidding who? Who's to blame if your software is so crappy and full of bugs that you let anyone see your costumers' sensible data? It's better not to know? Let me use Bruce Schniers' words:
Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.


Security is a hard game to play - but, come on, YOU chose to play it. You can even destroy a scene, redifine words like 'legal' and 'ethic'. You can't control the hackers' mind.

No comments:

Post a Comment