Full Disclosure

Full Disclosure and the Boston Farecard Hack

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don’t do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won’t leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn’t the researchers; it’s the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”

Just Do It?

The question asked at incoherently scattered ponderings: Why would anyone want to get a PhD in sciences?

[T]he bottom line is that 10 years later the non-PhD path can provide on the order of 0.5 million more in earnings than the PhD path. And one could argue that the career options after completing a PhD and 1 or 2 postdocs are still quite bleak.

No, a PhD doesn’t get you more money. What it tends to get you is interesting work — there are opportunities that become possible with a doctorate that won’t be there without treading that path.