In the latest rounds of the Ostrich Security Game, HID Global Corp. has become an active player. Threatening legal action, they forced the cancellation of a session from the Black Hat agenda. They claim patent infringement, while the company discussing the vulnerability says it lacks the resources to fight any legal battle. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)
The big loser? Companies and individuals who care about security, especially security that concerns RFID used in identification systems. Who wins? No one, not even HID Global.
The idea that, by squelching discussion of a flaw, you can eliminate exploitation of the flaw, is ridiculous. No one thinks that HID Global has made its system, or any other RFID system, even fractionally safer by this act. I can imagine that someone in the corporation thought they'd save themselves some embarrassment, but by this time so many words have been spent on their efforts that even the PR goal is lost.
It's not as though HID Global is the first company to do something like this. A couple of years ago, Cisco pulled the same sort of trick at Black Hat in Las Vegas, when a researcher showed how to successfully attack Cisco routers. In this case, things worked out, sort of, between the parties, but none of the companies involved ended up adding protection for their users or saving themselves embarrassment from their acts.
No one likes it when their faults are exposed. That's human nature. When faults exist, though, especially in systems that involve critical private data or the operation of critical systems, the responsible thing is to work with the researcher who finds the flaw, let your customers know that it exists, then fix it as rapidly as possible. Shoving your head deep into the sand and trying to pull your customers in after you is no path to security -- and no path to customer confidence.
Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.