Disclaimer & tl;dr:
I want to be perfectly clear. This is my opinion, nothing more. You are welcome to disagree with my opinion.
1.) I support security researchers. I love their work, I appreciate their efforts, and I wish more organizations would support more researchers with bounties.
2.) Whether you like it or not, the media is in the business of “selling” news. They have to sensationalize everything.
3.) If your research potentially involves physical destruction or harm to a person, place, or thing, the media (as outlined in #2) will blow it out of proportion.
4.) We need to be smart in the way we release research to lessen the impact of sensationalized media coverage.
My View on Security Research
Curiosity. No, not the Mars rover. I am speaking of our own internal drive which makes us love what we do in Security and Technology. I mean, if we didn’t have curiosity we most likely wouldn’t be in this line of work. We ask ourselves, “how does this work?”, “can I get past this security control?”, “is there another way?”, “how can I make this work outside of its original design?” I’d posit the original scientists and engineers who worked on the Apollo 11 mission asked themselves similar questions. These questions are important and necessary in security research. Without these questions and researchers, most security controls we have today would probably not be implemented.
Now, I love reading about security research. Most of the information is beyond my expertise; and while I understand the basic premise, I may not fully grasp the technical aspects of what I am reading. I believe security researchers are essential to securing our technology, especially when the technology is connected to human transportation vehicles, equipment, and systems. In short, I <3 you security researchers. Thank you for all of your work!
Most Media is a For-Profit Organization
I have a healthy level of distrust with any media source. Whether it’s the mainstream news of CNN, BBC, FOX, ABC, NBC, or the small local media, they are all guilty of sensationalist exploitation of the news, as well as misreporting or leaving important details out of the article. While some are better than others, and some do retract or apologize, the simple fact is: they are in the business of “selling” the news, just as that salesperson is trying to sell you their blinky box, service, or support.
I believe, for the most part, we have seen the damage a media source can have on one of our own. I know people, personally, who have been the target of immense wrath from the security community when they took the media’s report at face value instead of vetting the source. I opine that we are often quick to become armchair experts after only reading a news article; but that is a topic for another discussion.
Having said all of this, we know that any news article on security research, especially research which has the potential to cause physical harm or damage, will most likely be blown out of proportion.
Responsible Research Disclosure
In the past few months we have seen research released around transportation. In April of this year, Chris Roberts‘ research on airline entertainment systems and vulnerabilities was discussed in the mainstream media. This week, we see the research from Charlie Miller and Chris Valasek on the vulnerabilities with uConnect systems in Jeep, Chrysler, and some Dodge vehicles. Remembering what we just discussed about the media, these are the stories that sell!
I cannot count the number of news articles that got the information wrong around these disclosures. Some were more than wrong. They didn’t even read the article. For example, this was the way the uConnect story was announced on PzFeed’s twitter stream.
First, they used “hackers” instead of security researchers. I am not going to debate the terminology here. The mainstream public has a negative connotation with the word hacker. It is the way it is. Second, they took a picture of a parking lot demonstration and made it appear as though this happened on a highway! Ugh. As you can see, I attempted to clarify this.
Here’s my point. If you want people to focus on your research, do not disclose the research in a way that can be viewed as though you disregarded the safety of others. In both disclosures, everyone is focusing on the potential for human harm during the research. While both situations may have been controlled, and no one was actually injured, no one cares. They only care that the research was, potentially or intentionally, done in a non-controlled environment.
You may celebrate that your research is being seen and everyone is talking about what you did. However, I would posit that the discussions are more on your endangerment of human life during your research or testing compared to the risks you were hoping to reveal. You may have stymied the overall impact of your research due to the way you disclosed or the way you conducted your research and testing.
Go ahead, ask anyone in security about the conversations they have had with friends, family, and acquaintances about these two research disclosures. I know all of mine have been about the risk to human life, not about the vulnerability that was disclosed. You know why? Because the media only focused on that piece, and most people will not vet the news media.
If it is your intent to inspire change in what you are researching, then be sure to disclose your research in a way that does not allow people to focus on your endangerment of others. Think of Mythbusters. They do crazy research that could potentially harm someone. Yet all of their research and testing is done in a controlled environment and they take careful measures to ensure this is communicated.
I am sad to say this, but the way this research has been disclosed lately has done more harm than good. Do not be surprised if legislation is drafted around these disclosures that may very well negatively impact everyone’s ability to do future research. We need to be aware of the media’s sensationalism and know that any research we release will be sensationalized. Taking care to offset this in our disclosure is only responsible on our parts.
If our goal is to freak people out with these types of research disclosures, we’ve succeeded. However, if our goal is to inspire people to take security seriously and to convince manufacturing companies to release secure technology, we’ve failed.
And that’s just my opinion.