Wednesday, February 28, 2007

Responsibility runs both ways

If you read Emergent Chaos (and if you don't, you need to add it to your reading list right now) you've already seen that the RFID talk Chris Paget was scheduled to deliver at Black Hat Federal is back on.

Apparently HID doesn't have a Webster's dictionary, because they now claim they didn't demand that the talk be pulled.

"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007."

"Under no circumstance has HID asked IOActive or Mr. Paget to cancel their presentation. In fact, we were surprised by their decision to cancel the presentation and to attribute the cancellation to a threat from HID. This was not, and never was, HID’s position."

*cough* *cough* bullshit *cough*

You can read the entire letter HID sent here, but here are a couple of snippets:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …

…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

That sounds like a demand/threat to me...

Anyway, this is all very interesting, but it is distracting us from the real issue of responsibility. I personally believe that researchers have a responsibility to work with vendors to resolve security issues in a way that protects customers. But I also believe that vendors have a responsibility too: a responsibility to make sure that they are doing everything they can to stay on top of known vulnerabilities in their products, provide customers with workarounds and mitigations, and ultimately create more secure products. RFID vulnerabilities have been publicly known since 2005, and Paget's presentation is not really NEW (even Jeff Moss calls it "largely a rehash of known issues, intended more as an introduction").

And remember, HID claims “cloning is simply not a credible threat”.

Long ago (in a galaxy far, far away) the only way to get vendors to fix security problems was to report them publicly and shame them into a fix. Today, vendors (most of them, anyway) try to work with researchers to fix vulnerabilities and protect their customers. What keeps me up at night after events like this is the fear that more vendors will choose to ignore vulnerabilities and try to strong-arm researchers into silence about the flaws in their products, and that this will be used to further justify full disclosure. I don't want to live in a world where the only way to get a vulnerability fixed is to drop it anonymously on a mailing list and hope the good guys fix it before the bad guys leverage it.

yearning for utopia,
