Forget Disclosure — Hackers Should Keep Security Holes to Themselves

By Andrew Auernheimer Opinion 11.29.12

Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.

Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.

But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:

The hacker decides to sell it to a third party. The hacker could sell the exploit to unscrupulous information-security vendors running a protection racket, offering their product as the “protection.” Or the hacker could sell the exploit to repressive governments who can use it to spy on activists protesting their authority. (It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.)

The hacker notifies the vendor, who may — or may not — patch. The vendor may patch mission-critical customers (read: those paying more money) before other users. Or, the vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do … nothing.


______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More!