There have been a lot of stories in the news about transportation hacks, from planes to automobiles (and I’m waiting on the train). Security threats in transportation have become more frequent, more threatening, and – as more and more of our transportation becomes “hackable” – more important. Recently, very high-risk vulnerabilities were discovered in these various methods of transportation, and this time they were presented loudly and in the public eye.
My thoughts on this are simple: 1.4 million cars are recalled, but not because there was a security vulnerability that was discovered and reported to the car manufacturer. The recall happened because the general public was made aware of this flaw through the media, and it was something that they could actually see and experience.
We can be told that the stove is hot.
We can be shown that the stove is hot.
But unfortunately, it sometimes takes a more memorable incident for us to remember that – wait for it – the stove is hot.
Would I say that this more “memorable incident” should be irresponsible reporting, or irresponsible disclosure? Am I advocating a “yell first, think later” stance? No, but I would like organizations, industries, and governments to take security more seriously, and not just because it has become painfully clear that human lives are at risk. Not just because the direct result of inaction is a company going under. But because a security researcher has practiced responsible disclosure and has tried to help, without a blatantly public example or demonstration being needed.
We are quickly approaching a state in this society where security research, and the actual discovery of these vulnerabilities, is thought of and treated as an actual crime. This brings up the question – are we trying to kill dissent and hide the truth? Or are we really trying to discover these vulnerabilities? By keeping quiet and not reacting to security researchers, we’re not helping the public. Hiding the danger from people does not keep them protected. We’re just making the stove look like it’s off – which might make it even more dangerous when they find out the hard way that it’s not.