As I write this on a peaceful Palm Sunday afternoon, my Facebook feed is ablaze with outrage over a keynote Lookout Co-Founder and CTO Kevin Mahaffey gave at the CeBIT Global Conferences.
The talk was about research he and CloudFlare Principal Security Researcher Marc Rogers conducted into security vulnerabilities in the Tesla Model S.
Why the outrage? If you watch the video, Mahaffey seems to take most of the credit for hacking the vehicle.
I don’t know Mahaffey personally, but I’m very familiar with Rogers, who has proven his worth in the security industry many times over. If Rogers had been the one giving this keynote, I have no doubt he would have gone out of his way to mention his collaborator more than once.
To be fair, Mahaffey has given a shout out to Rogers in the past, particularly in the Lookout Blog. In this post from August, he writes:
My colleague Marc Rogers and I set out to audit the security of the Tesla Model S because we wanted to shine a light on a car that we hypothesized would have a strong security architecture, given the Tesla’s team’s deep software experience. Out of this research, we hoped to be start a conversation about simple and clear security best practices for the automotive industry.
In the keynote, which you can watch here, Mahaffey still uses the word “we” throughout, and names Rogers once, around the 2:53 mark. But those things are easy to miss when your talk title is “Why I Hacked The Tesla Model S.”
What I really found unfortunate about his talk: He plays up the dangers of the hack as if the sky were shattering, the shards impaling innocents on the ground.
The fact of the matter is that Tesla has welcomed this kind of research and has eagerly addressed vulnerabilities as they’ve been found. Researchers find vulnerabilities in technology all the time, and while they are serious problems that need to be fixed, the world doesn’t end over it all.
Had Rogers given this talk, I’m confident he would have used a more realistic, down-to-earth tone.
I see this whole affair as a teachable moment: There’s a protocol that must be followed in the world of security research. If someone is involved in an important bit of research, it’s important to spread around the credit — often.
Few big finds are the work of one person alone. I’ve written about countless vulnerabilities as a journalist and in my current role as part of a corporate research team. Most of the time, it’s a team effort.
Even when someone makes a discovery on their own, chances are better than average that someone else in the world has made the same discovery or something similar.
The lesson: No matter how good you feel about the work you have done, it’s important to be humble about it. At the very least, it’s only decent to mention the help you received every single time the topic comes up.
Mahaffey could have done better here.
Update: Mahaffey sent me the following response:
Hi Bill, don’t believe we know each other, but wanted to share my $0.02. If you go to 2:53 in the talk, I give credit to Marc as my research partner and use we throughout the talk. Also, if you check out the podcast here, you can see how I introduce Marc and my research: http://www.cebit.de/en/news/news-details_28036.xhtml
Title of the talk sucks (I didn’t do the submission, unfortunately, so not sure how that happened), though I want to clear the air and make it known that I have no intention of diminishing the partnership we had.
We had agreed to be able to present separately, and it’s my intention to always credit. I feel terrible that Marc feels slighted here.
