Hacking for dollars

29.07.2005
By Bob Francis

Last week's column on the possible ethical queasiness caused by spamming the spammers -- not to mention sending my friends George and Charlie on a perpetual snipe hunt -- apparently struck a chord.

Most readers responding to the column were more than willing to cross any possible ethical line to rid their systems of spam. If I were a spammer, I would not put out a shingle stating my trade.

Many also asked some good questions, such as why ISPs aren't doing more to can spam when those same ISPs complain about companies like Blue Security that spam the spammers? Not a bad question.

Readers are not the only ones willing to cross some potentially wavy ethical lines to tackle security issues. On July 25, TippingPoint, 3Com's security arm, announced it plans to reward security researchers and hackers who reveal information on newly discovered vulnerabilities as part of its Zero Day Initiative.

A "zero day" attack is when a researcher discovers a vulnerability and discloses the flaw to the public without first notifying the vendor. This puts businesses and individuals at risk from the time of the disclosure until the affected vendor issues a patch. Some patches can be made in hours, but even then it takes time for affected machines to download and apply the patches.

The idea of the Zero Day Initiative is to ensure the "responsible" disclosure of security flaws to make the technology more secure for all users, according to David Enderle, director of security research at TippingPoint. "We believe security researchers want to be recognized for their discoveries, but currently they don't often do it in a responsible manner. They announce the vulnerability to the world, and then it is a race between the software company and the hacker community to either build a fix or exploit the code," he said.

With the Zero Day Initiative, those researchers will instead alert TippingPoint to the vulnerability. TippingPoint will validate the vulnerability, inform the affected company of the vulnerability, and wait for a patch to be ready before releasing the information to the rest of the world. To report a vulnerability, go to http://www.zerodayinitiative.com. TippingPoint will pay a reported US$2,000 for a verified vulnerability.

Companies such as Microsoft have long resisted paying for information on vulnerabilities, believing a bounty will just encourage hackers to find flaws. Some security research firms, such as iDefense, will pay for vulnerability information, but they share that information only with their clients, at least initially.

TippingPoint might want to make sure it has operators standing by. The SANS Institute reported 422 new flaws uncovered in the second quarter of this year, a 10.8 percent increase over the first quarter and a nearly 20 percent increase from the second quarter of 2004. The report also notes that vendors issue plenty of patches for the flaws, but that they are often not installed quickly enough by businesses and consumers.

And according to a new report from SANS, computer hackers are now setting their sights on increasingly popular programs such as the iTunes music service and backup software programs.

Apparently, operating systems such as Windows are now far too passé for true hackers (the ol' reliable -- or is that unreliable -- Internet Explorer browser remains the primary attack target for hackers). Hackers now put their bugs in Elvis' "Burning Love," and wait for some unsuspecting fan of the King to punch "download." That's sure to leave some music lovers all shook up -- and not in a good way.