Government // Cybersecurity
News, 2/28/2007 03:00 AM

Researchers Stuck in the Middle

Want to be a security researcher? You're a better person than I am

1:00 PM -- It can't be fun to be a security researcher these days.

No matter which way they turn, researchers are constantly being criticized, threatened, ignored, or yelled at. When you think about it, it's really a wonder that there are any left.

First, security researchers are criticized for finding vulnerabilities in the first place. Some critics say that if the researchers weren't constantly turning up new attack vectors and flaws, there would be fewer attacks. Others criticize researchers for the sneaky ("unethical") methods they employ to find vulnerabilities, or for the way they report them (e.g., hiding them from the public until the vendor has a chance to fix them).

Then, when a researcher finds a legitimate vulnerability, many vendors complain, obfuscate, or threaten the discoverers. Today's Black Hat conference in DC, for example, will be one presentation short, because a researcher who found a flaw in RFID-based security proximity badges and tokens was threatened with a lawsuit by the products' manufacturer. (See Black Hat Cancels RFID Demo.) Other vendors, including Apple and Cisco, have taken similar issue with researchers' findings in the last year or so.

After navigating all of these dark waters, many researchers finally publish their discoveries, only to find that vendors and/or users ignore them and do nothing. Patches sometimes lag the discoveries by a year or more. Then, when the patches become available, users fail to install them. What must it be like to discover the fatal flaw in the Ford Pinto, then stand by and watch while the cars explode on the highway?

And what do they get for their troubles? A little notoriety, perhaps, and maybe a little money for disclosing the flaw. They get the satisfaction of knowing that they've found a trap door in what was supposed to be a solid steel wall, and that they're helping to weld it shut. And, in the end, that seal might prevent a company from being breached, or an individual from suffering identity theft.

Such ethereal rewards may be enough for some people, but they wouldn't be for me. I understand the allure of cracking a system that was supposed to be uncrackable, and I understand the value of fixing critical security holes in computer hardware and software. But when vendors and critics hand them so much grief, will researchers find those rewards to be enough? I wonder how long it will be before more researchers skip past their morals and find work where it can be more remunerative: on the Dark Side.

I can tell you this much: if it were my RFID discovery that wasn't being presented today -- all because some vendor put the legal screws to me and my company -- I'd be seriously ticked. And I'm not sure I'd feel much like coming back to work again.

— Tim Wilson, Site Editor, Dark Reading
