http://www.theregister.co.uk/2010/04/23/verizon_narcissistic_vulnerability_pimps/

By Dan Goodin in San Francisco
The Register
23rd April 2010

Updated - In an official blog post, an employee in Verizon's Risk Intelligence unit has taken aim at researchers who disclose security flaws, calling them "Narcissistic vulnerability pimps" and comparing them to criminals.

"Have you ever heard of a terrorist referred to as a 'demolition engineer?'" the unnamed author of the rant asked, one presumes rhetorically. "How about a thief as a 'locksmith?' No? Well, that's because most fields don't share the InfoSec industry's ridiculous yet long-standing inability to distinguish the good guys from the bad guys."

The post goes on to propose that a person who discloses security flaws henceforth be labeled a "narcissistic vulnerability pimp," which the writer defines as "One who - solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure."

Besides befuddling all the men in leopard fur coats and feather-laced hats, this comparison is problematic for other reasons. As the recent Pwn2Own contest made abundantly clear, software makers can't be counted on to secure their products, at least not on their own. Security researchers armed with real-world vulnerabilities provide an important check on internal security teams and give them a powerful incentive to be thorough in finding bugs and swift in fixing them.

[...]

Received on Sun Apr 25 2010 - 22:41:43 PDT