
St. Jude Heart Devices Vulnerable to Hacks - maibaum
http://www.bloomberg.com/news/articles/2016-08-25/in-an-unorthodox-move-hacking-firm-teams-up-with-short-sellers
======
kgwgk
Matt Levine wrote about this today [
[https://www.bloomberg.com/view/articles/2016-08-26/herbalife...](https://www.bloomberg.com/view/articles/2016-08-26/herbalife-deals-and-blockchain-dreams) ]:

"One thing I wonder about is: Even if Block is right, why would you hack
someone's pacemaker? It is just so ... mean. And complicated. Like, if you
wanted to murder someone with a pacemaker, it seems like it would be easier to
walk up to him and shoot him with a gun than to buy the hardware and develop
the expertise to hack his pacemaker, get within hacking range, and then do it.
Pacemaker-hacking does not seem like an optimal method if your goal is just
regular murder. (Not legal advice!)

"I guess one reason to hack a pacemaker is financial: You could short a ton of
St. Jude's stock, hack some of its pacemakers, kill some people and wait for
the stock to crash. (This is again not legal advice, though it is a free plot
for a financial thriller if anyone's working on one.) But if you are a hacker
looking to make money by shorting St. Jude's stock, and you have figured out
how to hack its pacemakers, actually going and murdering a bunch of people
seems mean and unnecessary and really extremely illegal. You should just short
the stock and then tell people that you can hack the pacemakers."

------
jackgavigan
Seeking to profit by short-selling a company's stock before revealing that
their products have security vulnerabilities feels like a very grey ethical
area to me.

I'm mildly surprised it doesn't fall under insider trading.

~~~
StargazyPi
It's very interesting, and a complex moral issue.

On the one hand, responsible disclosure, and immediate patching would be the
ideal way forwards.

However, with a company that has a history of neglecting security, and with
such severe possible consequences, speaking the only language that
businesses understand is sometimes the only way to make them pay attention.

Had they gone the "responsible" route with a CERT disclosure, the
vulnerability would have been published 45 days later, and would presumably be
exploitable (as St Jude doesn't seem to prioritise fixes).

As it is, we get a brief media shitstorm, and hopefully companies paying more
attention to product security as a result.

What I'd love to see is responsible disclosure with teeth. Someone like the
FDA imposing severe penalties for failure to patch security flaws, and
rewarding responsible hackers who find vulnerabilities. This means we avoid
the nasty area of effective blackmail, whilst hopefully making it likely the
'good' guys find the vulnerabilities first.

------
n3mes1s
paper: [http://d.muddywatersresearch.com/wp-content/uploads/2016/08/...](http://d.muddywatersresearch.com/wp-content/uploads/2016/08/MW_STJ_08252016_2.pdf)

