Full Disclosure and the Boston Farecard Hack
This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don’t do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won’t leak out even if the research results are suppressed. These assumptions are all incorrect.
The problem isn’t the researchers; it’s the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”
A Kryptonite bicycle lock is the sine qua non of strong protection for modest inconvenience. Its only weakness is that a Bic stick pen was its universal master key. General “Buck” Turgidson: “Well, I don’t think it’s quite fair to condemn the whole program because of a single slip-up, sir.” (Dr. Strangelove)