Sorry for the late post.

The law who's traditional stance on the definitions of trespass and property have not fully adapted to apply to technology is taking a lop-sided balance of power to prosecute those who attempt to penetrate a system, but does nothing to those who do not protect the system. The laws must be changed and cannot apply to this argument, therefore this becomes an ethical argument.

In an online world similar to the Wild West with little rules and little law, it can sometimes be necessary for Good Samaritans to force others to perform the actions beneficial to the majority of society. Pen testing and reporting to companies/news media the issues found is therefore necessary to protect the whole of society. Banks (who never report security breaches) should be obligated to fix vulnerabilities to protect customer's data. It is unreasonable for banks to expect crackers to stay out, while customers expect banks to ensure their data is safe.

Security Focus (and as the owner Symantec) is about the furthering of security. Simply ignoring the issue isn't going to fix the underlying problems of companies not closing security holes. The law is slow to adapt, and the business world would rather make money than spend it to fix the problems. That is what this article is about, and Security Focus & Carr should be applauded for educating others of these lapses society.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/481/35231#35231