Posted by Hillary Cheng at 12:40 PM
The MBTA, U.S. Customs, Apple, and Cisco would like you not to know that their data was or is insecure. Yes, I repeat, their data was, or is, insecure, and they don’t want you to know. Rather than promoting information security by working with security researchers, the MBTA, U.S. Customs, and Cisco would rather file criminal complaints against researchers who find vulnerabilities in their security.
With the advent of the Internet, data stored on computers with access to the Web are prone to access by hackers. Infosec specialists and researchers work hard to protect our data, but the policies that make hacking a criminal activity sometimes also encompass the work of security researchers. While some organizations agree to have their security measures inspected by researchers, other researchers find vulnerabilities in a company’s security without its express consent. In the name of research, infosec specialists often disseminate their findings at security conferences for the benefit of other researchers’ knowledge and the development of techniques.
However, this well-meaning effort to develop better information security has met extreme pushback from companies wishing to maintain their bottom line and avoid bad publicity. Companies with security vulnerabilities may threaten researchers with legal action and the filing of criminal complaints in an effort to suppress their findings. This is counterproductive to improving data security, and policy should be construed in favor of promoting more security and public awareness of security breaches.