Over the past week, hacker group Goatse Security revealed thousands of email addresses of iPad users it had mined via a hole in AT&T's Website, including addresses belonging to high-profile military leaders, politicians, and business execs. Meanwhile, a security engineer at Google made public a vulnerability in Windows XP, before Microsoft had a chance to fix it, and it's being exploited even as I type this.
There are striking similarities between the two occurrences, most notably the justification that Goatse and Google's Tavis Ormandy provided for sharing their findings with the world -- and potentially putting innocent users at risk. Both are effectively claiming the moral high ground, arguing that they had to share their findings for the greater good because Microsoft, AT&T, and indirectly Apple weren't taking the appropriate steps quickly enough to protect users.
[ Also on InfoWorld.com: The AT&T data leak is no big deal -- really | Discover the latest in wannabe iPad killers. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Their arguments raise an interesting question: Should we view Goatse and Ormandy as heroic Batman-esque vigilantes who are taking computer security into their own hands, causing a little collateral damage along the way? Or are they more of the Joker-like megalomaniacal variety, stirring up chaos for laughs?
Google's Ormandy publicized the hole in Windows XP just five days after sharing it with Microsoft. Ormandy claims he released the information because Redmond refused to create a patch within 60 days. "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days," Ormandy tweeted on Saturday.
Meanwhile, Goatse Security member Escher Auernheimer said in a recent blog post that AT&T got what it deserved for failing to promptly alert users that their information had been stolen. "AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate -- within the hour. Days afterward is not acceptable," he wrote. "It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old data set to exploit users before the users could be enlightened about the vulnerability."