posted 14 November 2001
An interesting argument and counter-argument about how computer security should work. One side argues that publishing information about security problems, including step-by-step code on how to exploit them, increases the number of attacks, although publicising the problem means that more users will hear about it and apply a patch when it becomes available. The other side says that keeping security flaws secret means that people find out by other means, but because the flaw isn't publicised, fewer people fix it, so you get a greater number of attacks but spread over a longer time. I'm not sure what the answer is, but I think both approaches are extreme. The vulnerability should certainly be publicised, but I think providing five-step guides to causing damage to systems is also a bad idea.