Slashdot Mirror


Schneier Discusses Ethics of Crypto PR Tactics

vaxzilla writes "There's a really great article in Bruce Schneier's January 15th CRYPTO-GRAM newsletter. He questions the ethics of various security companies who use announcements of security problems to bolster the sales of their products and services. When I read the recent articles talking about the weakness of the current web browsers, I pretty much thought, 'Yeah, so what?' But nCipher looks to be pushing the hype to help push their product. The article is worth reading."

6 of 54 comments

  1. Bruce's Allegations About Me by Anonymous Coward · Score: 4

    I wrote the New York Times article that Bruce attacks in his CryptoGram. His piece would have been fairer if he had mentioned the fact that the NYT article explores the ethical quandaries of the nCipher attack. I discussed, _at length_, whether nCipher's announcement amounted to blackmail, and I reported, _at length_, on their responses. I asked all of these questions weeks ago and printed their explanation, which I thought was rather reasonable. They felt that publicizing the details was more ethical than keeping silent. It's also important to realize that there was something NEW in what they reported. They had implemented their key-finding attack and coupled it with a number of standard hacks around the memory protection schemes of major OSs. You might argue that there's nothing novel about a frightening practical demonstration of a theoretical concept, but I want you to try that argument out on the folks from Hiroshima and Nagasaki first. Anyone can check this out for themselves. Alas, I can't give you the exact URL because I'm at the RSA conference. But if you go to www.nytimes.com and log in (sigh), actually find the search screen (sigh), and search for past documents containing the word nCipher, you'll be able to read it. Feel free to write me if you have any concerns or thoughts on this matter.

    Peter Wayner
    pcw@flyzone.com
    pwayner@nytimes.com

  2. Not sure I agree by Hobbex · Score: 4

    While I usually agree completely with everything that BS writes (and I was pleased to see that his first paragraph validated my Slashdot post in the nCipher thread), I do think that he is being a little hypocritical about this subject. While the whole nCipher thing was obviously just "hacksationalism", it seems to me that the dividing line between cases where he is and isn't OK with publishing cracks depends completely on whether a party is making money or not.

    Ethics to the side, and as much as we all love being closet Socialists here, capitalism is what makes our world go round. I wish all research could be funded for altruistic reasons, but in the real world the lure of profit IS often necessary. This is why we stand for the fact that medical patents often keep poor people from being able to afford treatment: it's for the greater good of having the medicines developed at all.

    It might not be perfect to have companies researching security holes so they can validate the sales of their products, but at least the holes are being found and published, which, IMHO, is a hell of a lot better than letting them linger until somebody who would rather use them than publish them finds them. Use Open Source and you can be sure you can patch around the problem before the hackers hit you when it hits the press.

    I also see no mention in the article of BS's own new Internet security company, Counterpane Internet Security, and how he plans to change his behaviour now (though he points fingers at L0pht for doing the same). He might have discussed this before, though.

    If anything, I think one of the parties most at fault here is Slashdot. A lot of journalists read this site, so when the editors post a story like the nCipher one, it does a great deal to spread it further. May I recommend that the /. staff consider taking a Cypherpunk on board to weed through stories about such issues to make sure they are real and not just sensationalist.

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  3. Lack of experience in the media by 1984 · Score: 4

    There's a critical problem with a general lack of security expertise in the media. It has led to an unfortunate slant 'on the side of safety', where anyone highlighting an apparent security problem is instantly believed.

    This is often regardless of credentials, and I've seen some journalists maintain a tenacious grip on a flawed notion of bad security because bad security makes a good story. Copy gets churned out that all too often recites doomsaying of the original source, without reference to any independent expertise.

    It's even worse when there's actually a story in there, but it isn't the story that they're choosing to write.

    Sensible, timely reporting of security issues, and penetrating questions aimed at those who seek to deflect them, are sensible and useful. Grabbing the latest 'see here, security disaster!' hype isn't.

  4. Follow the Money by DreamerFi · Score: 4

    What you should always keep in mind when reading articles anywhere is "Follow the Money". Bruce makes this point very clear, but you should not limit this to cryptography. Always wonder who stands to benefit from an article.

    Including on Slashdot.

    -John

  5. A question by JamesSharman · Score: 4

    The author makes some valid points, to the degree of contradicting himself. I would hope that most of the people on Slashdot can spot posturing and sensationalizing when they see it.

    "I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again."

    Yes, nCipher didn't really point out anything new; yes, it's a blatant attempt to get free publicity; and yes, it does stink of the whole virus scare thing we went through 10 years ago. However, the issue here is where you draw the line between a publicity stunt and genuinely alerting the world to a problem. I feel that just telling those with a responsibility to fix a problem is not the solution, as the writer correctly points out:

    "Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers."

    However, this causes a problem: if the only way of attacking a true problem is to make it public with all the fuss involved, how can you expect the public to tell the difference between this and someone grabbing for publicity? We may be able to tell the difference, but Joe Public is usually a little out of their depth when dealing with cryptography.

    What I would like to know is, if you (the person reading this post) found a gaping security hole in something large like Explorer or Navigator, what would you do:

    • Just report it to the vendor.
    • Leak it to the press and make a fuss.
    • Work it into an exploit and make yourself rich.
    • Something else.
    • Depends whose software it is.

  6. False Authority Syndrome by radish · Score: 4

    As always, a great read from Bruce. Others have commented on this phenomenon, which seems very common in security/virus areas. Rob Rosenberger runs a great site called Virus Myths, which deals with all the "Good Times" stuff, as well as investigating other security stories, with the aim of getting rid of the hype and looking at the real story. He also has an article on what he calls False Authority Syndrome, basically the habit, beloved by certain parts of the media, of totally believing someone because they assume them to be an "expert" on the subject. Essential reading...


    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"