
My capacity for shock was run dry by the original engineering decisions made by Onity.

Everyone messes up. Every exploit can be made into an easy-to-distribute tool. As an industry, the idea is to help the people who make these mistakes fix it as soon as possible so users don't get hurt.

The problem is that the incentive here is for Onity to NOT disclose anything and keep on going like nothing happened. They'll get around to replacing them one day, and it hasn't caused any huge scandal yet, so what the hell right? It can wait! The alternative: a lot of bad press and millions of dollars in hardware fixes. Contrast that with a software fix delivered through the internet, instantly fixing the hole.

Then there's the matter of whether Onity seems like a trustworthy company that would do the right thing. A company whose ONE job is to make electronic locks, but still has an obvious security hole in their system, is either 1. really stupid or 2. knows about it and has done nothing. A security hole in a beast like Windows (whose main purpose is not security, btw) I could understand and sympathize with. A lock is not nearly as complex. Either way I wouldn't trust them to do the right thing.

If you make hotel locks, it's your job to not mess up and if you do, to find it and fix it before anyone else. Other people's safety is relying on you.

"Everyone messes up" is fine if your job is creating systems where security is largely a secondary concern. If security is the whole point of your product in the first place, and your product is actually completely insecure, that's not messing up, that's gross incompetence.

Except users can (and likely did) get hurt regardless of how the disclosure was performed.
