I’ll Bite – Feel Free Not to be so Helpful

I really can’t figure out why people say things like this regarding bugfinding:

"Finally: nobody has made any case for why "opposition research" (Jaquith‘s term) is anything other than helpful to the community as a whole. Snort is widely deployed and perfectly fair game, by which I mean, people who take the time to improve its code are doing the community a service, regardless of what you think their motives are."

One of the big differences between physical world vulnerabilities and ‘Net vulnerabilities is that it is trivial to find specific targets. A second is that these targets can be halfway around the world. What these two things do is make the attacker’s costs trivial. And what that means is that bugfinders (let’s face it, they really aren’t "researchers" when all they do is look for buffer overflows) are FORCING their "helpfulness" on a bunch of unsuspecting netizens. Thanks, but no thanks.

It is incredibly presumptuous for any bugfinder to think s/he can randomly pick a target (that "fair game" foolishness), find a bug, and decide it is a good thing for the ENTIRE INTERNET. What’s more, it is irrational to actually believe it. Maybe bugfinders don’t realize that every new bug found increases the threat level for everyone and even a prevented attack costs money. I can only surmise that they are ruled by their emotions.

Security is about tradeoffs. People have scarce resources to apply to the problem. Bugfinding forces people to apply resources in areas that they may not want to, by creating virtual hotspots in areas where there were no previous indications of a problem, and we know that anytime in the future, problems can crop up out of nowhere.

Motives drive intent; it is silly to think that they don’t matter, and it is contradictory to precede it by assigning a motive of benevolence.