Researchers Stuck in the Middle - InformationWeek


Want to be a security researcher? You're a better person than I am

1:00 PM -- It can't be fun to be a security researcher these days.

No matter which way they turn, researchers are constantly being criticized, threatened, ignored, or yelled at. When you think about it, it's really a wonder that there are any left.

First, security researchers are criticized for finding vulnerabilities in the first place. Some critics say that if the researchers weren't constantly turning up new attack vectors and flaws, there would be fewer attacks. Others criticize researchers for the sneaky ("unethical") methods they employ to find vulnerabilities, or for the way they report them (e.g., hiding them from the public until the vendor has a chance to fix them).

Then, when a researcher finds a legitimate vulnerability, many vendors complain, obfuscate, or threaten the discoverers. Today's Black Hat conference in DC, for example, will be one presentation short, because a researcher who found a flaw in RFID-based security proximity badges and tokens was threatened with a lawsuit by the products' manufacturer. (See Black Hat Cancels RFID Demo.) Other vendors, including Apple and Cisco, have taken similar issue with researchers' findings in the last year or so.

After navigating all of these dark waters, many researchers finally publish their discoveries, only to find that vendors and/or users ignore them and do nothing. Patches sometimes lag the discoveries by a year or more. Then, when the patches become available, users fail to install them. What must it be like to discover the fatal flaw in the Ford Pinto, then stand by and watch while the cars explode on the highway?

And what do they get for their troubles? A little notoriety, perhaps, and maybe a little money for disclosing the flaw. They get the satisfaction of knowing that they've found a trap door in what was supposed to be a solid steel wall, and that they're helping to weld it shut. And, in the end, that seal might prevent a company from being breached, or an individual from suffering identity theft.

Such ethereal rewards may be enough for some people, but they wouldn't be for me. I understand the allure of cracking a system that was supposed to be uncrackable, and I understand the value of fixing critical security holes in computer hardware and software. But when vendors and critics hand them so much grief, will researchers find those rewards to be enough? I wonder how long it will be before more researchers skip past their morals and find work where it can be more remunerative: on the Dark Side.

I can tell you this much: if it were my RFID discovery that wasn't being presented today -- all because some vendor put the legal screws to me and my company -- I'd be seriously ticked. And I'm not sure I'd feel much like coming back to work again.

— Tim Wilson, Site Editor, Dark Reading
