A couple years ago Blackhat (http://www.blackhat.com) was embroiled in a legal battle between Cisco Systems and Mike Lynn about a presentation he was giving on breaking into Cisco's IOS. We won't go into the details about that here but you can go read Jennifer Granick's journal for the details.
And now Blackhat looks like it might be in the middle again. InfoWorld reports that HID, the proximity RFID card maker, may be going up against IOActive, Inc. to stop a similar presentation that targets their technology, as well as similar technology from other vendors in the same field.
What really gets to me in this case is a quote attributed to HID from InfoWorld:
"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
Where is the responsibility in a security company selling a product that they know has a vulnerability in it? That their customers might be susceptible to an attack which is mostly public already? That apparently took one researcher less than a month to put together?
I'm tired of this. I'm tired of hearing about security companies that fail in some major aspect of securing their own devices, or of working with customers to understand or alleviate problems with the technology they are selling or have sold. Security in a black box of "trust us, this will work" is worthless to the customer. Why am I tired of this? Because I see too many examples of it, including:
Default installations of security web applications that leave themselves open to the world.
Security appliances that converse via SSL but don't let you update the certificate.
Security appliances that offer no secured communications channel for device management.
I think if you're selling or creating any security device you need to at least hold yourself to a higher standard for protecting it and protecting your customers. Though I hate to create new legislation, perhaps we need some in this arena. I envision something where a researcher who finds a flaw is protected by whistleblower-style legislation (even if they don't work at the company) and the company must send a notification to customers affected by the problem.
Can I get a hell yeah?
-- decaf out (poor editing and writing attributed to my current fever)
You can find my take on this latest intellectual property vs. vulnerability disclosure bout here: http://www.granick.com/blog/?p=552 and
here: http://www.wired.com/news/columns/0,72819-0.html?tw=wn_index_5