Thursday, March 28, 2013

When Journalists are Going Deaf

Hi to all

Recently I have answered to a journalist from the Economist about the Vupen case, to explain to him the different aspects of the vulnerabilities market (history, prices, strategic and tactical issues, what to think about vulnerabililties...). I have just discovered his article today and I would like to react to some of his claims that are totally wrong. I have explained to him that contrary to Vupen and companies working in this area, we are not working nor using vulnerabilities at all, except for teaching purposes (in our Master course for example) and very seldom to validate part of our results regarding defense techniques.
All of our research deals with algorithmics and design concept weaknesses. So we are absolutely not interested in this kind of research since we mostly focus on mathematical aspects. For implementation vulnerabilities, there are companies that do the job very nicely. 

I am heading a R&D lab not a business and whenever we find some security issues we publish it for free in hacking conferences or on the present blog after having contacted the editor (like in this recent case). Implementation flaws are not interesting from my point of view since they can be patched and therefore their lifetime is very limited contrary to mathematical flaws or conceptual backdoors. Anyone who knows about our research can confirm that we do not work on implementation flaws and that we have never taken part to any reversing challenge.
I am fed up with journalist whose only interest is to make buzz while we simply try to educate people.
Eric Filiol