Editorial - A Month of Continuous Foolishness

Sooner or later you are going to hear about a project by two fellows to bypass the normal channels of security bug reporting and openly publish previously "undocumented" security bugs in Mac OS X every day for a month. The justification for this appears to be a craze started by H.D. Mooreis Month of Browser Bugs and some kind of desire for notoriety.

There are some problems with this approach.

First, not all security bugs can be turned into effective exploits. As weive seen over the last year, many security flaws are proclaimed in Mac OS X, but few see effective exploitation for technical reasons. Second, the idea that using forceful methods combined with a convenient bit of publicity as a justification is unwarranted, even if the security researcher remains anonymous for now. Third, there are appropriate channels to handle these discoveries that are professional and protect everyone. Finally, the supposition that there are some people who take the security of Mac OS X more seriously than the BSD professionals and Apple engineers is stupendously arrogant and self-serving.

There are many technical professionals working behind the scenes to secure Mac OS X. As weive seen with Windows, the reputation of a company can stand or fall on this issue. If a security researcher bangs on Apple about a flaw and doesnit seem to get invited to dinner with Phil Schiller, thatis just too bad. In this case the needs of the one are outweighed by the needs of the many.

So when you read about this, the best thing to do is feel sorry for these wannabes and move on to the next story.