I posted earlier about a story in which Sensus filed a request for a temporary restraining order to prevent Seattle City Light from releasing documents submitted in an RFP. Under Washington state law, when Sensus submitted to the RFP, their documents became public record. Now they want to undo that, claiming in part that releasing details of the encryption used to "protect" the smart meters would lead to security compromises. Infosec professionals know this probably means that they rolled their own encryption. Separately, we've known for years that the only good encryption is that which is independently audited.
A copy of the temporary injunction is here. A hearing is scheduled for June 9th to determine whether the injunction shall be made permanent.
I hope the EFF will file an amicus brief in this case to at least get security details of the devices released. Sensus is trying to get pricing details redacted as well, calling that data a trade secret. There are almost certainly other trade secrets detailed in the bid, but the moment at which Sensus placed those in a document that is publicly available, they lost trade secret protection as I understand it (of course I am not a lawyer).
If you live in Seattle or Washington, now is a fine time to talk to your elected officials about this case. The outcome will likely have national effects on security research, particularly for anything that can reasonably be called "critical infrastructure."
Bottom Line
As with much of the public debate around security research, we need to remember that only the good guys follow laws. The bad guys will obtain these devices and the data about these devices without the help of a public records release. The public is not served by allowing these black box devices to be installed without proper independent security reviews.