Cognitive dissonance by (security) example

Having just written a post on cognitive dissonance in security, I was anxious to try to find an example. Lo and behold, Bruce Schneier’s blog has an interesting piece on how the police are "marking" cars that have exposed packages (ahem, holiday packages, that is) with a bright yellow sticker. A-ha!

I scrolled down the comments from people commenting on how stupid this was until I came to a comment from "Joseph":

I fail to see how this differs substantially from advertising
vulnerabilities in software to force software vendors to fix their
security holes. I’m amazed at how much venom is being sprayed at police
in the comments, when if a security researcher took the same approach
with vendors about obvious security vulnerabilities, they would be
hailed as heroes.

It’s the exact same argument: "If you publish vulnerabilities, you are helping the bad guys."

Now, I am not sure this is cognitive dissonance, but the point is well-made (I know, because it was exactly what I was thinking ;-) ). It happens that further comments also pointed out some differences (no, the two cases aren’t exactly the same, but it is close). The primary differences are:

  1. One is about software, the other is about cars. (Okay, I made this one up ;-) )
  2. Exploits of software vulnerabilities are externalities to the vendor; i.e. many users bear the risk. (from "ARM").
  3. Software vulnerability notices are not directed against specific instances of a vulnerability, only the notion that one might exist. (from "Paul").

Presumably, this means that it is still okay to say that the police are stupid and bugfinders are heroes. But there is a problem with these reasons. The first one (number 2 in my list) actually describes a risk that increases for many people, not just the ones that the police put stickers on; the second one (number 3 in my list) completely ignores the cost of target acquisition in both cases, to the detriment of the point being made. That is, it is much, much simpler to find and exploit many specific instances of vulnerable software (around the world) after disclosure than it would be for folks to get within geographic proximity to a yellow sticker (where is Conyers anyway?).

Yes, there are differences… in all the wrong ways. Now that is cognitive dissonance.