Why Sharing Ransomware Code For Educational Purposes Is Asking For Trouble (betanews.com)
Mark Wilson writes: Trend Micro may still be smarting from the revelation that there was a serious vulnerability in its Password Manager tool, but today the security company warns of the dangers of sharing ransomware source code. The company says that those who discover vulnerabilities need to think carefully about sharing details of their findings with the wider public as there is great potential for this information to be misused, even if it is released for educational purposes. It says that 'even with the best intentions, improper disclosure of sensitive information can lead to complicated, and sometimes even troublesome scenarios'. The warning may seem like an exercise in stating the bleeding obvious, but it does serve as an important reminder of how the vulnerability disclosure process should work.
Most people that find vulnerabilities want to tell the manufacturer. But after a long history of being ignored or even being threatened, many have reverted to giving the corporations responsible a fixed, short time to fix things, because otherwise nothing happens. Giving them more time just makes them drag their feet, because fixing vulnerabilities costs money. Those complaining here are at the very root of the problem. I should also point out that this corporate fuck-up has been going on for a few decades now.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You're confusing the goal with the process.
More secure software is the goal.
If a temporary process of punishing a product's users by spreading details on how to hurt them is deemed necessary in order for a company to "start treating security seriously", then that's an argument one might make.
If a company is (arguably) already treating security reasonably seriously, then spreading details on how to hurt their customers does not achieve anything. It just spreads misery.
"For educational use" is as ludicrous and beside the point as "for backup purposes only" was for Hotline servers 15 years ago. If the company has or is in the process of acting reasonably fast, actually spreading the details (as opposed to threatening to spread the details) on how to hack someone just makes you a d-bag whose name will be cursed alongside that of the script kiddie who uses your info to hack someone.
>Businesses don't just sit on their ass and let defects sit around, and security holes they know of wide open. They fix them. If, and when, they can.
Is this the case, though? We've seen Microsoft, Google, and others take the approach of "I won't fix it until it's discovered" or worse, "I won't fix that at all." (See many /. stories for examples.) Or say something closely related like "well then you better upgrade to Windows 10" which on its face seems reasonable but ....