Researchers Stuck in the Middle - InformationWeek



Want to be a security researcher? You're a better person than I am

1:00 PM -- It can't be fun to be a security researcher these days.

No matter which way they turn, researchers are constantly being criticized, threatened, ignored, or yelled at. When you think about it, it's really a wonder that there are any left.

First, security researchers are criticized for finding vulnerabilities in the first place. Some critics say that if the researchers weren't constantly turning up new attack vectors and flaws, there would be fewer attacks. Others criticize researchers for the sneaky ("unethical") methods they employ to find vulnerabilities, or for the way they report them (e.g., hiding them from the public until the vendor has a chance to fix them).

Then, when a researcher finds a legitimate vulnerability, many vendors complain, obfuscate, or threaten the discoverers. Today's Black Hat conference in DC, for example, will be one presentation short, because a researcher who found a flaw in RFID-based security proximity badges and tokens was threatened with a lawsuit by the products' manufacturer. (See Black Hat Cancels RFID Demo.) Other vendors, including Apple and Cisco, have taken similar issue with researchers' findings in the last year or so.

After navigating all of these dark waters, many researchers finally publish their discoveries, only to find that vendors and/or users ignore them and do nothing. Patches sometimes lag the discoveries by a year or more. Then, when the patches become available, users fail to install them. What must it be like to discover the fatal flaw in the Ford Pinto, then stand by and watch while the cars explode on the highway?

And what do they get for their troubles? A little notoriety, perhaps, and maybe a little money for disclosing the flaw. They get the satisfaction of knowing that they've found a trap door in what was supposed to be a solid steel wall, and they're helping to weld it shut. And in the end, that seal might prevent a company from being breached, or an individual from suffering identity theft.

Such ethereal rewards may be enough for some people, but they wouldn't be for me. I understand the allure of cracking a system that was supposed to be uncrackable, and I understand the value of fixing critical security holes in computer hardware and software. But when vendors and critics hand them so much grief, will researchers find those rewards to be enough? I wonder how long it will be before more researchers skip past their morals and find work where it can be more remunerative: on the Dark Side.

I can tell you this much: if it were my RFID discovery that wasn't being presented today -- all because some vendor put the legal screws to me and my company -- I'd be seriously ticked. And I'm not sure I'd feel much like coming back to work again.

— Tim Wilson, Site Editor, Dark Reading
