informa
2 min read
article

Apple, Security, And Disturbing Questions

Troubling questions are being raised by one of the few meaningful security issues to impact Apple. As InformationWeek's Larry Greenemeier points out in a blog entry, "Some say the security research community is more dangerous than the hackers they warn against" because Mac exploits are being placed directly o
Troubling questions are being raised by one of the few meaningful security issues to impact Apple. As InformationWeek's Larry Greenemeier points out in a blog entry, "Some say the security research community is more dangerous than the hackers they warn against" because Mac exploits are being placed directly on the Web soon after the vulnerabilities are discovered. He quotes a security expert as saying that advisories sometimes serve as more of a publicity machine for the issuers than as a service to IT organizations.Meanwhile, analyst Rob Enderle--one of the IT industry's chief pot stirrers--asserts that the security vendor community is, in effect, feeding itself with all the warnings it issues, Apple merely being the latest example. "By telling people about an exposure, you're telling someone else how to [exploit] it. I think security companies should spend more time catching criminals than telling them how to become one," the ever-provocative Enderle says. His view is, in turn, dismissed by Gartner security expert John Pescatore as so much old news. But if security vendors didn't derive at least some benefit from all the publicity surrounding vulnerabilities, they'd be far less proactive in dishing out the information, advice, and expertise every time a new one comes to light.

So all the disclosure of vulnerabilities that's come about in recent years does raise a legitimate issue of whether the availability of too much information--from researchers, vendors, blogs, and news stories by swarming journalists--only makes matters worse. What's your view? Would corporate (and personal) IT security be better served if researchers and vendors weren't so trigger-happy with the bulletins and reports? Or do we need all that information to keep even a half step ahead of the hackers? Weigh in at the comments field below, or respond to our poll.