Order of the Bath

If someone you passed in the street stopped you to point out that your trousers were undone, you might get a bit embarrassed as you quickly did them up and you might stutter a bit as you thanked them. What you would certainly not do is flag down a police car and report your informant as a pervert for looking in the first place.

So why, when someone with a bit of knowledge discovers and reports a weakness in a web site, do some major organisations immediately call in the lawyers and take them to court on “hacking” charges. This has got so bad that security researchers, even professionals, are now wary of reporting such flaws direct to the owners. Instead they must publish publicly and anonymously to protect themselves. That means that the criminals have access to the information at the same time as the administrators making them much more vulnerable to attack. To be convicted of theft it has to be shown that you not only took something but also intended to permanently deprive the owner of it. Something similar needs to be added to the various computer misuse laws around the world.

However, in a far sighted move, Microsoft have said publicly that they will not take action in cases like this. Indeed they positively welcome being told.

This entry was posted on 22 Apr 2008 at 10:04 by Rick and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.