Yesterday I presented at Maine Law about my security vulnerability disclosure research. It was great to be back at Maine Law, but this time as a lecturer. I spent so many hours in the moot court room as a student that, just for a split second, I had a fleeting feeling of "OMG, am I going to get cold called on," when I entered the room. Some things from law school never leave you.
I have made some changes to the disclosure presentation I gave at Pumpcon a few weeks ago. For instance, Juliet (aka Victoria) said that I had too much stuff on my slides, so I tried to pare that down. She was totally right about that.
Also, I changed the title from "How to Responsibly Disclose" to a title that doesn't carry the ethical connotations of the word "responsible." Following the industry practice known as "responsible disclosure" is not always the most responsible way to disclose vulnerabilities. The more research I do, and the more well-known security researchers I discuss this topic with, the more I find that sometimes other types of disclosure (full or partial) are what's needed for better security. My legalese peers may not agree with me, but from the computer researcher's perspective, the practice called "responsible disclosure" does not always live up to the ethical implications of that word.
Last, but not least, I added a lot more about disclosing physical/electronic security vulnerabilities. I did a lot of research into lock picking laws and industry practices. Really fascinating, and it makes me want to do more lock picking should the opportunity present itself.
However, are electronic biometric locks with cryptographic keys the future of the lock industry? I think they may be. That's good and bad--like all technology, isn't it? I've always been interested in the idea of faking biometric scans. For example, I know that a retina scan is really hard to fake, but mirrored or cloudy contact lenses mess up the scan. So, if you're getting your initial scan (such as going through the international terminal in Frankfurt, Germany) and you get scanned with these contact lenses in, will the computer reject the scan, or will that baseline scan, albeit "fake," be "yours"? I'll have to do a post about biometric scans, because I did a lot of related research on that when I was working on RFID technologies and legislation.