Security Experts


Hackers will read security advisories from the Computer Emergency Response Team and other security organizations. They will monitor security news groups and mailing lists. They will pore through security patches from vendors and read security books. Information is a double-edged sword: Any information about computer security can be used by hackers to their benefit. Many of the same tools used by system managers are also used by hackers.

However, security by obscurity does not work. It is shortsighted to think that hackers will not be able to discover flaws in your security just because you don't tell them. Hackers are much more creative about obtaining information and have the time to spend doing it, while system administrators are busy doing their jobs, taking care of the system and its users. Security professionals' policy of keeping security issues to themselves tends to penalize the administrators of small systems and systems in small businesses who do not have access to these security professionals. These are the system managers who need security assistance most.

Mailing Lists

Security mailing lists and other broadcast forums are used to announce security vulnerabilities and solutions. These have been used as jumping-off points for creating attack tools and locating vulnerable systems. There is truly no need to disclose a discovered vulnerability to the public. Only the process to eliminate the vulnerability is needed.

For security to improve, a move must be made from announcing vulnerabilities to a more efficient process of patching vulnerable systems to remove the security issues.

Customer Support

Support organizations exist to help users who are having trouble. These troubles can often be related to issues which are system vulnerabilities. Support personnel, in their desire to solve problems beyond the normal scope of user issues, will often supply details of security issues. Hackers will contact support groups by impersonating a user and requesting help or information. This information may be used to develop exploit tools or to clarify how a vulnerability can be used to the hacker's advantage.

Self-help discussion groups have been frequented by hackers to identify vulnerable systems or to convince users with troubles that they can help if given more information or access. Users of these support group systems have been exploited by hackers.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
