I can imagine that the folks who have their products defeated by hackers and researchers aren't too happy having their problems aired; however, it just doesn't make any sense to me to become protagonists in court with the universities or any other researchers.
For example, in the current instance of the subway tickets, these attacks require some expertise to exploit, which of course can be gained in days by anyone of above average IQ, but most of them won't want free money or free rides on the subway, will they?
Secondly, it requires hundreds of dollars' worth of equipment, and would you be bothered spending that to save a few bucks on the subway?
It's highly likely that a close look at the attack will suggest a plan to defeat it, and meanwhile anyone considering deploying the solution has a more accurate picture of the risks.
In this case the evidence suggests that using these particular transit tickets as a stored-value device may well be an act of folly, because on a purely investment/return basis the effort would become far more justifiable if it enabled you to print money.
This should give merchants a clearer picture of what they're in for should they start accepting these tickets for stored-value payments. It then follows that if a transit operator hopes to recoup some of their investment through additional features such as using the tickets as stored-value devices, they may need to reconsider.
A better solution is engagement
The reason that I get so 'passionate' about leaving the universities alone is that to do anything else is like a modern form of book-burning. We can't limit research or stop papers being published because we don't like the results. Students need to be given the best resources and suffer no limits on their path to knowledge; after all, they're the future. Education and study are not confined to the halls of academia, and many 'students' don't have access to conventional learning and qualifications.
Whatever went wrong in this latest instance is irrelevant; of course the transit people don't want everyone riding for free, but perhaps they should have thought about it a little first, and we are all missing the point.
It is generally accepted that nothing is perfect, so there shouldn't be any stigma about a company fixing a problem, yet there probably should be one against revealing a problem without first constructively engaging the stakeholders. Often it's the little guys or the consumers who bear the brunt of it anyway, not the vendor.
Perhaps we could get together and try a different approach, where the researchers get a private forum to air their discoveries to a network of experts and peers. Their 'contribution' can be assigned a monetary value, and the effects of public disclosure can be weighed and, if necessary, delayed to enable the stakeholders to address the problem, with the help of the discoverers and anyone else we need.
Companies should of course be encouraged to employ the most robust testing processes, and if they lack either the expertise or the will, then universities and researchers can do it for them without the inconvenience of legal shenanigans. If someone helps fix your product they deserve recognition and compensation, and if they find where it's broken they have still performed a valuable service.
It is clear that an adversarial approach seldom succeeds.
I'd rather see a press release that the University of Wherever is assisting XYZ Ltd with a potential vulnerability in the system and is working to fix it, without necessarily exposing the substance of the flaw.
For a researcher, finding a flaw in a major system is the holy grail, because it guarantees publicity and often leads to employment for the individual or group. At the moment the greatest generator of publicity is the various 'conferences' where such discoveries are unmasked before their peers, and often before the vendor gets to know about it. That's not really convenient for companies and probably leads to a lot of stress and anticipation in IT departments every time a conference is on. Never mind the companies; it's the end user who suffers the most. That means hacking may be 'noble', but it's not if you give the exploit to the dark side by publishing it prematurely, because it's not really noble punishing the little person.
Not all issues are 'owned' by a single company (the DNS problem, for example), and we also need to make sure someone is keeping an eye on the turf that nobody else is paying attention to; that requires consideration and co-operation.
We need a mechanism to recognise and reward, one that provides incentives to improve all of our interaction processes, large or small. Sometimes the vendor simply won't have the funds to provide a monetary reward, so we need another way.
Have a Digital Security Olympics - an intellectual challenge and recognise IT.
It may be a better tactic to engage with 'researchers' everywhere and incorporate their knowledge and expertise into a sort of Intellectual or Digital Olympics, where the co-operative endeavours of researchers who have found problems, and fixed them together with vendors, can be recognised with awards and rewards. There could be competitions to address issues which have been spotted and fixed, to see who might have fixed them differently and perhaps find even better solutions.
Award medals and prizes for the best exploits reported to a vendor and fixed during the previous year. Awards and/or rewards could go to both the finders and the fixers. University teams can compete along with government departments and private teams, although we probably should keep nationalism out of it: a friendly meet between individuals and teams, whoever they represent. Talent can be recruited or given scholarships and networked to help solve emerging critical threats before they become critical breakdowns.
No-one really wants to see problems exposed to the world, but what other choice do researchers have to publicise their talents? Universities, too, need publicity to draw students, sponsors and benefactors.
We can do it the easy, convenient and fair way or we can do it the hard way.
At the very least we need some sort of recognition- and rewards-based system which brings this under-utilised expertise into mainstream education and business. It cannot be purely academic or purely corporate and must be open to any individual or group. Gold medals would be valued in the industry. There's more to life than sport, and we could gain a lot by recognising it.
Medals could be awarded, scholarships given, donations made to institutions, winning student teams' fees subsidised - all in a co-operative endeavour.
Perhaps we could even have hackers 'licensed', where researchers who signed up to a code of ethics might be given tools, contacts and permission to 'test' systems, and there could even be 'artists in residence' who are sponsored for the year to test and expand our knowledge.
It's hard to express the difference this wizardry of computers represents, because although it is an art, it isn't just like painting, photography, literature or film; it has a significant effect on the way we live and interact in the digital age and provides the foundation for the best medium yet to spread all forms of knowledge.
Getting together is the best plan. FIs, governments and businesses would all benefit in the long run, because it could become more than just a hack-a-thon and potentially improve everyone's education and the processes we use to interact.
The foundations are there with Defcon, Blackhat, etc., and the opportunity is there to build on them to create a modern intellectual Olympics. Let's just make a bigger celebration out of finding those weaknesses and fixing them.
All we need is a code of ethics for both sides and a few sponsors, and I recognise that there are companies and organisations already supporting this view with actions. Let's take it to the next level.
What do you think?
p.s. I'd say that there were a few gold medal contenders this year, but Dan Kaminsky actually went out and got a lot of folks to do something positive about a really big problem (the DNS flaw) which seriously undermined almost everything we do. A Herculean task.
...We have a long way to go yet.
...and some of them are already in the fold, eh Andy?