The Importance of Security Research in a Connected World
Security researcher Mike Davis shares insights on the challenges faced in uncovering vulnerabilities, facing legal threats, and the impact on global safety and prosperity. His experiences highlight the need for a balanced approach to security research, encouraging dialogue and cooperation in a rapidly evolving tech landscape.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello Andrea, I appreciate you asking for my perspective on this, I believe that this issue is important not only to the researchers that perform the work, but to the consumers and indirect beneficiaries of the technologies that we increasingly depend on. As you may know, I recently published an advisory on a high security electronic lock produced by a company known as Cyberlock which had been specifically marketed and sold into government facilities (US and non) that required a high level of assurance and auditability for high value and/or sensitive areas. After examining the lock in detail, which involved examining the firmware in detail, we discovered the that the devices were Incapable of providing the level of protection as required as their encryption algorithm turned out to be little more then an easily defeated XOR encoding. After contacting the company to report the issues and being ignored for a month, IOActive was contacted by a law firm which attempted to intimidate first by insinuating that our reason for contacting Cyberlock was to pressure them into a sales aspect , then proceeded to casually ask about a co-workers non-existent felony conviction and finally after the call had completed I was sent a threatening letter suggesting I may have violated the DMCA anti-circumvention provision and that the company needed to protect their property, something that could be a career ending prospect for me if successful. While I wish legal thuggery like this were the exception, it has become the rule, At least this has been my experience with a series of companies like Merlincryption who ostensibly sell encryption products for SCADA, medical and M2M devices and attempted legal threats after I exposed their encryption algorithm (ASBE) as snake-oil. I also received similar threats after publishing research on vulnerabilities found in EAS (emergency broadcast/amber alert) system. I believe it to be a consensus among security researchers that even though the work we do is critical to our countries long term safety and prosperity we are simultaneously having to put ourselves as researchers at ever increasing personal risk of not only long term imprisonment and financial hardship, but it simultaneously creates an environment where its safer to sell a vulnerability on the black market then it is to report them to the vendor and the public making a connected world a much more dangerous place then it needs to be. If there is anything I can do to help inform this debate I m at your disposal. Mike Davis Principal Research Scientist
