Op Ed: Crypto Pundit Emin Gün Sirer Clueless on Responsible Disclosure
If you’ve been following Cornell Professor Emin Gün Sirer on Twitter for his crypto punditry, just note who you’re dealing with. In response to a series of vulnerability disclosures for the TREZOR Wallet, Sirer, the man famous for selling his bitcoin at a low price years back, found it appropriate to drag the company for being transparent about a since-patched vulnerability in its hardware-based bitcoin security devices.
Low Blow, Emin, Low Blow
I cautioned you all about trusting "two people and a dog" from the Czech Republic with your assets. This is an old article, but there are lots of new people coming in. https://t.co/Idpy5EI6GL
— Emin Gün Sirer (@el33th4xor) December 21, 2017
For those that don’t see any issue with the tweet above, let me break it down for you.
An academic is deriding a company for upholding transparency and peer review when a vulnerability is found in its devices, a practice that is unfortunately still not standard across the tech industry.
The alternative approaches TREZOR could have legally taken, including hostility toward the researchers who reported the vulnerabilities, would all have produced tangibly worse outcomes, in both the short and long term, than the course of action TREZOR actually chose.
How come other hardware wallets have not suffered from such problems?
— Emin Gün Sirer (@el33th4xor) December 22, 2017
The vulnerabilities outlined in the article Emin cites have since been patched by TREZOR, and are thus irrelevant to users who keep their firmware up to date.
And Ledger is having firmware patch woes of its own right now, so other hardware wallets have in fact suffered from similar problems. On the flip side, researcher Saleem Rashid argues Ledger is not being forthright about the true gravity of the issue its new firmware fixes.
I’ll happily take transparency over the alternatives, then.
We Should Applaud Transparency in Crypto, Not Chide
Emin dragged a company for following security best practices and doing as much due diligence as possible.
He’s apparently angry that researchers found problems in a hardware wallet in the first place, which is a bit like being mad at your plumber because a heavy snow burst one of your pipes. Tech security is never a space of absolutes.
Every piece of software and hardware on the market has vulnerabilities; what matters is how the people who built it act when those vulnerabilities are found.
The only incentive to be secretive about a vulnerability patch is the off-chance that an otherwise ignorant person with a platform (e.g., Emin Gün Sirer) whips up a media circus about something you’ve already done everything you can to fix. By punishing a vendor for disclosing, Emin is contributing to the disclosure problem, pushing vendors toward silence, and indirectly to the coffers of bad actors who profit from vulnerabilities that stay undisclosed and unpatched.
What’s your take? Do you think people should be more careful about what they say in the cryptocurrency space in general? Sound off below.