http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html
By Valsmith
carnal0wnage.attackresearch.com
May 16, 2015
I recently read this article:
http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/
and it brought to mind some thoughts that have been percolating for quite
a while. Sometime last year I believe Dave Aitel coined the term Stunt
Hacking, which I think is a pretty good way to describe it. We often see
these media blitzes about someone hacking a car, or an airplane, or some
other device. The public, who have a limited understanding of the
technology, and the media, who have a worse one, get into a frenzy or
outrage; the security company hopes this translates into sales leads,
and the researcher hopes this translates into name recognition leading to
jobs, raises, conference talks, etc.
A question that I think we should keep in mind is: why would a company
hire someone who just publicly displayed how little they understand about
the technology and made their desired potential client look bad?
There are two problems with this: 1) the research is often FUD or based
on a very limited understanding of real-world deployment, or 2) any
actually valuable technical research gets lost in the hype.
Let me be clear, I am not saying that researchers like Charlie Miller or
Barnaby Jack haven't contributed meaningful or groundbreaking research to
the community (they have), but many ride a hype wave that is often
unwarranted. Unscrupulous infosec companies take advantage of such
researchers' work to drive sales of mediocre consulting services as well.
The practice of companies pushing their best researchers to drop and
overhype controversial or gimmicky bugs makes no sense from a business
perspective, from either the security vendor's or the services purchaser's
point of view. Who wins in the long run? The vendor loses credibility and
the purchaser suffers in the PR space.
[...]