[Dave Birch] A thought experiment. Suppose you found a flaw in a widely-used payment scheme, such as EMV. Suppose the flaw had come about because of a mistaken interpretation of a specification and would take some time to fix. Would you keep the flaw secret and hope that the criminals didn’t find it? Would you tell the banks? Or would you tell the banks about the flaw and tell them that it will be made public in six months? I’m genuinely curious: what would you do? I’m sure that the first option is the most wrong: if nobody explores how to break a payment scheme, the criminals will break it and you won’t know what to do. Consider the recent example of SIM card cloning in India, which the police apparently had difficulty responding to:
The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country.
If the good guys can’t even participate, the bad guys will always win.
[From Schneier on Security: The Ill Effects of Banning Security Research]
Bruce is, as is generally the case, right. Banning research means that only the bad guys will do the research. Hoping that the bad guys won’t find the flaw is a ridiculous strategy: it’s much better to come clean, bite the bullet and then fix it. What does “fix” mean though?