Wired Technology News

All the latest news from geekdom! Click any topic to open the article in a new window.

  • Boston Court's Meddling With 'Full Disclosure' Is Unwelcome -

    In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

    The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

    The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

    The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.

    Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism by which computer security improves.

    Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research, and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks, combination safes, master-key systems and many other security devices.

    Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.

    This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

    The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

    In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys.

    If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.

    The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception.

    We shouldn't. The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security.

    ---

    Bruce Schneier is Chief Security Technology Officer of BT Global Services and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.



  • Aug. 21, 1986: Volcanic Lake Explodes, Killing Thousands -

    1986: A deadly cloud of carbon dioxide sweeps down the slopes of an African volcano, smothering more than 1,700 people.

    Volcanoes can kill in many ways, but this one is pretty weird. A volcanic lake in the West African nation of Cameroon degassed violently (you could say it burped, or worse) in the middle of the night. Carbon dioxide is odorless and heavier than air. Most of the victims died in their sleep.

    Lake Nyos sits in the crater of a volcano that hadn't erupted in centuries ... and probably didn't actually erupt the night of Aug. 21, 1986.

    Magma deep underneath the lake releases carbon dioxide into its depths. Lake Nyos is 690-feet deep, enough for the water pressure to keep the CO2 dissolved in the lake water, rather than letting it bubble up and escape to the surface. And the crater rim towers above the lake, blocking winds which could otherwise stir the surface and create convection currents that would circulate the deep, CO2-saturated water upward to areas of lower pressure. The lack of seasonal variation less than seven degrees north of the equator also contributes to the lake's placidity.

    Volcanic rumbling or other seismic activity could have triggered the sudden release of the gas that deadly night, but there's no record of any tremors and no evidence that anything shook off the shelves of homes in nearby villages. It's possible the gas at the lake's bottom just got so concentrated that even under pressure it came out of solution and formed bubbles. Once the bubbles started rising, a "chimney effect" would have rapidly siphoned huge amounts of gas to the surface.

    The gas burst through the surface with a rumble, generating a giant wave that scoured vegetation from the shores. The CO2 cloud was at least 300-feet high, because it suffocated cattle on hillsides that far above lake level. Iron from the deep water oxidized and stained the lake waters with rust.

    Then the gas crept down the mountain valleys, invading homes. It extinguished oil lamps and suffocated people in their sleep. Some who were awakened by the loud gas bubble stood up and lived, because their heads were above the invisible gas near the ground. But many who went outside paid with their lives.

    Few survived. Those from neighboring villages who discovered the devastation recalled with terror the legends about evil demons living in mountain lakes.

    Had this happened before? Yes, at least on a smaller scale. A CO2 cloud released by Lake Monoun, about 60 miles south, killed 37 people two years earlier. (The much larger Lake Kivu -- on the Congo-Rwanda border -- harbors not only carbon dioxide, but methane, in its depths.) And Cameroonians frequently find frogs suffocated by CO2 in low-lying mud puddles.

    Engineers hope to prevent a recurrence of the tragedy by continuously degassing Lake Nyos. They've sunk a pipe from a floating platform into the depths of the lake. It shoots a geyser of carbonated water high into the air.

    Source: Google Earth; National Geographic, September 1987



  • Death by Volcano - Photo: Austin Post/USGS

    Volcanoes inspire awe and terror because they can kill in so many ways -- flowing lava, suffocating ash, flood from a released lake, landslides, mudslides, burning gas, shockwaves, earthquakes and tsunamis. A volcano can kill even when it's not erupting, as happened at Lake Nyos in 1986.

    We start here with three famous eruptions, modern and ancient, and then show the seven deadliest eruptions of the last 500 years, as listed by the U.S. Geological Survey.

    St. Helens Blows Its Top, 1980

    Mount St. Helens steamed to life in March 1980 and volcanologists knew it was ready to blow; they just didn't know exactly when. Officials closed the surrounding national forest areas to the public, but some people, like resort-owner Harry Truman, said they'd rather stay put. Others, like volcanologist David Johnston, were at observation posts deemed sufficiently far from the peak to be relatively safe.

    But when the volcano erupted at 8:32 a.m. PDT on May 18, 1980, it didn't just send steam and ash up its existing crater, it blew its top off, 1,300 feet of it. And it didn't blow straight up: A whole side of the mountain that was made of fissured, rotten rock broke loose. That created a massive landslide and released a deadly cloud of pulverized rock that killed Johnston, Truman and 55 others, most of them by asphyxiation. When the ash combined with lake and stream water, the surging volcanic debris, or lahar, stormed down nearby valleys wreaking havoc.

    Photo: Richard P. Hoblitt/USGS

    The Philippines' Mount Pinatubo ejected about 1.2 cubic miles of magma, sending a giant ash cloud more than 20 miles up into the stratosphere in June 1991. Ten times larger than Mount St. Helens' 1980 eruption, it was second in the 20th century only to Alaska's 1912 Katmai eruption. A million people's lives were at risk, but a good warning system saved thousands. The Philippine government evacuated 60,000 from the most dangerous slopes and valleys, and the U.S. evacuated 18,000 from nearby Clark Air Base.

    The eruption shortened the volcano by 850 feet and created a new collapse caldera, or crater, 1½ miles in diameter. Ash deposits 2-inches thick covered 1,500 square miles of land, burying crops and weighing down roofs. Rain from typhoon Yunya made it even heavier, and the accumulated weight, along with the typhoon's wind and seismic shaking from the summit collapse caused roofs to cave in ... the major cause of death from the eruption. Around 350 people died.

    Photo: Bettmann/Corbis

    In one of the most famous eruptions in history, Italy's Mount Vesuvius erupted suddenly in the early afternoon of August 24, A.D. 79. Glassy lava fragments, rocks, crystal and ash fell from the sky for a week, burying the Roman cities of Pompeii, Herculaneum and Stabiae on the Bay of Naples -- killing at least 3,360 people, but perhaps as many as 16,000. Among the dead was the Roman historian Pliny the Elder, who -- so great was his fascination with observing the event -- could not bring himself to flee from the danger.

    So vast was the layer of volcanic debris left on the three cities that their ruins were not rediscovered until 1748. The "bodies" at left are plaster casts made in 1961 from cavities left in the debris by decomposed bodies that had been sealed in rock and dirt for 19 centuries.

    Photo: Juhász Péter

    Iceland's Laki volcano produced the largest lava flow in historic times when a fissure 16-miles long sent a flow of pahoehoe (fast-moving, smooth or ropy lava) more than 40 miles in 1783. The 2.9 cubic miles of lava covered 218 square miles. The eruption continued intermittently for four months.

    Fluorine gas fell to the land as hydrofluoric acid in Iceland, dissolving the flesh off livestock. Fully half the horses and cattle, as well as three-quarters of the sheep died. Famine set in, the social order broke down, and looting was rampant. Eventually, a quarter of Iceland's people died of starvation.

    Sulfur dioxide gas released by the eruption traveled farther. Throughout Europe a heavy haze filtered the sun and a "dry fog" sat on the land. Excess heat caused scores of thousands of deaths. The hot summer was followed by a long, cold winter. Much of the Northern Hemisphere was 4 to 9 degrees (Fahrenheit) below normal. Siberia and Alaska had their coldest summer in half a millennium. Crop failure and famine were reported everywhere.

    Iceland lost about 9,300 people, but the eventual global death toll may well have been 10 times that … or more.

    Photo: Trisnadi/AP

    Mount Kelut (or Kelud), in East Java, Indonesia, has erupted more than 30 times in the last thousand years, including a 1586 eruption that killed 10,000 people. The 1919 eruption disgorged a crater lake into nearby valleys, drowning 5,500 people. Starting in 1926, engineers built tunnels to drain the lake to prevent such catastrophes.

    Steam and hot gasses rise above Mount Kelut in this photo from November 2007.

    Photo: Roger Ressmeyer/Corbis

    Unzen Volcano on the island of Kyushu is about 25 miles east of Nagasaki. A month after a 1792 eruption from its current summit, the slopes of an older part of the volcanic complex, Mount Mayuyama, gave way. The resulting landslide swept through Shimabara City. It entered the sea, causing a tsunami. The landslide and tsunami together killed more than 15,000 people in Japan's worst volcanic disaster. You can still see the landslide scar above Shimabara.

    Unzen erupted again in 1991, sending ash flows down its slopes at 125 mph.

    Photo: R. J. Janda/USGS

    Colombia's snow-capped Nevado del Ruiz volcano exploded Nov. 13, 1985. The hot volcanic gas and ash melted the glacier and mixed with the meltwater. As the slurry tumbled downstream, it added dirt and rocks, gaining volume and density. Debris flows up to 130-feet thick swept into some inhabited river valleys at 30 mph, destroying everything in their path.

    The town of Armero (left) was 46 miles from the crater, but the crush of mud and boulders hit it two-and-a-half hours after the eruption began. The river of concrete swept Armero away in a matter of minutes, killing three-quarters of its population. All together, the eruption claimed 25,000 lives.

    Photo (left half of stereoscope card) courtesy Library of Congress

    The 1902 eruption of Mount Pelée in Martinique, West Indies, sent a glowing cloud of burning, poisonous gas laced with ash down the slopes of the volcano. It swept into the town of St. Pierre at 100 mph and burned or suffocated the entire population in a matter of minutes. Of the 30,000 people in town, only two (or perhaps four, depending on the account) survived. Three nearby towns suffered the same fate, as did the crews of 16 ships in the harbor. In the 10 square miles of burned-over land, as many as 36,000 people may have died, and only 30 survived.

    This group of refugees in Fort de France had the apparent good fortune not to be in the path of the glowing cloud.

    Photo: flydime/Flickr

    Krakatau (aka Krakatoa), in Indonesia's Sunda Strait west of Java and east of Sumatra, exploded in August 1883 with 26 times the power of the biggest H-bomb test. The collapse of the volcano into the sea generated 100-foot tidal waves that wiped out hundreds of villages and more than 36,000 lives. Much reduced, the sea wave swept around the world.

    Four hours after the massive explosion, it was heard 3,000 miles away as the "roar of heavy guns." The sound was audible over 1/13 the surface of the globe, according to the Guinness Book of World Records.

    The eruption also threw pumice 34 miles into the sky. Dust fell 3,000 miles away 10 days later. Islands of pumice floated on the oceans for months, and airborne particles caused vivid red sunsets around the world.

    Half a century after Krakatau's epic explosion, a new volcano broke through the surface of the ocean. Anak Krakatau, for "child of Krakatau," (left) remains active and grows about five inches a week.

    Photo courtesy NASA

    Tambora, which is east of Java, produced the most-powerful eruption in recorded history in April 1815. It lowered the height of the island 4,100 feet. Heavy ash fall on nearby islands killed crops, resulting in the starvation of a probable 92,000 people.

    The eruption of more than 36 cubic miles of pulverized rock produced a volcanic cloud that lowered global temperatures by as much as 5 degrees Fahrenheit. The effects continued for more than a year, and some Europeans and North Americans called 1816 "the year without a summer." Further famine-related deaths almost certainly occurred.



  • Review: Fashioning Technology Explains Knitting, LEDs - The latest book from O'Reilly and Make Magazine explores the fertile intersection of crafting and hardware hacking: Think knitting, plus circuit boards and LEDs.

  • Design Ahead of the Curve With CSS 3 - The CSS 3 specification is not yet complete, but today's browsers aren't waiting by the sidelines to embed its rich features. Safari, Opera and Firefox are on board, so why aren't you? Start using the cool new CSS 3 features, like rounded corners, today. We'll show you how.

  • Judge: Copyright Owners Must Consider 'Fair Use' Before Sending Takedown Notice - A federal judge rules that copyright owners must first consider "fair use" before sending takedown notices to online video-sharing sites like YouTube requiring removal of clips. Universal Music argued it could send a takedown notice even if a posting qualified as a fair use of a copyright.

  • Flash Creators Jump Into Energy-Savings Game - Greenbox, a startup founded by the creators of Flash, announces the roll-out of its power-consumption-monitoring application. Installed along with networked electrical meters to a limited number of homes by Oklahoma Gas and Electric, the new trial is Greenbox's first move into a market that's quickly become crowded with competitors like Tendril, Agilewaves and DIY Kyoto.

  • How to Administer an Epinephrine Shot - The worst time to find out you're highly allergic to something is when your throat suddenly starts to swell shut. Slow the onset of anaphylactic shock by delivering a quick injection of epinephrine as a first aid measure. Modern devices make it easy, but it's best to be prepared, so learn the basics now by following our guide.

  • Facebook Ads to Turn Friends Into Marketers - Facebook's new social ads could put friends in the uncomfortable position of marketing products that they may not even be aware they're selling.

  • Techies Open Up Fantasy Sports Field - Open source is coming to a fantasy football field near you. A slew of tech veterans think fantasy sports could be the next killer app for sports online, driven by open APIs.
