Found this article on MSNBC. A college is going to start holding classes for writing virii. They say it is justified because the more you know about how a virus works, the better you will be able to fight them in the wild. There was also mention of the Wired article where they listed a play by play of a virus with source code. Of course the AntiVirus companies are up in arms about all of this. All of the talks break down to the simple question: Full disclosure...Yes or No? Do we keep exploits and virii a secret from the population / customers in the hopes of minimizing the impact or do we release all we know about everything and hope people will use the knowledge to help protect themselves?
I use to be on the side of full disclosure. I felt that information wants to be free and it should be available to everyone. Now I am not so sure. I began to really use computers in 1983 and back then, most of the users seemed to have a clue. Now...well for those of you who have worked at a help desk know the score. Businesses make choices by looking at the bottom line. If I invest x, what will be my return on the investment? Engineers see things differently and know that protecting the systems are critical. Managment does not see things this way and more often that not, becuase of IT cut backs, vendor choices etc... the systems tend to be left more vulnerable than they should. If all exploits were made public, who would read them. Some system admins, researchers, security companies and people who want to use the exploits for non-legal reasons. Business managment would not read the information and even if they did, they would not understand it. Their focus is on the business, not on the systems. That is why they have IT on the payroll but of course there are cutbacks, etc... It becomes a cycle.
I do see good changes in the business world. More and more, the managment end is starting to see their IT solutions as a crital part of the venture and not as a drain on their resources. I hope this trend will continue.
So, we come to the main issue: Full disclosure or Silence. Hold back the information and hope few people use it or release it and hope that no many people use it? I know that if the information is not released to the public, it will still be available on the 'net' but it is one thing for a script kiddie to try and figure out how to configure and compile an exploit he got from a web site, with minimal comments in the source, and having a step by step howto in a major publication like Wired.
I am still on the fence.

Read the article here: http://www.msnbc.com/news/925527.asp?0dm=C15LT