Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Lets Call Stunt Hacking What it is, Media Whoring.

From: InfoSec News <alerts () infosecnews org>
Date: Mon, 18 May 2015 14:17:14 +0000 (UTC)
http://carnal0wnage.attackresearch.com/2015/05/normal-0-false-false-false-en-us-x-none.html

By Valsmith
carnal0wnage.attackresearch.com
May 16, 2015
I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/ and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public who has a limited understanding of the technology, and the media who has a worse understanding, get in a frenzy or outrage, the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc.
A question that I think we should keep in mind is: Why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad.
There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real world deployment or 2.) Any actually valuable technical research gets lost in the hype.
Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven't contributed meaningful or ground breaking research to the community, (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers work to drive sales of mediocre consulting services as well.
The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective either from the security vendor or the services purchaser point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space. 

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
Previous By Date Next
Previous By Thread Next

Current thread: