Shouting ‘bug’ on a crowded Internet…

[As ever you can read this on the BBC News website, and it’s also on CircleID]

In the last few weeks we’ve seen two very different approaches to the full disclosure of security flaws in large-scale computer systems.

Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London’s Oyster card will soon be available to anyone with a laptop computer and a desire to break the law.

These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being resolved. Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers?
