Just because the word "security" appears in a company name or person's title, it doesn't necessarily mean those entities are really trying to help protect you against danger, loss, and criminals. Sometimes, they become the danger, loss, and criminals. Two examples of that this week:
Goatse Security manipulated an AT&T Web server and stole ICC-IDs and email addresses of iPad users that they knew were not intended for public consumption. They then hawked the stolen data to gawker.com to make a big PR pitch for themselves.
Even worse:
Tavis Ormandy, a security researcher for Google, went to incredible lengths to first find and then exploit an obscure vulnerability in Windows. I say incredible lengths because in Tavis' own words: "Without access to extremely smart colleagues, I would likely have given up". (Hmmm...does this mean other Google employees helped?)
Tavis reported the discovery to Microsoft on Saturday, June 5th, a weekend. But even though "they confirmed receipt of my report on the same day", Tavis impatiently released the full exploit code 2 working days later. Now, thanks to Tavis, the vulnerability and its exploit are fully discoverable and clearly documented for anyone to easily use for attacks.
Both Goatse and Tavis would have us believe their efforts were noble, but in both cases it was their own actions that have put users at risk. Reminds me of that old saying "with friends like this, who needs enemies".

There was nothing irresponsible about Goatse’s disclosure. They made sure AT&T was notified, waited until the flaw was fixed, and everything Gawker put out was redacted.
Ok, true. Irresponsible was a very kind term for a group that broke in, stole data, then fenced the stolen data for bragging rights.