In addition to what I said above, there's another growing demographic that's sort of the elephant in the room here: The basement dweller who spends his days playing World of Warcraft while his parents work. I've seen a lot of these, and IMO they're the biggest cause of the obesity epidemic. If you give these people free money, believe me, they don't move on unless they are literally evicted. I'm sure you guys have heard the horror stories about video game addiction where such and such person loses their job, their wife, and their house, while they were playing video games.
A term used in parts of Europe, heavily in Japan (especially within the last 10 years or so), but that's virtually non-existent in the US is "NEET" -- "Not in Education, Employment, or Training (school)". There's a little bit of overlap with the Hikikomori.
The take-away is that we really do have to consider that there's a higher case of actual psychological dysfunction associated with these groups (including "Failure-to-launch" Millennials in the US, etc.). Whether it's caused by, exacerbated by, or simply correlates with the unemployment is almost beside the point -- once afflicted, any social policy for "fixing" the problem needs to take this into account.
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Newsflash: Fixing a problem like this in the field is harder than making a git commit and telling people to recompile.
Also, only a dipshit with no ethics equates "vendor" with "customer" when life or limb is on the line.
Whistle-blowing is releasing information. Without it, your consolation prize is a hat made of tinfoil and a ruined reputation.
Whistle-blowing is releasing information about the internal process, and *PERHAPS* demonstrating it opaquely. Not releasing the exploit itself.
Releasing an exploit down the road may be ethical for a generic security issue or bug. Not when lives are on the line.
It seems to me that it is more similar to a whistle-blower than to the security through obscurity model of not releasing the information.
I question your ability to know that no one is actively doing this. Proving a negative is difficult at best.
I'm all for whistle-blowing. But if sufficient results are not achieved, the response should be *more whistle-blowing*... NOT releasing the information.
The latter may (may!) be ethically justified in other situations; not here.
This is the kind of problem that doesn't get solved unless you have people demanding answers en masse.
If your answer to "How do we get people demanding answers en masse?" is "demonstrate to unethical 12 year olds how to easily kill people", and then using the aforementioned dead people as a cause for more action, then you should probably re-evaluate your ethics.
Find another way besides treating "crashing a car" the same way you treat "crashing a computer".
Frankly, I'd put this more along the lines of the folks who DoS'd 911 PSAPs. The fact that it's possible doesn't excuse your doing it, and doesn't excuse intentional efforts to make it easier for others to do so.
Pressed, yes. More pressure = call your Congressman.
When "more pressure" = "demonstrate to script kiddies how to easily kill people", the value judgement changes.
... unethical to be releasing detailed information on an exploit.
It doesn't matter that the argument is that "Without exposure, car companies won't fix it!"... At the moment, no one is actively *doing* this or using this exploit. Simply being told that it's possible should be the limits of what an ethical hacker should release.
The cost-benefit analysis going into the value judgement of a release of more details for hacks is VERY different from the analysis of some HTTP flaw or kernel bug. Actual lives are at risk, and the ability of your work to be used to cause accidents and kill people by remote control changes things.
"Pok pok pok, P'kok!" -- Superchicken