Once upon a time, companies were able to insist — with a straight face — that the real problem with the security defects in their products was the researchers who went public with them, warning customers and users that the products they were trusting were not trustworthy.
Then came the modern infosec movement, in which hactivists and researchers started to give companies a little grace period before going public, while still rejecting the whole idea of “security through obscurity.” If your security depends on no one else independently rediscovering the defects you’ve identified, you’re going to be very disappointed — just ask all those American cities that are paying out to ransomware creeps who got hold of a defect that the NSA kept secret so they could use it against “bad guys.”
Infosec’s watchword is “sunlight is the best disinfectant.” If you want to prove that a product is genuinely defective, it’s not enough to make the claim: you have to back it up with demos that anyone else can replicate — otherwise the companies will straight up call you a liar and assure their customers that there’s nothing to worry about.
Yesterday, Youtube froze Kody Kinzie’s longrunning Cyber Weapons Lab channel, citing a policy that bans “Instructional hacking and phishing: Showing users how to bypass secure computer systems.” He now has a “strike,” which prevents him from uploading any new videos.
This may sound like a commonsense measure, but consider: the “bad guys” can figure this stuff out on their own. The two groups that really benefit from these disclosures are:
1. Users, who get to know which systems they should and should not trust; and
2. Developers, who learn from other developers’ blunders and improve their own security.
Youtube banning security disclosures doesn’t make products more secure, nor will it prevent attackers from exploiting defects — but it will mean that users will be the last to know that they’ve been trusting the wrong companies, and that developers will keep on making the same stupid mistakes…forever.
We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it.
YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"
— Kody (@KodyKinzie) July 2, 2019
(via Four Short Links)