| Assignment | Points Earned |
| This Site | 34,000,000 |
With the rise of the World Wide Web, new ethical and legal issues are being brought up that could never be addressed or maybe even conceived of before (See references 1-3 at the bottom of the page). People are able to plagiarize the work of other with unheard of ease. Hackers can do great damage to almost any computer system. Large numbers of people are pushing for stringent anti-spam legislation, but laws we have are having little effect. Compounding the problem is that computer security issues and vulnerabilities are increasing rapidly, growing 200% in 2001. For this article I would like to center on a specific issue: If a hacker finds a security flaw and is unable to contact the company that has it, does he have a right to disclose the information to the public? (See reference 5).
Some hackers genuinely want to help the security scene, and think the best means to do so is to find the nature of security holes that can be exploited, then publicizing this information so that everyone can patch up their security. This, however, is a double-edged sword. If the holes are released, inexperienced hackers can and probably will exploit them. But, if the holes are kept secret, some hackers will most likely find them anyway and then the damage would be far greater since the companies must then try and find the flaw in security while the hacker is doing damage. My position on the issue is that if a security hole is found, hackers should do everything in their ability to alert the company of it before all else. In this manner, the company is protected and the security patch can be then sent to others. If the company absolutely cannot be reached, the hacker may then disclose the nature of the flaw, but not the code of the exploit involved.
Allow me to elaborate on that last bit. Many people think that when it is reported that code was released, the hackers actually publicized the code for the exploit, so that just anyone can use it. This is not always the case. For instance, one group of hackers who call themselves w00w00 Security Development found a vulnerability in AOL's instant messaging software. They released the code revealing the vulnerability soon afterwards. Some find that very irresponsible, but w00w00 defended their actions, explaining that all they released was proof-of-concept code, not the exploit itself. This would still point the way for malicious hackers, but it would take some considerable expertise to bridge the gap between the two.
One might think that the actions off w00w00 are conflicting with my own position since the hackers did not contact AOL, but the editor of NTBugtraq Russ Cooper explained, "AOL made it very difficult for anyone to contact them with this type of information. They only provided a feedback forum, which looked like it was for marketing, not for technical purposes. So AOL needs to make a better effort at making themselves available to groups like w00w00 if they expect to find the information directly out of the discoverers as opposed to through the media".
So as you can see, w00w00 was unable to contact AOL due to AOL's own fault. I believe that in this instance, w00w00 acted admirably.
But the situation will certainly get worse than this relatively minor problem. If a group of good hackers finds a very subtle but very important security hole, they would have a greater dilemma. Experienced hackers do exist, and with proof-of-concept code they would be able to find the hole and exploit it, possibly devastating the company. The problem isn't even limited to companies. Plans are being put forth for internet voting. If people found a hole for this, elections could be manipulated to devastating effect. Some have even considered that hacking will be a means of terrorism in the future. For instance, what would happen if a terrorist-hacker got into the New York Stock Exchange? He could potentially trigger a massive recession. Now what if a group like w00w00 found that exploit first? Who do you call to alert about that kind of thing? I must conclude that the government, companies, and anyone who uses computer systems should have a way for groups like w00w00 to reach them. Otherwise, we may not realize the need for it until someone releases code and a malevolent hacker exploits it to hurt others.