
I think that making this public is not a very good example of responsible disclosure and I hope there will be a lawsuit before the presentation to prevent the details from being exposed.

I am all about exposing vulnerabilities but I honestly think there needs to be a dialog with the vendor first. Especially for exploits like this where there is a lot at stake.

I find the excuse of 'there is nothing they can do anyway' very poor. I have no doubt that this technique is known to locksmiths and law enforcement and maybe a smaller group of criminals. But making this public and exposing it to the world will allow any criminal with a soldering iron and an Arduino to start exploiting this.

Daeken, you have done an awesome job making this known. Maybe that is enough to get the ball rolling. Or do you just want to do damage for fame and profit?




This argument has been going around for as long as I can remember, and I think it's incredibly harmful to researchers (whether they be security or other).

Upon discovering the vulnerability, the only real action he could take which would be universally considered unacceptable would be to use that research to go around breaking into hotel rooms (which is illegal).

If he decided to go into business selling devices to bypass hotel room locks, there would also probably be a majority opinion that that isn't really "above-board". Even that isn't necessarily universally agreed on though (as there are a lot of people who argue that providing access to tools isn't criminal).

But he didn't do that either.

He decided that this was a pretty severe vulnerability (made worse by the fact that remediating it isn't trivial), and that he wanted people to know about it.

Hoping that the vendor will sue him to prevent that information from being disseminated is about the worst possible outcome from research of any kind; ignoring the fact that you don't seem to posit any rationale for what exactly they'd be suing about (protected trade secrets? violation of a license agreement?).

The thing about "responsible disclosure" is that it isn't something that exists by fiat. It's an intentional reframing of disclosure policies by vendors to attempt to steer the research community towards doing what's in the vendors best interests.

I understand their desire to reframe that policy, but that doesn't make it "the only ethically responsible way to conduct vulnerability disclosures".

Recently, there's been a lot of news about BMWs being able to be stolen trivially through access to the OBD port on certain models. There's an OSVDB entry for it and everything‡.

That's another example where providing information to the public was considered to be very important (like the issue Cody discovered, it's also not something that can be easily fixed. It's also been ignored by the vendor).

In virtually all other regards, making research public is considered the responsible thing to do.

While I'm not a card-carrying member of the full-disclosure sentiment, I strongly disagree that releasing research publicly is boolean irresponsible.

‡ http://osvdb.org/83707


I'm not saying he should not publish this at all. I just think it would be more responsible to try to work with the vendor. Right now he has not even made that effort.


And he hasn't released the source code and hardware specs yet. So, although I think he should have contacted the vendor (even if that could have been inconvenient for him) before going public, he still hasn't made it trivial for a third party to go around robbing unattended hotel rooms. It's his choice but I would appeal to him to not do that.

Full disclosure is a lot of fun, and it increases the status of geeks like us, so it's really easy to approve of it. I did when I was in college.



