Researchers Stuck in the Middle - InformationWeek


Researchers Stuck in the Middle

Want to be a security researcher? You're a better person than I am

1:00 PM -- It can't be fun to be a security researcher these days.

No matter which way they turn, researchers are constantly being criticized, threatened, ignored, or yelled at. When you think about it, it's really a wonder that there are any left.

First, security researchers are criticized for finding vulnerabilities in the first place. Some critics say that if the researchers weren't constantly turning up new attack vectors and flaws, there would be fewer attacks. Others criticize researchers for the sneaky ("unethical") methods they employ to find vulnerabilities, or for the way they report them (e.g., hiding them from the public until the vendor has a chance to fix them).

Then, when a researcher finds a legitimate vulnerability, many vendors complain, obfuscate, or threaten the discoverers. Today's Black Hat conference in DC, for example, will be one presentation short, because a researcher who found a flaw in RFID-based security proximity badges and tokens was threatened with a lawsuit by the products' manufacturer. (See Black Hat Cancels RFID Demo.) Other vendors, including Apple and Cisco, have taken similar issue with researchers' findings in the last year or so.

After navigating all of these dark waters, many researchers finally publish their discoveries, only to find that vendors and/or users ignore them and do nothing. Patches sometimes lag the discoveries by a year or more. Then, when the patches become available, users fail to install them. What must it be like to discover the fatal flaw in the Ford Pinto, then stand by and watch while the cars explode on the highway?

And what do they get for their troubles? A little notoriety, perhaps, and maybe a little money for disclosing the flaw. They get the satisfaction of knowing that they've found a trap door in what was supposed to be a solid steel wall, and they're helping to weld it shut. And, in the end, that seal might prevent a company from being breached, or an individual from suffering identity theft.

Such ethereal rewards may be enough for some people, but they wouldn't be for me. I understand the allure of cracking a system that was supposed to be uncrackable, and I understand the value of fixing critical security holes in computer hardware and software. But when vendors and critics hand them so much grief, will researchers find those rewards to be enough? I wonder how long it will be before more researchers skip past their morals and find work where it can be more remunerative: on the Dark Side.

I can tell you this much: if it were my RFID discovery that wasn't being presented today -- all because some vendor put the legal screws to me and my company -- I'd be seriously ticked. And I'm not sure I'd feel much like coming back to work again.

— Tim Wilson, Site Editor, Dark Reading
