The Norwegian Government hacked my start-up
This is not something you hear every day, but this really happened to Colleen Wong and her team at TechSixtyFour! Check out this very thought-provoking blog written by the cybersecurity team she hired after getting hacked by the Norwegian Consumer Council.
Much of the objection raised by the blog was to the short (in the blogger's view) amount of time between the time the start-up was notified by the Norwegian Government and the time the presence of the vulnerability was announced to the press. He doesn't indicate how the start-up responded in the month between the initial notice and release to the press. Nor does he state how much the government revealed about the attack mechanisms in the statement to the press.
Depending on these two pieces of information, I might sympathize, or I might not. Did the start-up promptly reply to the initial notice, immediately start efforts to close the vulnerability, and ask for time to address it before any government statement? That would earn some sympathy.
Did the government release details of the vulnerabilities found, or just the fact that vulnerabilities were found in the product(s)? I'd have more sympathy in the former case than the latter case.
Some product categories and technologies used to implement them are subject to tighter regulations for good reasons - to protect user safety, and to protect against interfering with operation of other products.
I am strongly in favor of STEM programs and the maker movements encouraging innovation and problem solving. But even innovative product development needs to address the safety and interoperability aspects of the product. And by the time a start-up has retail distribution already set up, they should be serious enough to address these less glamorous aspects of development.
So apps allowing kids to be tracked by third parties should not need fixing because the engineering team is not doing their due diligence?
If you read the other side of the case, even after the specialists had "fixed" the product, the next test still found vulnerabilities. How many chances should you get?