"If I bought a used car and then later found the locks did not work, I might tell a friend and I'd certainly call the dealer. I wouldn't, however, put an editorial in the paper including my car's description until I had a solution to the problem."
Alright. What if it's a new car and a wheel keeps falling off? Or the locks don't work to the point that you have to get a locksmith in every time you tune the radio to 99.9 FM, put it in reverse, and adjust the rearview mirror. Would you still just tell a friend and the dealer? I certainly wouldn't. That strikes me as irresponsible. There are other customers and potential customers, like yourself, who could benefit from knowing that.
Personally I can see a few points to this argument either way, though ultimately I think the responsible thing to do is release the exploit immediately. A bit of my thinking on this:
Computers are going to become much more relevant, central, and have many more critical uses than they do now. It would make sense to make security an absolutely primary concern in development now. There are billions of hours of coding experience which do not take security into account (well enough, anyhow). It would ultimately be more scalable and reusable to ensure those foundations, and any theoretical flaws in our methodologies are more likely to be discovered if every programmer and company were attempting to maximize the security of their software.
The possible, brief security holes caused by immediate disclosure are outweighed by the value of getting the industry (generally) off its ass and finally giving security the attention it deserves. This applies to everyone from kids writing junk web scripts, to blunders in SQL parsing, to ill-conceived operating system implementations.
It seems kind of naive to assume a corporation is necessarily going to provide security, considering the dismal history of many software products. The mindlessness of bureaucratic structures has provided us with enough examples of corporations giving more of a sh*t about capital than people. This is not to say the people IN that corporation don't care, but ignorance, cavalier attitudes, mindless conformity to structure, lack of accountability, incompetence, and/or irresponsibility have given us enough examples that we should know that we cannot rely on the goodwill of corporations to care about our, the customers', best interest.
Some companies do have decent track records, sure, but many don't. As customers, we should be demanding security in these products, and pressuring them to provide this security in one of the few ways we can: damaging their reputations, and ultimately sales, for putting out insecure product. There is too much inertia in a large organization to expect them to change without a serious threat to their investors' pockets. Bad press for their product is going to lead them to change a lot quicker than an occasional person complaining about their product through official channels.
The dangers of collusion, when exploits are privately shared, aren't insignificant. Depending on what the exploit is, they may want it held back for months, and it may be cheaper to give the security company or its executives "incentives" to hold off the release. Bottom line: the software company is in a position where they would be making more money working at their own pace, knowing they are providing their customers with an insecure product, instead of biting the bullet and working like dogs to solve the problem as quickly as possible.
Basically, I think a little (potential) pain now, to save a lot of (potential) pain later, is the way to go. Many corporations are putting out shoddy products, and need a fire under them to change their ways.
On the other hand, I would hope like hell somebody told me about an exploit in code I've written before the rest of the world found out, but I consider that up to them, and would hope they would do so out of respect for a history of addressing such issues. Either way, it would be my screwup, and I should have to work my ass off to solve the problem, and deal with any bad publicity as a result.
Yes, it actually is a straw man.
You misrepresented this:
"...a committee of the National Academy of Sciences has declared that, beyond being inadmissible in court, there is no scientific basis for polygraphs."
As meaning this:
"...they are not admissible in court--having nothing to do with the science of polygraphs, but because of court standards for admission of evidence..."
This is a strawman. They never said "because", they said "beyond being".
As an example: "Beyond losing my leg, I also lost a testicle and an eyelash in the accident." Does not mean one has lost the testicle or eyelash BECAUSE of losing the leg.
As well:
"...by agreeing to be polygraphed, one thereby seriously jeopardizes his or her claim to being a scientist..."
Is not quite the same as:
"...because there is no scientific basis for polygraphs...if you agree to something this unscientific, then you cannot possibly claim to be a scientist."
These are similar, but they do not actually mean the same thing. Jeopardizing one's claim is not the same thing as "not possibly" being able to claim that thing. (Granted, this is mildly pedantic.) However, you then further misrepresent the position, stating that it doesn't consider the possibility of the individual having other motivations.
IOW, you misrepresented the statements in order to more readily attack them. AKA a strawman.
I read the parent post and assumed he either yanked it from some joke website or some particularly incompetent marketing department.
Then I looked into his posting history, and discovered it's regular, identical boilerplate. Squirting arbitrary and unsubstantiated statistics incessantly doesn't strike me as particularly reliable.
Many companies and organizations have made the shift to OSS, and have found the results beneficial. Whether or not any individual company can gain from that approach is determined by their particular needs, not by (at best) the fanatical biases of a corporate fanboy.
Ugh. A couple of other predictions for 2007:
1. Entertainment writers will spend the last week of 2007 wracking their brains for meaningless, top-ten-list, fluff pieces in order to receive their next paychecks.
2. The apparent MS astroturfing campaign will continue on /. unabated.
3. Apologists for the upcoming Vista horrorshow will continue to denounce MS critics as zealots.
4. A new branch of mathematics (VERIZONMATH) will dominate industry calculations, leading to much hijinx, and ultimately, total economic collapse.
5. Richard Stallman will learn to levitate, leading to much hijinx, and ultimately, total economic collapse.
Thank god it wasn't a leap year!