Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers.

By raising the amount of work required for researchers to get their voices heard it makes it all the more likely attackers will build the tools first. It also raises the legal liability for researchers. Sotirov and Applebaum contacted the EFF before giving their presentation. They were concerned about the legality of presenting their attack method. They had to be very careful about how they presented their work, because it was a practical attack, not theoretical.

The EFF advised them not to tell the effected certificate authorities in advance lest their presentation be subject to a lawsuit and never be heard.

It was not an unreasonable fear. Student researchers from MIT had their presentation halted by a judge six months earlier at the DEFCON conference in Las Vegas. The students researched the Massachusetts Bay Transportation Authority’s payment system and how it was affected by various vulnerabilities, including in the chip card used by the MBTA. They built the attack tools, demonstrated them, and recorded the results.

The students had planned to demonstrate the attacks at DEFCON, but their advisor at MIT, Prof. Ron Rivest, suggested that they notify the MBTA first. After all, that is considered the responsible thing to do.

There was a bit of back and forth between the students and the MBTA, but at the end of it all, a judge was convinced to gag the students. Their presentation did leak out because it was already published in the conference materials. The student's court case is still going on as of this writing.

Such incidents suggest that the organizations most in need of a practical demonstration to prod them to be more secure are also the organizations that are most likely to try to shoot the messenger. The security community needs make it clear that gagging researchers is never acceptable.

I don’t see the need for demonstrations going away. As more of the computing infrastructure moves into the cloud, it is more likely that demonstrations, like the Rogue CA or the MBTA payment system attack, will need to touch computer infrastructure that isn't owned by a security researcher.

Unless there is some sort of safe harbor for researchers, attackers will be the only ones demonstrating the vulnerabilities, and they won’t be giving any presentations.