[ISN] Japanese Government Bans Security Researcher's Speech

From: InfoSec News (isn@private)
Date: Mon Nov 15 2004 - 02:48:20 PST


http://www.ejovi.net/archives/2004/11/japanese_govern.html

November 12, 2004

[JUKI net is Japan's national ID system. Ejovi performed a security
audit of the system for Nagano Prefecture one year ago]

Its been a long day. I am greatly disappointed that Soumushou, the
Japanese government that maintains JUKI net, prevented me from
speaking today at the PacSec security conference. Soumushou prevented
my talk by threatening the Japanese event who currently are seeking
contracts from the government

The Japanese government gave me two options.

1) Do not talk
2) Drastically change your slides to say what they want me to.

When I offered to not use slides at all and give my own opinion they
told me that I would not be permitted to speak AT ALL. It is obvious
to me that they did not have an issue with my slides or presentation.
They were afraid that I would draw attention to problems in JUKI net.
Soumushou thinks that they can hide from the issues. They think that
if they keep people from speaking about the issues, it will go away. I
thought I would be immune from such Japanese government pressures
however I underestimated Soumushou's ability to manipulate those
around me.

Soumushou's reason for forbidding me to speak was this "Since we are
endorsing the convention we have to right to tell you not to speak" if
this is the case, the Japanese government needs only sponsor or
endorse ANY event in which they don't agree with and force the
organizers to change the content. If this is the case Japan will never
make any progress towards a safer environment.

What is most upsetting to me is the fact that I HAD NO PLANS TO
CRITIZE the Japanese government. My talk was going to be extremely
fair and balanced addressing the issues raised by both sides. In fact
I invited Soumushou to meet with me directly so that I can address any
issues they may have. I told them this on the telephone and by email.
Instead they choose to pressure the Japanese representatives of the
conference. They never attempted to talk with me directly. Why is
this?

If they had issues with something I may say why not ask me about it?
Why pressure a company they relies on government contracts? Is this
fair? The purpose of my talk was to present both sides of JUKI net
security systems. I have no vested interest in seeing it fail or in
seeing it succeed. I only wanted to recommend how best to make it
safer, how best to improve the system. But Soumushou believed that my
recommendations on how to improve its security alone would mean that
JUKI net has problems and they refused to admit this. I'm sorry to
tell them but it does have security problems. The good news is that
the technical issues can be easily resolved. However the greatest
problem with JUKI net is not technical but Soumushou's inability to
even acknowledge that they exist! How can a system become secure if
the Japanese government are not willing to listen to someone who
points out issues.

Today was a sad day for Japan and a frustrating day for me.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Mon Nov 15 2004 - 04:50:16 PST