Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will
go a lot farther toward building customer confidence and help avoid negative publicity.
| When |
Company making threat |
Researchers |
Research Topic |
Resolution/Status |
| 2012-05-28 |
E-Soft (UK) |
Eric Romang |
Video of Metasploit Digital Music Pad SEH overflow exploitation module |
 E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to
the same site once by another individual. The video remains available, and there have been no reported
attempts to silence news of the exploit in other manners. |
| 2012-01-31 |
Smart Grid/Meter Vendor (unspecified) |
Don Weber / InGuardians |
Smart Grid Meter Security Assessment Tool Release |
 Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to
the vendor until weeks after the ShmooCon CFP. Further, Weber says there was no vulnerabilities being disclosed, suggesting
that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client. |
| 2011-11-22 |
Carrier IQ |
Trevor Eckhart |
Carrier IQ software logs excessive information |
Carrier IQ threatens Eckhart and sends a
cease & desist letter. Shortly after negative
attention, Carrier IQ retracts the threat. Research
stays public. |
| 2011-10-13 |
First State Superannuation |
Patrick Webster |
Direct Object Reference vulnerability in FSS website |
Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity,
First State Super withdraws legal threat. |
| 2011-08-01 |
Trans Link Systems |
Brenno de Winter |
OV Transit Payment System Vulnerabilities |
Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research |
| 2011-04-27 |
Magix AG |
Acidgen |
Buffer overflow in Music Maker 16 software (version 16.0.2.4) |
Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource for security researches site,
but try to force researchers not to disclose w/o a patch or fix available, in their terms and conditions. |
| 2011-03-21 |
German telecommunications firm (unspecified) |
Thomas Roth |
Amazon EC2-based password cracking software |
Roth's
apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction had since been revoked, Roth published the research. |
| 2010-07-26 |
Financial Industry Client (unspecified) |
Varun Uppal and Gyan Chawdhary |
High-Speed Trading System Hacks |
Due to financial pressure (i.e. loss of a client), the talk was pulled and not presenter anywhere else. |
| 2010-07-15 |
Taiwanese Government |
Wayne Huang, Armorize Technologies Inc. |
The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 |
Two weeks before the conference, the talk was cancelled due
to "pressure from the Taiwanese government." |
| 2009-07-18 |
RSA |
Scott Jarkoff |
Navy Federal Credit Union Web Site Flaws |
SliceHost / TechMiso challenges RSA, RSA backs down |
| 2009-07-17 |
Comerica Bank |
Lance James |
XSS / Phishing vulnerabilities on Comerica site |
C&D Sent to Tumblr, information removed but vulnerability still present (2009-07-17) |
| 2009-06-06 |
Orange.fr |
HackersBlog |
Multiple Vulnerabilities [1] [2] |
Apparent legal threats, details not published. |
| 2008-08-13 |
Sequoia Voting Systems |
Ed Felten |
Voting Machine Audit |
Research still not published (2008-10-02) |
| 2008-08-09 |
Massachusetts Bay Transit Authority |
Zach Anderson, RJ Ryan and Alessandro Chiesa |
Electronic Fare Payment (Charlie Card/Charlie Ticket) |
Gag order lifted, Researchers hired as consultants by MBTA |
| 2008-07-09 |
NXP (formerly Philips Semiconductors) |
Radboud University Nijmegen |
Mifare Classic Card Chip Security |
Research Published |
| 2007-12-06 |
Autonomy Corp., PLC |
Secunia |
KeyView Vulnerability Research |
Research Published |
| 2007-07-29 |
U.S. Customs |
Halvar Flake |
Security Training Material |
Researcher denied entry into U.S., training cancelled last minute |
| 2007-04-17 |
BeThere (Be Un limited) |
Sid Karunaratne |
Publishing ISP Router Backdoor Information |
Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) |
| 2007-02-27 |
HID Global |
Chris Paget/IOActive |
RFID Security Problems |
Talk pulled, research not published |
| 2007-??-?? |
TippingPoint Technologies, Inc. |
/David Maynor / ErrataSec |
Reversing TippingPoint rule set to discover vulnerabilities |
Bulk of research later published at BlackHat
Briefings 07. |
| 2005-07-29 |
Cisco Systems, Inc. |
Mike Lynn / ISS |
Cisco router vulnerabilities |
Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on |
| 2005-03-25 |
Sybase, Inc. |
Next-Generation Security Software |
Sybase Database vulnerabilities |
Threat dropped, research published |
| 2003-09-30 |
Blackboard Transaction System |
Billy Hoffman and Virgil Griffith |
Blackboard issued C&D to Interz0ne conference, filed complaint against students |
Confidential agreement reached between Hoffman, Griffith and Blackboard |
| 2002-07-30 |
Hewlett-Packard Development Company, L.P. (HP) |
SNOsoft |
Tru64 Unix OS vulnerability - DMCA based threat |
Vendor/researcher agree on future timeline, Additional Tru64 vulnerabilities published,
HP asks Neohapsis for OpenSSL exploit code shortly after |
| 2001-07-16 |
Adobe Systems Incorporated |
Dmitry Sklyarov & ElcomSoft |
Adobe eBook AEBPR Bypass |
Elcomsoft found Not Guilty |
| 2001-??-?? |
Tegam International Viguard Antivirus |
Guillaume Tena (Guillermito) |
Vulnerabilities in Viguard Antivirus |
Suspended fine of 5,000 Euros |
| 2001-04-23 |
Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation |
Ed Felten |
Four Watermark Protection Schemes Bypass - DMCA based threat |
Research published at USENIX 2001 |
| 2000-08-17 |
Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) |
2600: The Hacker Quarterly |
DVD Encryption Breaking Software (DeCSS) |
DeCSS ruled 'not a trade secret' |
The following incidents are related to the ones above, but "cross the line". They
include incidents where it was not "security research", but rather activity that was
considered a crime by current laws (at the time). Instead of following a more ethical
approach or going the route of responsible disclosure, the researcher chose to
research and disclose the details in a manner that was questionable. While the threat of
law suit of such activity is frivilous to most, the companies are being prudent
because the researcher in question likely did break laws in the process.
Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats
dominate the venue and/or news, but never happened. This table will list such events, to help clarify what
happened.
Copyright 2008-2011 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the
text is not altered, and appropriate credit is given.
![[Image: Lady Liberty, Gun to Head]](legal_threats.jpg)
It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right
thing, even if it means providing a better product to their customers. Companies fear negative publicity, especially if said publicity challenges the security of their
products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and adding security is a band-aid solution
rather than an integral part of the development life cycle. Rather than work with researchers who are frequently providing what would otherwise be high-dollar
specialized consulting for free, some companies opt to go take the muddy road and pursue legal action against the researchers. This action is one of desperation
and attempts to silence and stifle legitimate research and free speech. Invariably, this ends up being a huge negative PR move, much worse than what
would occur with the publication of said research without the legal murk.