• -----BEGIN PGP SIGNED MESSAGE-----• Hash: SHA512• • Hello Andrea, • • I appreciate you asking for my perspective on this, I believe that this issue is important not only to the researchers that perform the work, but to the

consumers and indirect beneficiaries of the technologies that we increasingly depend on. • • As you may know, I recently published an “advisory” on a “high security” electronic lock produced by a company known as “Cyberlock” which had been

specifically marketed and sold into government facilities (US and non) that required a high level of assurance and auditability for high value and/or sensitive areas. After examining the lock in detail, which involved examining the firmware in detail, we discovered the that the devices were Incapable of providing the level of protection as required as their “encryption” algorithm turned out to be little more then an easily defeated “XOR” encoding.

• • After contacting the company to report the issues and being ignored for a month, IOActive was contacted by a law firm which attempted to intimidate

first by insinuating that our reason for contacting Cyberlock was to pressure them into a “sales aspect”, then proceeded to casually ask about a co-workers non-existent “felony conviction” and finally after the call had completed I was sent a threatening letter suggesting I may have violated the DMCA anti-circumvention provision and that the company needed to protect their property, something that could be a career ending prospect for me if successful.

• • While I wish legal thuggery like this were the exception, it has become the rule, At least this has been my experience with a series of companies like

Merlincryption who ostensibly sell encryption products for SCADA, medical and M2M devices and attempted legal threats after I exposed their encryption algorithm (ASBE) as snake-oil. I also received similar threats after publishing research on vulnerabilities found in EAS (emergency broadcast/amber alert) system.

• • I believe it to be a consensus among security researchers that even though the work we do is critical to our countries long term safety and prosperity we

are simultaneously having to put ourselves as researchers at ever increasing personal risk of not only long term imprisonment and financial hardship, but it simultaneously creates an environment where its safer to sell a vulnerability on the black market then it is to report them to the vendor and the public making a connected world a much more dangerous place then it needs to be.

• • If there is anything I can do to help inform this debate I’m at your disposal. • • Mike Davis• Principal Research Scientist