Friday, March 02, 2007

How to hype your security vulnerability

It seems that HID Global, a manufacturer of access-control devices, has a security vulnerability in its RFID proximity cards. Via Adam Shostack, we learn that Chris Paget of IOActive was planning to explain the vulnerability at the Black Hat DC 2007 conference. Instead of fixing the vulnerability, HID Global threatened Paget with a patent infringement lawsuit. So now, instead of a small group of elite security specialists knowing about it, everyone who reads tech news does.

Furthermore, we also know that HID Global has not announced any plans to fix the vulnerability, just suppress any discussion of it. Yeah, that’ll work. Brian Krebs has responses from both Chris Paget and Kathleen Carroll, director of government relations for HID. I don’t think HID’s response is adequate to the situation.

As of this writing Google News shows 69 items on this story. Slashdot has a spirited debate about the incident.

Incidentally, according to Security Tracker, the largest number of reported malware attacks comes not after the public report of a vulnerability but after the patch has been announced and offered, which I don’t understand at all.
