The matter of data centre security was raised recently on a network mailing list I subscribe to. Someone was wondering if data centres checked incoming equipment for “bad stuff” – explosives and what-not.
The reaction from some was “don’t talk about that, we don’t want to give people ideas”. What a muddle-headed response!
The idea that “if the good people don’t mention it, the bad people won’t think of it” is a thoroughly discredited approach. Why? Because some good people are bad people and some good people become bad people. That’s why any good security approach assumes that the bad people know at least as much as the good people do.
Public discussion about vulnerabilities means the good people get to fix them, guard against them or at the very least know about them and plan for them.
It’s the same for physical holes in security as it is for software vulnerabilities. For actual holes, inform the affected party first, giving them time to act, then inform the world. For theoretical holes, just inform the world as soon as you think of it.
That’s what the original poster did – thought of a hole and asked what others thought of it. And the response was “Shh! They might hear you!”
Public discussion of vulnerabilities is the IT equivalent of vaccination. Secrecy around vulnerabilities is the IT equivalent of anti-vaxxing. Selfish, and ultimately self-defeating.