undefined | Better HN

0 pointsandor11y ago0 comments

I don't see who is in a position to even want to stop this talk

A government agency that wants to stay a step ahead of the competition or of its targets?

0 comments

5 comments · 2 top-level

toyg11y ago· 3 in thread

Or a University who doesn't want to get sued / get bad publicity for screwing with a tool used by government agencies...

MacsHeadroom11y ago

Legality aside, I'm surprised this wasn't pulled on ethical grounds. Does Black Hat not require "researchers" to follow responsible/coordinated disclosure?

What about the political dissidents who use Tor? They could be at risk of certain death if caught by the authoritarian regimes they live under. Without coordinated disclosure, the "researchers" might as well have been signing death warrants.

tptacek11y ago

Black Hat is a venue for presenting research. They don't influence the procedures used by researchers at all. And the Black Hat review board is not stuffed full of people who buy into "responsible disclosure".

In fact: I'm not aware of a vulnerability research conference that does get nosy about this stuff. I even reviewed for Usenix WOOT one year, and we didn't vet research for "coordinated disclosure". Not even Usenix works the way you want BH to.

dllthomas11y ago

"at risk of certain death"

That's an odd construction...

x1798DE11y ago

It's possible, but I think that's the paranoid / Hollywood spy version of this. Not saying that this sort of thing doesn't happen - the spy agencies take themselves very seriously but aren't big on effective policies anyway, but unless there's a specific operation that is relying on this specific exploit, and someone in the government got advance details of the nature of the exploit, it doesn't seem to have a particularly high prior probability. Anyone with a significant budget can probably pay for any number of zero days so they don't have a single weak point like "if anyone fixes this bug in the software our operation / malware will stop working".

Generally when you see some outside force trying to suppress security research and the presentation thereof, it comes from the companies who will actually have to fix the problems and deal with support calls (or companies who feel that security through obscurity is sufficient and are hoping to somehow suppress the information from ever getting out). In this case, that would be maybe the Tor Project, but they generally are very receptive to this kind of thing.

j / k navigate · click thread line to collapse