Hacker News
by dcminter 450 days ago
I find your view bizarre.

If I buy a physical product, take it home, and then publish the various issues I find with it then ... nobody has a problem with that

I'm as sad as the next guy that the safe and trusting internet of academia is long gone, but the generally accepted view nowadays is that it's absolutely full to the gills with opportunistic criminals. Letting people know that their software is insecure so they don't get absolutely screwed by that ravening horde is a public service and should be appreciated as such.

Pen testing third party systems is a grey area. Pen testing publicly available software in your own environment and warning of the issues is not, particularly when the disclosure is done with care.

1 comment

I agree, and, conforming to HN rules, guidelines and established practices, I did not, in fact, read or engage with the article at all (and I apologize).

Your view is one I agree with completely for a device bought to bring into your own home.

What I find less understandable is how finding (and exploiting) security flaws in publicly facing structures is normalized to the degree that it is. I can easily analyze some public structure and publish detailed records on how you would most efficiently break into my local hardware store. I'm not sure I'm seeing the net win for society.

How is it better to not look into or share such information when we know that a vast army of assholes are doing the same thing for nefarious purposes?

Yes, they might not spot it themselves, but we know that in practice they often do and the results are horrible. If we stop looking then they will definitely be the first to find vulnerabilities - as it is they are only sometimes the first (and the vulnerabilities they find are likely to be the lesser appalling ones).

Privately sharing the issue with the authors lets them fix it in a timely way, publicly announcing the issue after a reasonable period of time incentivises them to do so - corporate authors often won't bother unless their arms are twisted.

If those black-hat hackers were not really out there then I might agree with you, but they are, and they don't care that we don't like it.

In a way I am definitely seeing your perspective here. Letting "good guys" win this race occasionally is an improvement over never letting them win.

It's just that I think we can do better, because I think the web is a hostile, vitriolic open sewer and must be governed properly before civilized business can be conducted on it. It was perhaps a great innovative place, but it now is a dumpster fire causing endless headaches and beyond redemption. I think it's time to face this reality instead of trying to dress up the turd.

That's an equivalent demand to expecting the world as a whole to be "governed properly" and thus won't be achieved for exactly the same reasons.

Not the world, our patch on it. We more or less succeeded in the physical world depending on who you ask. Don't see the problem with the digital.

Are you not aware that the internet is an international artefact? Will you institute a Great Firewall to prevent your citizens from seeing outside your borders?

An inconvenient question I often ask about proposed architecture changes is: "How will you get there from here?" - if you can't answer it then it's not going to happen.