Everyone loses when threats of legal action get made to forestall vulnerability disclosure
In the latest rounds of the Ostrich Security Game, HID Global Corp. has become an active player. Threatening legal action, they forced the cancellation of a session from the Black Hat agenda. They claim patent infringement, while the company discussing the vulnerability says it lacks the resources to fight any legal battle. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)
The big loser? Companies and individuals who care about security, especially security that concerns RFID used in identification systems. Who wins? No one, not even HID Global.
The idea that you can eliminate exploitation of a flaw by squelching discussion of it is ridiculous. No one thinks that HID Global has made its system, or any other RFID system, even fractionally safer by this act. I can imagine that someone in the corporation thought they'd save themselves some embarrassment, but by this time so many words have been spent on their efforts that even the PR goal is lost.
It's not as though HID Global is the first company to do something like this. A couple of years ago, Cisco pulled the same sort of trick at Black Hat in Las Vegas, when a researcher showed how to successfully attack Cisco routers. In this case, things worked out, sort of, between the parties, but none of the companies involved ended up adding protection for their users or saving themselves embarrassment from their acts.
No one likes it when their faults are exposed. That's human nature. When faults exist, though, especially in systems that involve critical private data or the operation of critical systems, the responsible thing is to work with the researcher who finds the flaw, let your customers know that it exists, then fix it as rapidly as possible. Shoving your head deep into the sand and trying to pull your customers in after you is no path to security -- and no path to customer confidence.
— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.