Heads in the Sand
Everyone loses when threats of legal action get made to forestall vulnerability disclosure
February 28, 2007
In the latest round of the Ostrich Security Game, HID Global Corp. has become an active player. By threatening legal action, it forced the cancellation of a session from the Black Hat agenda. HID claims patent infringement; IOActive, the company that was going to discuss the vulnerability, says it lacks the resources to fight a legal battle. (See HID, IOActive Butt Heads Again and Black Hat Cancels RFID Demo.)
The big loser? Companies and individuals who care about security, especially security that concerns RFID used in identification systems. Who wins? No one, not even HID Global.
The idea that squelching discussion of a flaw eliminates exploitation of the flaw is ridiculous. No one thinks HID Global has made its system, or any other RFID system, even fractionally safer by this act. I can imagine that someone in the corporation thought they'd save themselves some embarrassment, but by now so many words have been spent on their efforts that even the PR goal is lost.
It's not as though HID Global is the first company to do something like this. A couple of years ago, Cisco pulled the same sort of trick at Black Hat in Las Vegas, when a researcher showed how to successfully attack Cisco routers. In that case, things worked out, sort of, between the parties, but none of the companies involved ended up adding protection for their users or saving themselves embarrassment over their actions.
No one likes it when their faults are exposed. That's human nature. When faults exist, though, especially in systems that involve critical private data or the operation of critical systems, the responsible thing is to work with the researcher who finds the flaw, let your customers know that it exists, then fix it as rapidly as possible. Shoving your head deep into the sand and trying to pull your customers in after you is no path to security -- and no path to customer confidence.
— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.