Another full-disclosure debacle at Black Hat

Here we go again. It’s almost as if the lessons from the 2005 Michael Lynn incident were completely forgotten. Granted, the conference has changed ownership, but the challenges to full disclosure from overeager companies remain the same.

In this case Kim Zetter of Wired News reports that a demonstration of weaknesses in RFID proximity cards by Chris Paget of research firm IOActive was scuttled after some legal scare-mongering by HID, a vendor that produces such cards. Quote:

IOActive says it offered a few compromises after hearing from HID, including allowing an HID representative to appear on stage with Paget to discuss its product — but HID wouldn’t agree not to sue.

The incredible part of this is that the vulnerability had already been demonstrated at another conference (RSA 2007) earlier in February. And just like the remote code execution in Cisco routers that the company tried to suppress in 2005 (ever wondered why the conference proceedings are missing an entire section of pages from that year?), the incident only served to increase awareness of the problem and draw more attention to it.
