Christina Warren, now writing at Gizmodo:
After finding serious security vulnerabilities in St. Jude Medical’s pacemakers and defibrillators, cybersecurity and research company MedSec decided to take that information to a short-seller (Carson Block of the investment firm Muddy Waters) which then bet against the company in the stock market. This was instead of disclosing the vulnerability, in theory something that could endanger lives, to the manufacturer St. Jude.
Sometimes I wish I had a podcast or a television show instead of words on a page, so I could play a supercut of people saying “that’s fucked up” right now.
MedSec CEO Justine Bone:
In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message.
What a load of horse shit. While MedSec is right that electronic medical devices need vastly better security, there are loads of legitimate paths that they could have taken to ensure that St. Jude was required to fix their devices. As MedSec is only now going to the FDA, their decision to put profits over responsible disclosure is scarcely better than selling the vulnerability to the highest bidder.