I love listening to podcasts, and “Down the Security Rabbithole” is a favourite. Rafal & crew do a good job of balancing technical and business content, and while I may not agree with everything, it’s a great listen, well worth your time.
I was driving today and listening to episode #140, recorded at the wonderful AtlSecCon (which I happened to miss this year… 😦 ). Rafal had a good chat with Mark Nunnikhoven, Kellman Meghu and Keren Elezari. The topic was the ethics of disclosure, particularly when lives are at stake. Interesting topic and I wanted to chime in on it.
The topic is still fallout from the now infamous Chris Roberts tweet, but rather than focus on that particular tweet (that ship has sailed or, dare I say, that plane has departed 🙂 ), the group discusses several related issues: vulnerability disclosure, the fine line between what constitutes ‘research’ and what does not, and more. Still, there’s broad agreement that ‘fortune and glory should not apply when people could die.’
What I wanted to add is that while ‘hacking’ an airplane is much more likely to be recognized as a proximate cause in case of an accident, I think pretty much any disruption to the ‘cyber’ systems people now depend on can potentially have lethal [side] effects. My focus nowadays is anti-fraud. While not as cool as hacking avionics, it shows me how much of an effect fraud has on consumers, to the point of potentially causing stress, injuries and, in my opinion, even death. Hyperbole? Perhaps. But I wanted to get my point across that the ‘sensational’ events are often less impactful than the mundane but much, much more frequent stuff that no longer makes the news in the first place…
Also, I agree with Keren’s point about the word ‘cyber’. It means something and I think we should embrace it, not look down on those who choose to use it. This ties in with a comment from Allan Friedman during his recent BSidesSF talk, that for those in government, cyber means something specific and helps them define it when compared to other domains.
Also, hacker movies… Sneakers (1992) or Hackers (1995)? Showing my age here, but neither: WarGames (1983) FTW… 😉 It even plugs into the theme of the podcast (lives affected by a cyber incident; you can’t go much bigger than global thermonuclear war…).
And Mark, YES there is cyber in Die Hard 1 (1988): don’t you remember witty Theo and his charming personality? ‘Red Castle’? 😉