Who are the Fraudsters?


On the first of December Melanie Johnson of The UK Cards Association sent a letter to Cambridge University complaining that a student's exposure of a vulnerability in his thesis “overstepped the boundary of responsible disclosure” and requested its immediate removal from the University web site. A copy of that letter here.

“Our key concern, therefore, is that this type of research was ever considered suitable for publication by the University.”

The reply from Ross Anderson of the University could be said to be … pointed. A copy of the reply here.

“… you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

Take a moment to read both letters, because this exchange is perhaps the clearest exposition of the opposing views on vulnerability disclosure. If one were to take media coverage as a pointer, it would be fair to say the powerful have had the best of 2010. I’ve seen very little criticism of those who ship products that are not secure, or who made claims about a system that was subsequently hacked. They seem to have largely escaped any negative consequences for what often amounts to shoddy engineering.

Remember the Google employee who, on his own time, published a Microsoft bug in June? Just look at the name calling and politics that ensued, never mind getting anything fixed. It has become more important to manage the PR of security than make things that aren’t full of bugs.

Or how about this story, where the encryption algorithm for car immobilizers has been cracked. One manufacturer was found to use the car's VIN as the supposed secret key, even though it is printed on the car. How could you call that a serious attempt to secure your customer?

Governments have taken no lead: in March the US Government Accountability Office found the IRS had not fixed 70 percent of the flaws found in the previous year's audit.

So who is the fraudster here — is it the researcher who publishes a way to exploit the product you own or the company who sold you a product that can be exploited to take money out of your pocket?

Maybe this will be the year when the pendulum swings the other way, when vendors are pushed to be responsible engineers and fix the shoddy products they ship. Maybe organisations will be prosecuted for fraudulently claiming their systems are secure, for failing in a basic duty of care, or for being negligent of security requirements.

Posted by Carlton Duston on 29 Dec 2010 | 0 comments
Tagged with Blog, Opinion, None
