Security Companies or Hackers

Are security firms anything more than hackers trying to wear a white hat?

Recently AT&T’s network was hacked into, which resulted in the exposure of 114,000 iPad email addresses along with each device’s unique identifier (ICC-ID). After this company notified AT&T (this part is still a little foggy), they then sold the story to Gizmodo. This article is not about the details of this particular incident, which you can read more about on CNET:
http://thenextweb.com/apple/2010/06/10/the-att-ipad-hack-how-the-hackers-did-it/

It should be known that I’m no lover of AT&T, and the vulnerability that was discovered was a very simple mistake on their network. Here are some common scenarios that are employed by these so-called Security Companies.

Scenario 1: Security Company A finds a vulnerability in Company B’s network. They contact Company B and offer to fix it for a price. Company B says no, and then Security Company A releases it to the public.

Scenario 2: Same as above, except the security company tells Company B about the vulnerability and gives them time to fix it before they sell the information to a 3rd party.

Either of these seems like extortion! Of course, the premise of these companies is that by uncovering vulnerabilities they are doing us all a service, and that this justifies their actions.

Wrap Up: From my point of view, hacking is hacking, and unless AT&T had given this company permission to check their network for problems, what they did was steal private property and then sell it to a 3rd party. Unfortunately, until corporations like AT&T, to whom we provide our information, start to do their own housekeeping, these companies will continue to thrive.

It seems that for networks the size of AT&T not to have hackers on staff or under contract borders on incompetence. In an age where identity theft is rampant, these networks need to ensure their (our) data is secure and safe from simple scripting attacks such as this one.

Update: iPad/AT&T Hacker Arrested on Drug Charges: According to several reports, at least one of the people involved with the recent iPad/AT&T security breach has been arrested.