This is not a case of "eliminate all left-handed." You might argue that some ethical systems are not sound, and maybe you would be right, but the crux of this issue (which you seemed to miss in your generalized rant), is that I disagree with his idea of 'ethical.'
Ethically, this is like pushing someone out of the road so they don't get hit by a car. The pushing might hurt them a bit, but it's way better than getting hit by the car.
So many people are internet roadkill, they just don't know it yet.
The reality is most companies don't care about security.
When was the last time your boss added a security audit to your sprint? When was the last time someone said, "make sure you add enough time on this task to make it secure"? Security is not a priority for companies, so we don't spend time thinking about it.
Even if the software developer took every precaution and followed current methodologies to prevent vulnerabilities in their software, there is still a chance that a vulnerability exists.
My point is that when disclosing, you should take into consideration whether the software developers were following best practices or not. 99% of the time, the answer is: not.
"Arguably" being the operative word. That attitude is extremely naive and borderline criminal.
The criminal was the company that wrote the vulnerability in the first place.
If you disagree, and you're a programmer, then answer this: do your managers give you extra time on your tasks to make sure your code is secure? Have they ever encouraged you to care about security, or is it the opposite? Do they encourage you to treat user input carefully, and as a potential exploit? If your company doesn't do this, then they are negligent.
Remember there are companies who store passwords in plaintext. That is not only idiotic; anyone with half a brain knows not to do that.
Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.
Whenever you have a vulnerability as serious as this one, you better make sure that those regression tests go quickly... faster than five months.
Not that I care, iOS should be liberated from its walled garden, and privilege escalation exploits are the way to do that.
Counterargument. Essentially, there is no way to know that this exploit wasn't being actively exploited (and let's be honest: five months to fix the bug means they aren't taking security seriously).
That's how it should be. The only way we can ever get corporations to be more secure is by hurting them. A little ransom doesn't hurt.
Oh look, an apologist.
It doesn't matter. There are plenty of bugs in systemd.
The basic ethical principle is to not interfere with another's well-being.
That's your suggested ethical code. It's not everyone's. Is it ethical to pirate music? To violate copyright?
Now systemd isn't foolproof and probably not bug-free either,
That's understating it. A simple tweet can crash systemd.
The 'principles' which you choose to base your ethics on are entirely subjective.
Submit it! (after March 1st).
I favor that approach. When was the last time a company asked you (during a sprint or otherwise) to look at the code and make sure it was secure?
Relative to me, my ethics are absolute.
but there is never an ethically appropriate way to damage or steal information that isn't yours on equipment that isn't yours
It's never legal to do something like this, but ethical? Absolutely. Different people have different ethics, you shouldn't push yours on other people.
The world needs more education opportunities like this, where they can have a chance to change without actually getting hurt.
It's a good idea, you should have a router protecting devices from the raw internet, but can you really trust Norton to do anything right? Ironically, anti-virus companies don't have a culture of security.
Is systemd insecure? Oh yes, yes it is. It can be crashed in one tweet.
For these reasons I advocate irresponsible disclosure: we need to give companies motivation to improve their code.
It's why we need full and embarrassing disclosure, to motivate companies to take security seriously.
When companies start failing because of lack of security, then we will see them take it seriously. Not before.
If only the implementation had been written as carefully as the specification. But it won't be, because companies are lazy.
What exactly is a cybercrisis? A DDoS on a major DNS server? Or is it a hack of the DoD? Or is it a hack of the DoJ and DHS?
At this point, nothing short of poisoning a water supply would be called a 'crisis.' It would be called, "been there, done that."
Not only that, the arguably ethical thing to do is to always disclose. In most cases the exploits are being actively used (see previous link).
Yeah whatever dude, like you've ever built something that can't be DDoSed. Some security flaws are sloppy, but this is hard stuff.
This story is deficient: it doesn't have the IP address of the server.
Why, you don't think he's gay? :)