Slashdot Mirror


User: xagnix

xagnix's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. Re:mini essay on the DMCA on Say Here Why Sklyarov Should Go Free · · Score: 1
    Without this type of "expose," we are in the position of the king in the children's story "The Emperor's New Clothes." We know that there are problems, but they are never fixed, because no one is allowed to talk about the problems, thus Adobe--or any other company--has no reason to improve, thus killing the innovation that I mentioned in my first paragraph.

    I agree with this, but it might become even worse; people might not know there are problems at all:

    Last year a TV program showed the insecurity of the home banking program (I'm not sure that's the right English term) of the ABN Amro bank. It turned out that any commands were stored in plain text before they were sent to the bank's computer. Somebody wrote a program that changed the account number to which a user wanted money to be sent. The TV program demonstrated how this program could be posted on a newsgroup as an update or patch.
    After that it showed how an unsuspecting user (and if we look at the spreading of e-mail viruses, there are many unsuspecting users) could open the file. The program showed the bank's logo and a progress meter while it was installing itself. After that the TV program showed that trying to send money to account A would instead be sent to account B. Even worse, because the program by default shows only a name (unaltered) and not an (altered) account number, the error would be hard to detect.
    Needless to say, ABN Amro wasn't happy; they would fix this problem ASAP.

    A few days later I saw this story in our local University newspaper (the story is halfway down the page and it's in Dutch). Two students from our university had detected the flaw almost a year before and reported it to the bank. The bank told them they would get back to them...

    My point is, without actually writing a program that shows a security flaw, nobody might get to know about the flaw. The media isn't willing to do a special report on how someone might theoretically some day circumvent some security. They're only interested if they can show something to their audience.
    And I think many companies are perfectly happy to let security risks exist if it saves them money.

    --
    Xagnix
    (Xinix actually, but that username was already in use)