Researchers Stuck in the Middle

Want to be a security researcher? You're a better person than I am

1:00 PM -- It can't be fun to be a security researcher these days.

No matter which way they turn, researchers are constantly being criticized, threatened, ignored, or yelled at. When you think about it, it's really a wonder that there are any left.

First, security researchers are criticized for finding vulnerabilities in the first place. Some critics say that if the researchers weren't constantly turning up new attack vectors and flaws, there would be fewer attacks. Others criticize researchers for the sneaky ("unethical") methods they employ to find vulnerabilities, or for the way they report them (e.g., hiding them from the public until the vendor has a chance to fix them).

Then, when a researcher finds a legitimate vulnerability, many vendors complain, obfuscate, or threaten the discoverers. Today's Black Hat conference in DC, for example, will be one presentation short, because a researcher who found a flaw in RFID-based security proximity badges and tokens was threatened with a lawsuit by the products' manufacturer. (See Black Hat Cancels RFID Demo.) Other vendors, including Apple and Cisco, have taken similar issue with researchers' findings in the last year or so.

After navigating all of these dark waters, many researchers finally publish their discoveries, only to find that vendors and/or users ignore them and do nothing. Patches sometimes lag the discoveries by a year or more. Then, when the patches become available, users fail to install them. What must it be like to discover the fatal flaw in the Ford Pinto, then stand by and watch while the cars explode on the highway?

And what do they get for their troubles? A little notoriety, perhaps, and maybe a little money for disclosing the flaw. They get the satisfaction of knowing that they've found a trap door in what was supposed to be a solid steel wall, and they're helping to weld it shut. And in, the end, that seal might prevent a company from being breached, or an individual from suffering identity theft.

Such ethereal rewards may be enough for some people, but it wouldn't be for me. I understand the allure of cracking a system that was supposed to be uncrackable, and I understand the value of fixing critical security holes in computer hardware and software. But when vendors and critics hand them so much grief, will researchers find those rewards to be enough? I wonder how long it will be before more researchers skip past their morals and find work where it can be more remunerative: on the Dark Side.

I can tell you this much: if it were my RFID discovery that wasn't being presented today -- all because some vendor put the legal screws to me and my company -- I'd be seriously ticked. And I'm not sure I'd feel much like coming back to work again.

— Tim Wilson, Site Editor, Dark Reading

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing