Time to look inward instead of threatening legal action

July 2, 2009
News this week that Juniper Networks had pulled Barnaby Jack's planned Black Hat presentation and demo on ATM software vulnerabilities was met with dismay by the security community.

Is anyone else tired of this already? It seems not a year passes without a researcher being threatened with a lawsuit over plans to expose flaws in a particular technology. (This one probably struck most people harder than others because Jack actually planned to wheel an ATM on stage and make it spew out twenties.)

I know that if the craps table had been mean to me the night before -- everyone else always seems to have the luck -- I would've been running for the cash and worried about getting quotes later.

All kidding aside, I wish this "responsible disclosure" debate were sorted out already by the courts so we wouldn't have these same issues year after year. Wouldn't it be easier if, say, there was a Nevada law that required researchers to supply affected vendors with X number of days' notice prior to presenting flaw findings? And if the vendors didn't have the problem fixed by then, it's game on?

Because, as it stands now, it sounds as if companies such as Juniper, where Jack works, immediately cave to any semblance of resistance from the affected technology manufacturer.

ISS, IOActive, they've all done it in recent years.

Researcher Alexander Sotirov suggests that this epidemic of nixed presentations likely can be blamed on researchers' overly sensitive employers. He tweeted on Tuesday:
"Barnaby should quit Juniper and join me in being an independent consultant. The corporate environment stifles interesting security research."

For me, I think the right answer is telling these software and hardware makers to build their products securely from the start, so smart researchers like Jack can't figure out a way to exploit them.

At the minimum, vendors should get their act together to issue a patch in time for the researcher to present his or her findings. That's the least they can do for someone who likely saved them a fortune before the bad guys figured out the security hole.