Hacker News new | ask | show | jobs
by jauer 1946 days ago
> Why did they published anything about the vulnerabilities before they were absolutely sure all of those has been mitigated?

Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

An entity may not want to fix things, but at some point their users / constituents have a right to know so they can take their own protective measures.
1 comments
smlckz 1946 days ago
> Because various entities tried to exploit that to defer any publicaton, which lead to things never getting fixed.

Also understandable.

> [...] so they can take their own protective measures.

Little can the ordinary citizen do whose data is at risk of exploitation. All responsibility lies on the government because the citizens do not have any other choice, as it seems to me. What protective measure can someone take who is vulnerable?

With a thorough reading of the article, it is clear that the hackers are aware of what they are doing:

> Once threat actors catch wind of major vulnerabilities against an organization they begin poking on their own, looking for more vectors of attack.

link
bee_rider 1946 days ago
The industry standard seems to be disclosure to the entity followed by a reasonable grace period, at which point the bug is disclosed to the general public (where there's room to quibble in what the definition of "reasonable" there is).

I'm not sure that helping individuals protect themselves is the main goal, though. It is important that entities respond to these issues in a reasonable timeframe, because if a small group of researchers, academics, or whatever can find a bug, then other nations' intelligence agencies or industrial espionage groups can as well.

Realistically, in the case of companies, the best an individual can do is not do business with them. In the case of government agencies in democratic countries, public pressure is the probably the way to go.

link
vijaybritto 1946 days ago
> What protective measure can someone take who is vulnerable?

Like deleting your sensitive documents that you have uploaded already. Removing contact information and other personal details.

link