Legal Threats Against Security Researchers

How vendors try to save face by stifling legitimate research

[Image: Lady Liberty, Gun to Head] It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right thing, even if it means providing a better product to their customers. Companies fear negative publicity, especially if said publicity challenges the security of their products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and adding security is a band-aid solution rather than an integral part of the development life cycle. Rather than work with researchers who are frequently providing what would otherwise be high-dollar specialized consulting for free, some companies opt to go take the muddy road and pursue legal action against the researchers. This action is one of desperation and attempts to silence and stifle legitimate research and free speech. Invariably, this ends up being a huge negative PR move, much worse than what would occur with the publication of said research without the legal murk.

Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will go a lot farther toward building customer confidence and help avoid negative publicity.

Researchers: help protect yourself from legal issues. Visit the EFF's Coders' Rights Project. Work with companies and respect their timelines for implementing fixes.

When Company making threat Researchers Research Topic Resolution/Status
2012-05-28 E-Soft (UK) Eric Romang Video of Metasploit Digital Music Pad SEH overflow exploitation module E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to the same site once by another individual. The video remains available, and there have been no reported attempts to silence news of the exploit in other manners.
2012-01-31 Smart Grid/Meter Vendor (unspecified) Don Weber / InGuardians Smart Grid Meter Security Assessment Tool Release Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to the vendor until weeks after the ShmooCon CFP. Further, Weber says there was no vulnerabilities being disclosed, suggesting that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client.
2011-11-22 Carrier IQ Trevor Eckhart Carrier IQ software logs excessive information Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public.
2011-10-13 First State Superannuation Patrick Webster Direct Object Reference vulnerability in FSS website Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat.
2011-08-01 Trans Link Systems Brenno de Winter OV Transit Payment System Vulnerabilities Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research
2011-04-27 Magix AG Acidgen Buffer overflow in Music Maker 16 software (version Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource for security researches site, but try to force researchers not to disclose w/o a patch or fix available, in their terms and conditions.
2011-03-21 German telecommunications firm (unspecified) Thomas Roth Amazon EC2-based password cracking software Roth's apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction had since been revoked, Roth published the research.
2010-07-26 Financial Industry Client (unspecified) Varun Uppal and Gyan Chawdhary High-Speed Trading System Hacks Due to financial pressure (i.e. loss of a client), the talk was pulled and not presenter anywhere else.
2010-07-15 Taiwanese Government Wayne Huang, Armorize Technologies Inc. The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 Two weeks before the conference, the talk was cancelled due to "pressure from the Taiwanese government."
2009-07-18 RSA Scott Jarkoff Navy Federal Credit Union Web Site Flaws SliceHost / TechMiso challenges RSA, RSA backs down
2009-07-17 Comerica Bank Lance James XSS / Phishing vulnerabilities on Comerica site C&D Sent to Tumblr, information removed but vulnerability still present (2009-07-17)
2009-06-06 HackersBlog Multiple Vulnerabilities [1] [2] Apparent legal threats, details not published.
2008-08-13 Sequoia Voting Systems Ed Felten Voting Machine Audit Research still not published (2008-10-02)
2008-08-09 Massachusetts Bay Transit Authority Zach Anderson, RJ Ryan and Alessandro Chiesa Electronic Fare Payment (Charlie Card/Charlie Ticket) Gag order lifted, Researchers hired as consultants by MBTA
2008-07-09 NXP (formerly Philips Semiconductors) Radboud University Nijmegen Mifare Classic Card Chip Security Research Published
2007-12-06 Autonomy Corp., PLC Secunia KeyView Vulnerability Research Research Published
2007-07-29 U.S. Customs Halvar Flake Security Training Material Researcher denied entry into U.S., training cancelled last minute
2007-04-17 BeThere (Be Un limited) Sid Karunaratne Publishing ISP Router Backdoor Information Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06)
2007-02-27 HID Global Chris Paget/IOActive RFID Security Problems Talk pulled, research not published
2007-??-?? TippingPoint Technologies, Inc. /David Maynor / ErrataSec Reversing TippingPoint rule set to discover vulnerabilities Bulk of research later published at BlackHat Briefings 07.
2005-07-29 Cisco Systems, Inc. Mike Lynn / ISS Cisco router vulnerabilities Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on
2005-03-25 Sybase, Inc. Next-Generation Security Software Sybase Database vulnerabilities Threat dropped, research published
2003-09-30 Blackboard Transaction System Billy Hoffman and Virgil Griffith Blackboard issued C&D to Interz0ne conference, filed complaint against students Confidential agreement reached between Hoffman, Griffith and Blackboard
2002-07-30 Hewlett-Packard Development Company, L.P. (HP) SNOsoft Tru64 Unix OS vulnerability - DMCA based threat Vendor/researcher agree on future timeline, Additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after
2001-07-16 Adobe Systems Incorporated Dmitry Sklyarov & ElcomSoft Adobe eBook AEBPR Bypass Elcomsoft found Not Guilty
2001-??-?? Tegam International Viguard Antivirus Guillaume Tena (Guillermito) Vulnerabilities in Viguard Antivirus Suspended fine of 5,000 Euros
2001-04-23 Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation Ed Felten Four Watermark Protection Schemes Bypass - DMCA based threat Research published at USENIX 2001
2000-08-17 Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) 2600: The Hacker Quarterly DVD Encryption Breaking Software (DeCSS) DeCSS ruled 'not a trade secret'

Notes about this page:

The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will come forward with additional information or clarification.

When Company making threat Researchers Research Topic Resolution/Status
2008-08-01 Apple Charles Edge / 318 Inc. FileVault encryption system weaknesses NDA between Edge/Apple existed already, Apple called Edge on it. Researcher "rescinded talk" but BH CFP team shows no record of talk being submitted in first place. Attrition Theory: Incident used as press fodder for 318/Edge attention.
2006-12-07 Oracle Corporation Argeniss Week of Oracle Bugs (WoOB) WoOB cancelled, rumors of financial/legal threats

The following incidents are related to the ones above, but "cross the line". They include incidents where it was not "security research", but rather activity that was considered a crime by current laws (at the time). Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of law suit of such activity is frivilous to most, the companies are being prudent because the researcher in question likely did break laws in the process.

When Company making threat Researchers Research Topic Resolution/Status
2010-08-23 n/a Hari Prasad, Netindia Voting Machine vulnerability research Prasad arrested, machine given to him was apparently stolen
2008-09-12 Carleton University Mansour Moufid Used keylogger to expose student information Moufid charged with computer crime
2006-04-28 University of Southern California Eric McCarty Database programming error allows disclosure of student SSN and more McCarty charged with computer crime
2003-08-18 Tornado Development, Inc. Bret McDanel Secure Webmail Session Hijacking discovery Arrested, tried, convicted and sentenced to 16 months of prison time
2002-03-18 Harris County District Court Stefan Puffer Insecure wireless network discovery Faces 5 years and $250,000 fine. The jury deliberated for 15 minutes before acquitting Puffer.

Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats dominate the venue and/or news, but never happened. This table will list such events, to help clarify what happened.

When Company making threat Researchers Research Topic Resolution/Status
2010-06-29 ATM Vendors (unnamed) Raoul Chiesa ATM Vulnerabilities Initial reports said that Chiesa was threatened by ATM vendors and forced to cancel last minute. according to Chiesa, no threats were made. The talk was cancelled for "logistical issues that day". Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date.

Finally, the Electronic Frontier Foundation maintains a Takedown Hall of Shame that is related to this topic.

Copyright 2008-2011 by Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.