You forgot the third type - the guy that walked past afterwards or even watched the lil' old lady unpack her things and leave her purse there. For a sum of just $5, he offers to tell her something that would be very much to her advantage. (Personally, I'd pay the b@stard then follow them home, but that's another matter.)
Look, I agree - if the world was filled with #2 type of people then it would be a truly awe-inspiring, wonderful place to live. I think it's entirely impossible to have too many of them.
It's the #2s that make CodeProject and other sites like it flourish. Each of us benefits from that.
However, as far as I'm concerned, your analogy, while quite good, falls short of accurately modelling the situation being discussed.
Neither person #1 nor person #2 could have _their_ privacy breached as a result of the lady's forgetfulness. Many millions of people stand to suffer as a result of these flaws Microsoft keeps asking us to beta test.
The little old lady is not only unlikely, but also not suspected to be building Molotov cocktails in her garden shed, ready to assault the neighbourhood. With that in mind, there is no perceivable benefit for the community at large by failing to reveal to her that she's left her purse out - and in so doing, granted access to her home to anybody with her details.
Furthermore, do you think the little old lady would then stroll out to collect her purse at a time that was convenient to her, regardless of the harm that may be caused to her neighbours/people in her phone-book in the time that the purse is not in her hands?
Some companies have a history of being very slow to implement fixes, even after the exploits have been made public - I'm looking right at you, Adobe.
Until such a time that Microsoft, Adobe et al try to buy the exploit details AND are refused, I think they're simply reaping what they've already sown. It's our data and our lives they're elephanting with - if they can't be bothered doing it in a secure manner, and are too bull-headed (stubborn) to pay for someone else to do their homework for them, elephant em.
I'm equally curious as to just why it is that you wish them to die a horrible death.
Is it any of the following:
a) They search for exploits
b) They charge for their time and work
c) They do it in part as a way of beating the offending company.
How about releasing info on how to gain root-access to your Android or iPhone? Is that done by those deserving a death in brimstone too? What about those that are reported to be in possession of the master-decrypt key for PS3s? Is it disgusting that some people would love to have it in a heartbeat, so they could take advantage of the power inside, without being artificially retarded by the Hypervisor? I'm certain some governments around the world would prefer not to have to enter special arrangements with Sony to get such access - e.g. the US Navy, that has a supercomputer built out of (I believe) series I PS3s, since they allowed "Other OS" as an option. New ones are more power efficient, but have had this feature removed.
Methinks that this is an issue nuanced by at least 24 bits of greyscale. I think there's a minuscule portion of the entire issue that is either black or white, the majority of the remainder being a matter of point of view or personal preference. Some things, while morally okay, are illegal in some parts of the world - while yet other things are legal, yet they're morally reprehensible.
But in closing, I'll rephrase what I wrote earlier - when the companies concerned attempt to purchase the exploit in their own product and are refused, THEN and ONLY then would I consider the exploit-finders a bunch of sunshines. If there isn't even an approach made by the software company, I think they're being cheap, callous and calculating with our privacy and security. If someone else buys the info and shames/embarrasses MS/Adobe, etc - then great! If that then leads to a higher level of security in the products we pay so dearly for - what's the problem?
Make it work. Then do it better - Andrei Straut
modified 6-Nov-12 9:30am.