• Selling Vulnerabilities?

    Think about it: You found a way of breaking into my house (it would not be too hard, but let's just use this as an example) and you are selling this knowledge to intruders. Is this legal? Is this ethical? I mean, my home has vulnerabilities, and if you discover an easy way to get in, are you really allowed to sell that knowledge?

    If we take it to the next level: You have the knowledge of how to break into a specific branch of a bank and get to their money. May you sell it, or would you not become part of the robbery that way?

    In my personal opinion, these questions are easy to answer, aren't they? Most of us will answer all of these questions with a "no" (where we could probably argue about legality but not about ethics). So why do we have to have this kind of discussion about software vulnerabilities? The argument I often hear is that it takes a lot of work to find those vulnerabilities - well, it also takes a lot of work to find a way into that bank, doesn't it?

    Articles like the following are scary to me: http://www.iht.com/articles/2007/01/29/business/bugs.php

    Let's rather work together to make the Internet a safer place instead of making money off vulnerabilities. Often this is linked to Microsoft - but the problem is much, much bigger than "just" Microsoft. Let's come back to the bank statement above - now in cyberspace :-(

    I would love to get your comments on this.

    Greetings from Amman

    Roger

  • Secure the Wireless Network - 101

    You know that feeling, don't you: Your neighbor has set up a wireless network, you switch on your PC and see it. It is completely open and unsecured - as they are out of the box. Now you have two options: Ignore it and leave your neighbor vulnerable, or give him/her a call - and lose one of your precious evenings configuring yet another wireless LAN.

    Well, there is a pretty good article on how to secure a wireless LAN that you could point your neighbors or friends to: http://www.dailywireless.com/features/secure-wireless-lan-021507/

    Roger

  • Application Security Issues - The Top Ten

    We talk a lot about security issues in the infrastructure or with the users. We often overlook the application as a possible source of vulnerabilities. Pretty often, as an example, vulnerabilities in backup software cause major problems.

    Here you find a collection of the "Top Ten" Application Security vulnerabilities: http://www.owasp.org/index.php/OWASP_Top_Ten_Project

    A pretty interesting list.

    Roger

  • UAC and the discussions around it

    Well, a lot of the time when I talk to people about Windows Vista, two things pop up: User Account Control and Digital Rights Management. I will save DRM for another post, but I think there are two blog posts you could read with regard to UAC:

    Jeff Jones wrote an excellent article about how he uses it: http://blogs.technet.com/security/archive/2007/02/12/the-value-of-uac-in-windows-vista.aspx

    And then, if you want to get technical, it is (once more) Mark's blog that is worth reading: http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx

    For me it comes down to the number of pop-ups with UAC, and this really has to be put into perspective: I am working as a standard user on my Vista box and rarely need any elevation at all - unless I have to install stuff (and then I want UAC to ask me for elevation). The challenge with UAC is to survive the first few days - the time during the setup of the machine. There you get a certain number of prompts (obviously). Once your machine is set up and running, there is barely any need for elevation.

    Roger

  • How secure is your router?

    It is interesting to see how the threats and problems move over time - but basically the core problems remain the same: Default passwords that have not been changed, poorly configured systems, unpatched computers, and - last but not least - no "Secure by Default". And all of a sudden you do not own your router anymore, and your router is used for a pharming attack.

    If you read the following article, take a special look at the end: Do not use Windows 95, 98 or Windows XP SP1 anymore! Upgrade to supported versions of Windows in order to make sure that the operating system is able to defend against attacks that are common today (and were not when the OS was developed).

    http://www.itwire.com.au/content/view/9803/1103/

    Roger