I know I am a little late to this game, but I have to say that it absolutely drives me insane that HID is trying to push Chris Paget around. Just like it drove me nuts last year that ISS caved to pressure and caused one of their last real talents (Michael Lynn) to quit because he dared to reveal a Cisco flaw.
I am all about responsible disclosure. I am all about letting the manufacturer know of the issue before revealing it to the public. But neither of these cases involves something that is not known already. So basically this is effectively doing nothing but hampering security research. And the reason is because security has become uber-productized. Everyone has a product they want to sell to everyone to make a buck, and you will be strung up with red tape and lawyers’ neckties if you find a flaw and try to disseminate it to the public.
Don’t get me wrong. I am a capitalist to the core. I am all about making the money. I don’t work for free. If I was smart enough to start a company and make a few million, I would have already done it. But I will say that if I made a security widget of some sort and Mr. Paget or Mr. Lynn or Mr. Whoever told me there was a problem with my product, could demonstrate it to me, and that they were going to show it at BlackHat, I would walk on the frickin’ stage with them, put my arm around them, and say this guy is da’ bomb. I would push out a damn press release that said what I was doing to fix the problem, and I would probably try to hire the guy who found the flaw so I could get some better QA.
AAAAAAAAAAAHHHHHHHHHH!!!!!
This is the height of ridiculousness. People that do security research such as these two gentlemen deserve praise, respect, and adoration, not lawsuits.
And sorry to Alan and all other bloggers about the little bit of cursing. I am not a guy normally driven to expletives, but this has me fired up.
Vet