As a computer professional (whatever that means) I feel we all have a responsibility to educate people about these issues. You cannot have a moral standard for cyberspace because there is not a good enough public understanding about how cyberspace works.

"Hackers" have been demonized due to the sins of the few and the misunderstanding of the many. Your average person doesn't understand how a server works, but knows they depend on it. The average person is being scared to death by the identity theft public campaign. If you take it from their point of view it is a very powerless stand point. They can't install a dead bolt or buy a gun to protect their bank account. They don't know how to defend their livelihood but are being told that sinister "hackers" lurk in dark corners waiting to take all they own.

I constantly correct people for using the term "hacker" to refer to computer crime. I explain to them how they are offending many people with that term. Much the way people used to (and still do) casually refer to a police wagon as a Paddy Wagon. I was unaware until it was pointed out what an offensive term that is. True hackers should not be demonized for their curiousity because the press has decided to mislabel a few script kiddies.

There should be a resource for people like "Brookbond" who discover a hole in a system. Had someone exploited that hole and published sensitibe info about the applicants then this would be a whole different issue. That person would be held accountable if found, but would ApplyYourself be?

A standard should be set for "reasonable" security much like there is for keep out signs and such. If a company is not living up to that standard then they should be responsible for data breaches. Of course this standard would be evolving and fluid, but so are many other legal standards. Along with this a system for reporting these holes without fear of reprisal should be established. If I know my bank has got a gaping hole in their system I shouldn't have to keep my mouth shut (as I close my account). I should be able to report it and either get it fixed or warn the public.

I believe that is another dilemma in this case. As a person who has discovered and exploit which reveals sensitive information about people, what is my moral obligation? Do I have a moral responsibility to warn the public? And if I do why then am I in fear of being arrested for doing so?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/309/31190#31190