So from my possibly naive understanding of this article the new researchers want to publish the exploit on GitHub to ensure it gets fixed. But even they hold off on some of the worst exploit vectors because of an ethical dilemma. It would seem to me that any of this being published is probably as good as all of it for bad actors to reverse engineer the exploit and then study the usb spec and create new attacks. Just the mention of this sort of exploit is probably enough to make someone try and find it. So they seem to be contradicting themselves here. If it needs to be fixed and releasing will spur the industry into fixing it, it should be published.
Is there something I am missing here? Serious question.
Is there something I am missing here? Serious question.