Comment Re:This is what happens... (Score 1) 156
I would say it was only amoral if exploited for one's own gain or to others' detriment.
So if a hack gives reputation to a security researcher while embarrassing the website owners - how is this not exploitation for the researcher's gain to the website owners' detriment? You go there and pull off an I-am-smart-and-you-are-a-moron on these folks that are trying to make a living. How is that different from being an asshole?
The argument that security researchers are actually doing good is just an unsubstantiated assumption that needs closer scrutiny, and it is quite likely not true in many situations. For example, the SCADA vulnerabilities have not led to any major or even minor problem, yet they have generated a lot of FUD and maybe even given ideas to criminals and terrorists. Researchers have gotten their nice reputation out of this, but what has the world gained? And look at how the credit card industry works. A lot of their shit is fundamentally flawed from a security point of view, yet it works and is quite convenient. How can that be?
Security researchers make a nuisance of themselves in many situations, and don't even realize it. Their "told you so" can be extremely costly to a company when there is trouble, because of how it affects liability issues. Most companies would not be viable if they had to fix every bug unearthed by researchers or face full liability claims when their unfixed code fails. The kind of talent needed to get security stuff right is just not available in the needed quantities at a reasonable price (i.e. hourly rates comparable to that of a janitor) so it is unreasonable to expect things to be secure. The alternative to insecure stuff is no stuff. Everybody who's not a propellerhead knows this.