Swapping a white hat for a dark cowl may be necessary to get companies to take security seriously

Over the past week, hacker group Goatse Security revealed thousands of email addresses of iPad users it had mined via a hole in AT&T’s Website, including addresses belonging to high-profile military leaders, politicians, and business execs. Meanwhile, a security engineer at Google made public a vulnerability in Windows XP before Microsoft had a chance to fix it, and it’s being exploited even as I type this.

There are striking similarities between the two occurrences, most notably the justification that Goatse and Google’s Tavis Ormandy provided for sharing their findings with the world — and potentially putting innocent users at risk. Both are effectively claiming the moral high ground, arguing that they had to share their findings for the greater good because Microsoft, AT&T, and indirectly Apple weren’t taking the appropriate steps quickly enough to protect users.

Their arguments raise an interesting question: Should we view Goatse and Ormandy as heroic Batman-esque vigilantes who are taking computer security into their own hands, causing a little collateral damage along the way? Or are they more of the Joker-like megalomaniacal variety, stirring up chaos for laughs?

Google’s Ormandy publicized the hole in Windows XP just five days after sharing it with Microsoft. Ormandy claims he released the information because Redmond refused to commit to a patch within 60 days. “I’m getting pretty tired of all the ‘5 days’ hate mail. Those five days were spent trying to negotiate a fix within 60 days,” Ormandy tweeted on Saturday.

Meanwhile, Goatse Security member Escher Auernheimer said in a recent blog post that AT&T deserved what it had coming for failing to promptly alert users that their information had been stolen. “AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate — within the hour. Days afterward is not acceptable,” he wrote. “It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old data set to exploit users before the users could be enlightened about the vulnerability.”

That data set, combined with a hole in Safari for iPad that the group says Apple has failed to fix since March, could put iPad users at serious risk from foreign cyber criminals, Auernheimer argued: “When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare.”

The question, again, is whether or not Ormandy and Goatse did the right thing. On the one hand, their actions have equipped would-be bad guys with tools to take advantage of innocent end-users. Perhaps Microsoft, AT&T, and Apple have compelling reasons to work at their own pace in addressing security issues and to ensure those fixes are done properly.

Yet on the other hand, two months is a long time to wait for a patch of a security hole, whether it’s in Windows XP or Safari for the iPad. If a white hat hacker group or a security engineer knows about a vulnerability, it’s entirely possible that a professional cyber criminal or an entire syndicate knows about the hole as well. The real difference is that now the public knows about the problem, which means two things: First, users can be more vigilant and take steps to protect their data as best they can. Second, AT&T, Microsoft, and Apple are (or should be) feeling heavy pressure from customers, shareholders, and the public at large to fix the problem. And bad PR, combined with potentially lost business revenue, can spur a company to do the right thing.

The bottom line: end-users and organizations alike rely on technology companies such as Microsoft, Apple, and AT&T to keep their data safe — or as safe as possible. Yes, it’s tough to keep up with the bad guys who work 24/7 to uncover security holes. The question is, do Microsoft, Apple, and AT&T similarly work 24/7 to close those holes when they’re revealed? My inner cynic says no, they’re putting their resources toward more profitable endeavors; for the time being, white hat dark knights do serve a useful purpose.

This article, “Do cyber vigilantes make the computing world safer?,” was originally published at InfoWorld.com.