Running head: Pressure (not) to Publish

Pressure (not) to Publish: Discussing the Publication of Cyber Security Research

Karen Farthing
CSC540, Spring 2013
Murray State University

Abstract

Cyber security researchers are increasingly facing a daunting dilemma: to publish or not to publish? The ethical argument can be approached from two different perspectives. The first school of thought posits that any exploits discovered should be published, so that systems administrators are aware of the ever-evolving threat. The second school of thought is espoused largely by business and government, and posits that new exploits should not be published, because publication leaves systems vulnerable to attack. It is a David and Goliath struggle, leaving researchers in the unenviable position of having to choose the hard right over the easy wrong. Legislation has been unable to keep pace with a rapidly changing technological landscape, leaving the line between legal and criminal behavior open to debate. So where does that leave the researcher? No man's land.

Introduction

Cyber security researchers face an increasingly difficult battle when attempting to publish or present their work. Publishing security vulnerabilities is risky. Researchers must take care not to publish too much; for example, if a researcher publishes too much functional code, the vulnerability discussed could be exploited before patches can be applied. There are also no whistleblower protections in place for researchers. They face legal threats from businesses and governments, and fall victim to smear campaigns when companies don't have a legal leg to stand on (Attrition.org, 2013).
In the following pages, this paper will discuss legal and other barriers to publication; case histories that describe white hats, grey hats, black hats, and innovators; identification of factors that contribute to the issue; and identification of steps that might alleviate the problem.

Barriers to Publication

There are many legal vehicles that contribute to the limitations placed upon researchers who want to publish vulnerability reports. Likewise, businesses and governments sometimes resort to less than legal means aimed at discouraging researchers from publishing information about security vulnerabilities.

Legal Barriers

Copyright Law is intended to protect a creator from unauthorized reproduction of his work. This applies to software, as well as music, video, and a number of other works. Security researchers must often make copies of software in order to find bugs or exploits, and this can violate copyright law (Electronic Frontier Foundation, 2013).

Trade Secret Law is intended to protect the proprietary works of businesses engaged in maintaining an edge over their competition. According to the Coders' Rights Project FAQ from the Electronic Frontier Foundation, "...misappropriation of trade secrets can be both a civil and criminal offense. Generally, a trade secret is information that (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Misappropriation means a wrongful acquisition, use, or disclosure of a trade secret" (Electronic Frontier Foundation, 2013). Reverse engineering of software or hardware can fall under the auspices of violation of trade secret law. Companies often try to claim that security vulnerabilities fall under trade secret law, because if knowledge about a vulnerability were to be made public, it could have a deleterious effect upon their competitive advantage or adversely affect the value of their holdings.

Patent Law ostensibly grants the creator of a work or invention sole use of the aforementioned for a limited period of time. It is intended to prevent the infringement of other parties upon their intellectual property, during the period of time that said property has the most earning potential. Researchers can run afoul of patent law if they create a hardware hack that behaves or operates too similarly to another product currently under patent, regardless of how the researcher created the hack.

The Digital Millennium Copyright Act (DMCA) is the juggernaut that all security researchers must face. Any security researcher venturing into the arenas of Digital Rights Management (DRM) or technological protection measures must tread very, very carefully. Even when caution is exercised, researchers will most likely violate the DMCA at some point. The terms of the DMCA are broad and open to interpretation at every turn. Congress did, however, provide three limited circumstances under which security researchers can conduct reverse engineering, encryption research, and security research. Distribution of code or tools that circumvent the provisions of the DMCA can only occur in limited circumstances and must be under the supervision of and with permission from the entity that stands to be injured as a result of said research. The DMCA has had an impact on the worldwide cryptography research community, since an argument can be made that any cryptanalytic research violates, or might violate, the DMCA. Additionally, critics argue that the DMCA stifles free expression (see the case histories of Felten and Sklyarov), jeopardizes fair use for owners of various media, impedes competition, and interferes with computer intrusion laws. However, since this paper is not intended as a discussion of the DMCA, please refer to section 1201 of the Act for the details.

Contract Law surrounds the concept of a legally enforceable "promise" between two parties. Non-disclosure Agreements (NDAs) fall into this category, as do EULAs and Terms of Service/Terms of Use. Contract law most benefits the company that employs a researcher, rather than the researcher himself. Since this area of the law is "murky", researchers who publish their work against the wishes of their employers stand a very good chance of at least getting fired, if not sued, for breach of contract.

Criminal Law is designed to punish lawbreakers (of course). Researchers can be charged under various criminal codes if it can be proved that they published their work with the intent to help others commit a crime (aiding and abetting), or if the research is so detailed that it would be simple for others to commit crimes (facilitation).

International Law varies from country to country (of course), and is much too broad to cover here in a limited but meaningful way. Researchers should be mindful of a host country's laws when working overseas, and should be mindful of any laws they might break via use of telecommunications technologies that span borders.

Other Methods

"Media smear" campaigns have been instigated against researchers when there was no clear legal method for stopping the publication of their work. A particularly vicious instance involved researchers David Maynor and Jon Ellch, who cracked a MacBook at Black Hat in 2006 using third-party drivers and third-party wireless hardware.
Apple PR director Lynn Fox orchestrated a smear campaign accusing Maynor and Ellch of fabricating aspects of the hack, all in an attempt to make it appear that Apple was a victim of unscrupulous hackers (Ou, 2007).

Overt and covert threats have been used to intimidate researchers into cancelling, delaying, or withdrawing publication. One popular method is for a company to issue a DMCA takedown notice to a researcher, only to rescind the notice later. In one instance, banking equipment manufacturer Thales sent a DMCA takedown notice to John Young, who runs the well-known Cryptome site, demanding that he remove a manual for one of their HSM products (Moody, 2013). HSM stands for "hardware security module", and in the banking industry HSMs are instrumental in managing the cryptographic keys and PINs used to authenticate bank card transactions. The manual in question had been used for years by security researchers who were investigating vulnerabilities and cryptographic weaknesses, and those vulnerabilities were causing Thales some notable embarrassment.

Another instance involves Patrick Webster, a security consultant in Australia, who quietly warned First State Superannuation Fund about a web vulnerability that would allow a hacker to access users' accounts (Pauli, 2011). The Fund thanked him for the tip, fixed the flaw within 24 hours, then sent the police to his house the next day to "investigate". The Fund demanded that Webster turn over his personal laptop to their in-house IT staff, and also informed him that he could be held liable for any expenses related to fixing the flaw that he reported. So, this researcher saved the company potentially millions of dollars by alerting them to the flaw, alerted them privately so that they could avoid any embarrassment, and they threatened him with legal action and a repair bill.

Firings due to pressure from others are another tactic used by businesses to curtail or punish unflattering publication. Dan Geer, former CTO of @stake Inc., was let go just a day after the publication of a paper he co-authored that was sharply critical of Microsoft Corp., one of @stake's customers. The paper covered the effects that Microsoft's monopolistic position has on the security of the Internet, and argued that the dominance of Windows in the marketplace has created a monoculture in which all systems are more vulnerable to widespread attacks and viruses (Fisher, 2003). Both @stake and Microsoft claimed that Geer was let go for other reasons, but Geer professed serious doubts.

Case Histories

Security researchers typically fall into one of four categories: white hats, grey hats, black hats, and innovators. They all hack or crack systems, but have varying motivations. While many researchers claim to be white hats, the truth is that most of them are actually grey. The following section details the attributes of each, and provides a few "case histories" for members of each category.

White hats profess to work to secure systems without breaking into them. "Hackers for good", they work with software companies and governments to resolve vulnerabilities and won't announce vulnerabilities until a company is ready or found to be responsible. They will show the system owner, but no one else, how to exploit a vulnerability, and will only attack systems when authorized (Hafele, 2004).

Grey hats have a tendency to either skirt the law or run afoul of the law in the course of their research. They might break into systems to heighten awareness of security flaws, and have a tendency to announce vulnerabilities publicly without informing the company (or on the same day that the company is notified). They may release exploit code or tools that aren't easily modified for hacking security, and will explore holes before notifying the owner of vulnerabilities (Hafele, 2004).
Black hats are the bad guys. A black hat cares more about controlling and accessing systems than about security. He will keep all of his exploits to himself, and will trade with others on closed lists. He won't publish, and hacks for his own gain or for malicious reasons (Hafele, 2004).

White Hats

Ed Felten is currently the Director of Princeton's Center for Information Technology Policy. Felten was a witness for the government in US v. Microsoft, where Microsoft was accused of a variety of anti-trust violations surrounding the exclusive use of Internet Explorer with the Windows operating system. Microsoft asserted that IE could not be removed from the distribution without causing damage to the OS. Felten and a team of his students were able to prove otherwise, severely damaging Microsoft's case. He is probably best known for his involvement with the Secure Digital Music Initiative (SDMI), wherein the Recording Industry Association of America and Verance Corporation sued him and his team for winning a competition they sponsored. The competition asked participants to attempt to break the watermarking schema in use for protecting copyrighted music from unauthorized use. In just three weeks, Felten's team was able to remove any watermarks, rendering the SDMI schema useless. When he attempted to publish his work, the RIAA and Verance threatened to sue him under the auspices of the DMCA for violation of section 1201 of the same. The suit failed, and Felten presented his work at Usenix in 2001. Felten was instrumental in uncovering security and accuracy problems in Diebold and Sequoia voting machines. He and his students also discovered the cold boot attack, which allows someone with physical access to a machine to extract the contents of memory after bypassing any security methodologies (Wikipedia, 2013).

Michael Lynn was instrumental in highlighting security flaws in Cisco's IOS. Dubbed "Ciscogate", the flaw centered around IPv6 packets, and whether or not a Cisco device could be exploited remotely. Cisco fixed the flaw in early 2005, and Lynn was scheduled to present a paper at Black Hat the same year detailing the results of his research. Lynn was careful to remove as much detail as possible, but Cisco objected, strenuously. Representatives from the company arrived at the conference a few hours before he was scheduled to present, confiscated his paper and notes, and pressured Black Hat into cancelling his presentation. Lynn's employer, ISS, also gave him a "cease and desist" order regarding the presentation, and told him he would be fired if he presented his work. Lynn resigned from his position at ISS an hour prior to presenting, and asked attendees for a job just before giving his speech. He was hired by Juniper Networks a few months later, and is still employed there (Masnick, 2005).

HD Moore is an innovator and white hat who developed Metasploit, one of the most widely used penetration testing and vulnerability assessment frameworks in use (Stop The Hacker, 2012). He also developed the Metasploit Decloaking Tool, which purports to be able to identify a user's IP address regardless of the use of proxies or VPNs. Current research projects include the Month of Browser Bugs, which aims to combine fast-paced discovery with full disclosure.

Grey Hats

Robert Morris was the first person convicted under the Computer Fraud and Abuse Act for spawning the Morris Worm, considered by many to be the first internet worm. Designed as a means for measuring networks, the worm was developed by Morris while he was a graduate student at Cornell. The story of how the worm "escaped" changes from time to time, but most accounts agree that Morris developed the worm as a means to test and map the limits of the local area network in a laboratory environment. However, containment of the worm failed, and in an effort to disguise where the worm originated, Morris managed to divert it to MIT, where it spread worldwide. Morris is currently a tenured professor of Computer Science at, you guessed it, MIT (Anthony, 2011).

Dmitry Sklyarov is a Russian programmer who gained notoriety for cracking Adobe's ebook DRM scheme while employed at Russian software company ElcomSoft. In 2001, after giving a presentation at DEF CON titled "eBook's Security - Theory and Practice", Sklyarov was arrested by the FBI and jailed for violating the DMCA after complaints from Adobe. However, the DMCA does not apply in Russia, and the courts decided that a Russian citizen working for a Russian company could not be held accountable under the DMCA. Both Sklyarov and ElcomSoft were found not guilty at trial (Wikipedia, 2013).

Jon Lech Johansen (DVD Jon) is a Norwegian programmer with a thing for DRM: he hates it. Since 2001, Johansen has developed 16 different methodologies for defeating DRM on a multitude of platforms. Ironically, the Sony Rootkit actually used code stolen from Johansen, and some have argued that he might have a case to sue Sony under the DMCA. His most notorious exploit was the release of DeCSS, a method for defeating the Content Scrambling System in use on DVDs (Anthony, 2011).

Black Hats

Kevin Mitnick's first exploit occurred at the age of 12, when he figured out how to ride the transit system in LA for free by bypassing the punch card system in use. He became a social engineer, garnering usernames, passwords, and modem phone numbers. He hacked DEC at age 16 and was tried and convicted to 12 months in jail with three years' supervised release. Near the end of his three-year probation, he hacked PacBell's voice mail system, then went on the run for over two years. By the time the FBI finally caught him, he had hacked numerous networks, cloned cell phones, and stolen proprietary software from cell companies (Anthony, 2011).

Kevin Poulsen is currently the editor of Wired Magazine, but he began his career as a phone phreak. His most notorious exploit was hacking the phone lines of a local radio station in order to ensure that he was the 102nd caller, to win a Porsche. The FBI began pursuing him for myriad crimes, and he turned fugitive. When a special was aired on America's Most Wanted profiling Poulsen, you guessed it, the phone system at AMW crashed. After his release from prison, he managed to reinvent himself as a white hat and investigative journalist. Poulsen used exploits on MySpace to identify over 700 sex offenders engaged in soliciting sex from children, and was the man who broke the Bradley Manning-WikiLeaks story (Anthony, 2011).

Gary McKinnon is accused of hacking into 97 United States military and NASA computers over a 13-month period between February 2001 and March 2002. The US authorities claim he deleted critical files from operating systems, which shut down the United States Army's Military District of Washington network of 2,000 computers for 24 hours. McKinnon also posted a notice on the military's website: "Your security is crap". After the September 11 attacks in 2001, he deleted weapons logs at the Earle Naval Weapons Station, rendering its network of 300 computers inoperable and paralyzing munitions supply deliveries for the US Navy's Atlantic Fleet. McKinnon is also accused of copying data, account files and passwords onto his own computer. US authorities claim the cost of tracking and correcting the problems he caused was over $700,000 (Wikipedia, 2013).

Identify the Problem

Ideological disconnect

There is an ideological disconnect between researchers and security professionals on the one hand, and the businesses and governments they work for on the other. The researchers' view: publish known vulnerabilities so they can be prevented. Business's and government's view: don't publish, because if the exploit is unknown, we aren't vulnerable. You can see where this would lead to problems.
Appendix A lists a veritable cornucopia of instances detailing what happens when these competing ideologies clash. Some examples include:

Researcher Ahmed Al-Khabaz discovered vulnerabilities in Skytech's Omnivox portals that exposed 250k student records, and brought it to the attention of Dawson College. Skytech threatened to press charges and send him to jail if he did not sign an NDA (Attrition.org, 2013).

Consultants Varun Uppal and Gyan Chawdhary discovered high-speed trading system hacks during the course of business with a client. Due to financial pressure (i.e. the loss of said client), the talk was cancelled and has not been published (Attrition.org, 2013).

Security specialist Patrick Webster found a direct object reference vulnerability in First State Superannuation's website. He received a letter indicating FSS had reported him to the police, and threatening him with further legal action. After negative publicity, First State Super withdrew the legal threat (Attrition.org, 2013).

There are no "whistleblower" protections anywhere to protect researchers, consultants, or security specialists. Not in the DMCA, not in any of the legal statutes related to cybercrime and security, and not in business law.

The "Grey Hat" concept is tricky. Most researchers aspire to be white hats, but before you get the pay and the position, you have to break some rules and build a reputation. That means either black hat or grey hat activity. Unfortunately, government and business have a tendency to lump black and grey together, and they only tolerate white hats as "guns for hire" because they have to.

Businesses defining legislation via lobby to uninformed legislators (he who has the most money wins)

Almost everyone agrees that the DMCA is a bad piece of legislation. Its only real purpose is to prop up a failing business model adhered to by producers of "art". I'm not attacking the artist here, but rather entities like the RIAA, the MPAA, and the big publishing houses. These entities banded together, spent a LOT of money, and got the legislation they wanted through use of lobbyists and payments to members of Congress.

Researchers "crossing the line" into illegal activity (as currently defined)

There have been cases where researchers have crossed the line into illegal activity, and have even become blackmailers and extorters. However, most of that information is anecdotal, found on forums and blogs. One notable example is the case of Bret McDanel. While employed at Tornado Development, McDanel discovered a flaw in the web-mail product provided to customers. McDanel notified Tornado, and when they took too long to fix the problem, he quit. Six months later (and employed at another company) he discovered that the flaw had not been fixed. He took on the name "Secret Squirrel" and e-mailed about 5,600 of Tornado's customers over the course of three days, telling them about the vulnerability, and directed them to his own website for information about it. This caused Tornado to panic, and to delete customers' emails without consent so they couldn't read McDanel's message. McDanel was arrested, tried, convicted and sentenced to sixteen months in prison, because of the email and website he crafted. However, there was no evidence that McDanel or anyone else ever exploited the vulnerability. McDanel was prosecuted for "knowingly causing the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization." This charge is normally reserved for people who publish viruses and worms, not for people who publish unpatched exploits to the potential victims. So, even though no "computer crime" was actually committed, he was convicted for "impairing the integrity" of a system (Rasch, 2003). This is an excellent example of the disconnect between researchers and government.

While McDanel could have acted less like an angry teenager and more like a polished professional, he really didn't have much of a choice. He could have gone back to the management at Tornado and expressed concern, but that didn't work the first time. Had he threatened to expose the vulnerability if Tornado didn't fix it, he could have been charged with extortion. Had he broken in and fixed the flaw himself, he definitely would have been outside the law. So he did what he thought was best, and because federal prosecutors decided to stretch the limits of the law, he went to jail. Not fair.

Solve the Problem

Current recommended practices

One of the current practices recommended by the EFF's Coders' Rights Project is delayed publication, also known as "responsible disclosure". This involves self-policing on the part of researchers and a good faith effort to notify the affected parties of any exploits prior to publishing any work. It also requires that researchers do not publish until adequate time has been given for the affected parties to build a patch or close loopholes.

Another recommended practice involves limited publication. This practice requires that researchers publish the concept, not a fully functional exploit. This would prevent bad actors from taking advantage of exploits that have not been or cannot be patched. Also included in limited publication is that researchers publish only to a limited audience: peers, business, and government entities. By keeping to a smaller "pond", researchers limit the number of fish that get to feed. Both of these practices are a win-win for everyone involved, and show a level of professionalism and mutual respect for security partners.

Fix bad/broken legislation

Current legislation has not kept pace with the state of the industry. Almost every facet of current legislation has weaknesses: the DMCA, copyright/patent law, criminal/international law, even business and civil law.
While pointing out weaknesses is easy (and would take all day), coming up with a solution is not so simple. One good first step would be to limit or redefine lobby access and the legislative process to include advocates from within the industry, from researchers, from business concerns, and from our legislative representatives. I'm not sure how to make that work, either, but change needs to start somewhere.

Proposed Future Practices

Going forward, in addition to the steps outlined in "Solve the Problem", a new mindset should be developed. One recommendation is to redefine the business model or philosophy to embrace early and ubiquitous reporting of vulnerabilities and exploits. This has huge implications for national security as well as business. Without a fundamental change of mindset, however, this will never happen. This change can be facilitated by adopting an "Open Source" mindset between all stakeholders (business, government, researchers).

References

Anonymous. (2001, Apr 20). RIAA Challenges SDMI Attack. Retrieved Apr 3, 2013, from The Register UK: http://www.theregister.co.uk/extra/sdmi-attack.htm

Anthony, S. (2011, Sep 1). Black hat down: What happened to the world's most famous hackers? Retrieved Mar 3, 2013, from Extremetech.com: http://www.extremetech.com/extreme/94647-black-hat-down-what-happened-to-the-most-famous-hackers/2

Attrition.org. (2013, Jan). Legal Threats Against Security Researchers. Retrieved Mar 15, 2013, from attrition.org: http://attrition.org/errata/legal_threats/

Buchanan, E., Aycock, J., Dexter, S., Dittrich, D., & Hvizdak, E. (2011, Jun). Computer Science Security Research and Human Subjects: Emerging Considerations for. Journal of Empirical Research on Human Research Ethics: An International Journal, 6(2), 71-83.

Burstein, A. J. (2008, Apr 14). Conducting Cybersecurity Research Legally and Ethically.
Retrieved Mar 13, 2013, from usenix.org: http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein.pdf Electronic Frontier Foundation. (2013). A "Grey Hat" Guide. Retrieved Mar 5, 2013, from Pages - EFF.org: https://www.eff.org/pages/grey-hat-guide Electronic Frontier Foundation. (2013). Coders’ Rights Project Vulnerability Reporting FAQ. Retrieved Feb 23, 2013, from Issues - Coders - EFF.org: https://www.eff.org/issues/coders/vulnerabilityreporting-faq Felten, E. (2013, Mar 29). The Chilling Effects of the DMCA. Retrieved Apr 3, 2013, from Articles Technology - slate.com: http://www.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_c opyright_law_hurts_security_research.html Fisher, D. (2003, Sep 29). Security Expert Geer Sounds Off on Dismissal . Retrieved Apr 16, 2013, from Security - eweek.com: http://www.eweek.com/c/a/Security/Security-Expert-Geer-Sounds-Offon-Dismissal/ Goodin, D. (2007, Apr 17). ISP ejects whistle-blowing student. Retrieved Mar 22, 2013, from Security The Register UK: http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/ Hafele, D. M. (2004, Feb 23). Three Different Shades of Ethical Hacking: Black, White and Gray. Retrieved 03 22, 2013, from SANS Institute InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/hackers/shades-ethical-hacking-black-whitegray_1390 Hurley, E. (2004, Feb). Cyberspace security liability lawsuits on the rise? Retrieved Mar 10, 2013, from Information Security Laws, Investigations and Ethics - Information Security Magazine: http://searchsecurity.techtarget.com/Cyberspace-security-liability-lawsuits-on-the-rise Kravets, D. (2013, Apr 24). Man Convicted of Hacking Despite Not Hacking. Retrieved Apr 25, 2013, from Threat Level - Wired Magazine: http://www.wired.com/threatlevel/2013/04/man-convicted-ofhacking-despite-no-hacking/ Lemos, R. (2002, Sep 23). New laws make hacking a black-and-white choice. 
Retrieved Mar 25, 2013, from CNET News: http://news.cnet.com/2009-1001_3-958129.html
Lemos, R. (2002, Aug 2). Security pros create resource on flaws. Retrieved Mar 22, 2013, from CNET News - Business Tech: http://news.cnet.com/2100-1001-948127.html
Lemos, R. (2003, Nov 13). GameSpy warns security researcher. Retrieved Mar 13, 2013, from CNET News - Enterprise Security: http://news.cnet.com/2100-7355_3-5107305.html
Lemos, R. (2011, Oct 17). Security suffers when firms sue researchers who report flaws. Retrieved Mar 5, 2013, from Tech Watch - InfoWorld: http://www.infoworld.com/t/web-security/security-suffers-when-firms-sue-researchers-who-report-flaws-176281
Lohmann, F. V. (2010, Feb). Unintended Consequences. Retrieved Mar 6, 2013, from EFF.org: https://www.eff.org/sites/default/files/eff-unintended-consequences-12-years_0.pdf
Loup-Richet, J. (2012, Oct 30). Why Security Research Should Be Protected Speech. Retrieved Mar 5, 2013, from Censorship - Information Systems Research: http://www.information-systems-research.com/blog/2012/10/30/why-security-research-should-be-protected-speech/
Masnick, M. (2005, Jul 28). Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities. Retrieved Apr 4, 2013, from Legal Issues - TechDirt: http://www.techdirt.com/articles/20050728/0259209.shtml
McCullagh, D. (2001, Jul 23). Russian Hacker Arrested. Retrieved Mar 15, 2013, from Cryptome.org: http://cryptome.org/dmitry-bruce.htm
McCullagh, D. (2002, Jul 30). Security warning draws DMCA threat. Retrieved Mar 15, 2013, from CNET News - Digital Media: http://news.cnet.com/2100-1023-947325.html
Menn, J. (2012, Oct 29). Legal fears muffle warnings on cybersecurity threats. Retrieved Mar 13, 2013, from Featured Articles - Computer Security: http://articles.chicagotribune.com/2012-10-29/business/sns-rt-us-cyberwar-infrastructurebre89s1ah-20121029_1_cyber-attacks-cybersecurity-stuxnet
Mills, E. (2008, Jul 9). Dutch chipmaker sues to silence security researchers. Retrieved Apr 5, 2013, from News Blogs - CNET: http://news.cnet.com/8301-10784_3-9985886-7.html
Mills, E. (2011, Aug 01). Journalist faces charges over transit card flaw reports. Retrieved Mar 7, 2013, from News - CNET: http://news.cnet.com/8301-27080_3-20086613-245/journalist-faces-charges-over-transit-card-flaw-reports/?part=rss&subj=news&tag=2547-1_3-020&dlvrit=142337
Moody, G. (2013, Jan 24). Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It. Retrieved Mar 19, 2013, from Abusing the system - TechDirt: http://www.techdirt.com/articles/20130118/10002721726/banking-equipment-vendor-tries-to-censor-security-research-with-dmca-notice-then-backs-down-when-called-out-it.shtml
Ou, G. (2006, Aug 20). Vicious orchestrated assault on MacBook wireless researchers. Retrieved Mar 22, 2013, from Real World IT - zdnet.com: http://www.zdnet.com/blog/ou/vicious-orchestrated-assault-on-macbook-wireless-researchers/300
Ou, G. (2007, Mar 20). How Apple orchestrated web attack on researchers. Retrieved Mar 27, 2013, from Repost from Real World IT - ZDNet: http://www.zdnet.com/blog/ou/how-apple-orchestrated-web-attack-on-researchers/451
Pauli, D. (2011, Oct 14). Security researcher threatened with vulnerability repair bill. Retrieved Mar 5, 2013, from Risk - SC Magazine: http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
Schneier, B. (2001, Nov 15). Full Disclosure. Retrieved Apr 4, 2013, from Crypto-Gram Newsletter - Schneier.com: http://www.schneier.com/crypto-gram-0111.html
Schneier, B. (2002, Jun). Fixing Network Security by Hacking the Business Climate. Retrieved Mar 15, 2013, from UCSC.edu: http://classes.soe.ucsc.edu/cmps122/Spring04/Documents/schneier.pdf
Schneier, B. (2011, May 24). New Siemens SCADA Vulnerabilities Kept Secret. Retrieved Mar 5, 2013, from Schneier on Security - Schneier.com: http://www.schneier.com/blog/archives/2011/05/new_siemens_sca.html
Search Security. (2008, Aug 14). MIT case shows folly of suing security researchers. Retrieved 2013 Feb, 2013, from Security Laws, Investigations and Ethics - Searchsecurity.com.
Silverman, J. (n.d.). 10 Famous Hackers and Hacks. Retrieved Mar 13, 2013, from Communications - Discovery Channel: http://dsc.discovery.com/tv-shows/curiosity/topics/10-famous-hackers-hacks.htm
Stop The Hacker. (2012, Jul 23). The Five Most Famous Good Guy Hackers. Retrieved Mar 22, 2013, from stopthehacker.com: http://www.stopthehacker.com/2012/07/03/five-most-famous-good-guy-hackers/
Stubblefield, A. B., & Wallach, D. S. (2001, July). Dagster: Censorship-Resistant Publishing Without Replication. Retrieved Mar 13, 2013, from cs.rice.edu: http://www.cs.rice.edu/~dwallach/pub/dagster-tr.pdf
University of Exeter. (2012, Nov 12). Attitudes towards security threats uncovered. Retrieved Apr 5, 2013, from News - Phys.org: http://phys.org/news/2012-11-attitudes-threats-uncovered.html
Vijayan, J. (2011, Jan 21). Sony sends 'dangerous' message with PS3 lawsuit, says EFF. Retrieved Mar 5, 2013, from Legal News - Computer World: http://www.computerworld.com/s/article/9205885/Sony_sends_dangerous_message_with_PS3_lawsuit_says_EFF
Wikipedia. (2013, Apr 20). Edward Felten. Retrieved Apr 25, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Edward_Felten
Wikipedia. (2013). Gary McKinnon. Retrieved Apr 3, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Gary_McKinnon
Wikipedia. (2013, Apr 29). United States v. Elcomsoft.
Retrieved Apr 30, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/United_States_v._ElcomSoft_and_Sklyarov

Appendix A

Legal Threats Against Security Researchers: How vendors try to save face by stifling legitimate research

(Note – this table was taken in its entirety from http://attrition.org/errata/legal_threats/ and is intended for use as an overview of trending topics.)

When | Company making threat | Researchers | Research Topic | Resolution/Status | Link
1/20/2013 | Dawson College / Skytech | Ahmed Al-Khabaz | Vulnerabilities in Skytech's Omnivox portals, used by schools | Found vulnerability that exposed 250k student records, brought it to attention of college. Did not try to conceal his identity, did not misuse the information, did not try to profit. Skytech threatened to press charges and send him to jail if he did not sign an NDA. | http://www.nationalpost.com/m/wp/news/canada/blog.html?b=news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data
10/25/2012 | (unknown international utility) | (unknown) | Nuclear power plant vulnerabilities (SCADA) | Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer. | http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061
10/25/2012 | (unknown international utility) | Ralph Langner | Nuclear power plant vulnerabilities (SCADA) | Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer. | http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061
5/28/2012 | E-Soft (UK) | Eric Romang | Video of Metasploit Digital Music Pad SEH overflow exploitation module | E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to the same site once by another individual. The video remains available, and there have been no reported attempts to silence news of the exploit in other manners. | http://attrition.org/errata/legal_threats/e-soft/
1/31/2012 | Smart Grid/Meter Vendor (unspecified) | Don Weber / InGuardians | Smart Grid Meter Security Assessment Tool Release | Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to the vendor until weeks after the ShmooCon CFP. Further, Weber says there were no vulnerabilities being disclosed, suggesting that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client. | https://twitter.com/cutaway/status/165923445698347008
11/22/2011 | Carrier IQ | Trevor Eckhart | Carrier IQ software logs excessive information | Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public. |
10/13/2011 | First State Superannuation | Patrick Webster | Direct Object Reference vulnerability in FSS website | Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat. |
8/1/2011 | Trans Link Systems | Brenno de Winter | OV Transit Payment System Vulnerabilities | Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research. |
4/27/2011 | Magix AG | Acidgen | Buffer overflow in Music Maker 16 software (version 16.0.2.4) | Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource site for security researchers, but try to force researchers not to disclose w/o a patch or fix available, in their terms and conditions. |
3/21/2011 | German telecommunications firm (unspecified) | Thomas Roth | Amazon EC2-based password cracking software | Roth's apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction has since been revoked, Roth published the research. | http://www.darkreading.com/enduser/researcher-overcomes-legal-setback-over/229301362
7/26/2010 | Financial Industry Client (unspecified) | Varun Uppal and Gyan Chawdhary | High-Speed Trading System Hacks | Due to financial pressure (i.e. loss of a client), the talk was pulled and not presented anywhere else. |
7/15/2010 | Taiwanese Government | Wayne Huang, Armorize Technologies Inc. | The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 | Two weeks before the conference, the talk was cancelled due to "pressure from the Taiwanese government." | http://www.eweek.com/c/a/Security/China-Cyber-Army-Talk-Pulled-From-Black-Hat-668887/
7/18/2009 | RSA | Scott Jarkoff | Navy Federal Credit Union Web Site Flaws | SliceHost / TechMiso challenges RSA, RSA backs down | http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/
7/17/2009 | Comerica Bank | Lance James | XSS / Phishing vulnerabilities on Comerica site | C&D sent to Tumblr, information removed but vulnerability still present (2009-07-17) | http://dl.dropboxusercontent.com/u/634884/Letter%20to%20Tumblr%20from%20P.%20Bertrand%207-17-09.PDF
6/6/2009 | Orange.fr | HackersBlog | Multiple Vulnerabilities [1] [2] | Apparent legal threats, details not published. | 404 not found
8/13/2008 | Sequoia Voting Systems | Ed Felten | Voting Machine Audit | Research still not published (2008-10-02) | https://freedom-to-tinker.com/blog/appel/judge-suppresses-report-voting-machine-security/
8/9/2008 | Massachusetts Bay Transit Authority | Zach Anderson, RJ Ryan and Alessandro Chiesa | Electronic Fare Payment (Charlie Card/Charlie Ticket) | Gag order lifted, researchers hired as consultants by MBTA | https://www.eff.org/press/archives/2008/12/22
7/9/2008 | NXP (formerly Philips Semiconductors) | Radboud University Nijmegen | Mifare Classic Card Chip Security | Research published | http://news.cnet.com/8301-10784_3-9985886-7.html
12/6/2007 | Autonomy Corp., PLC | Secunia | KeyView Vulnerability Research | Research published | http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0152.html
7/29/2007 | U.S. Customs | Halvar Flake | Security Training Material | Researcher denied entry into U.S., training cancelled last minute | http://addxorrol.blogspot.com/2007/07/ive-been-denied-entry-to-us-essentially.html
4/17/2007 | BeThere (Be Unlimited) | Sid Karunaratne | Publishing ISP Router Backdoor Information | Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) | http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/
2/27/2007 | HID Global | Chris Paget / IOActive | RFID Security Problems | Talk pulled, research not published | http://www.infoworld.com/d/security-central/lawsuits-patent-claims-silence-black-hat-talk-720
2007-??-?? | TippingPoint Technologies, Inc. | David Maynor / ErrataSec | Reversing TippingPoint rule set to discover vulnerabilities | Bulk of research later published at BlackHat Briefings 07. | https://www.blackhat.com/presentations/bh-usa-07/Maynor_and_Graham/Whitepaper/bh-usa-07-maynor_and_graham-WP.pdf
7/29/2005 | Cisco Systems, Inc. | Mike Lynn / ISS | Cisco router vulnerabilities | Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on | http://www.securityfocus.com/news/11260
3/25/2005 | Sybase, Inc. | Next-Generation Security Software | Sybase Database vulnerabilities | Threat dropped, research published | http://www.securityfocus.com/news/10827
9/30/2003 | Blackboard | Billy Hoffman and Virgil Griffith | Blackboard Transaction System | Blackboard issued C&D to Interz0ne conference, filed complaint against students. Confidential agreement reached between Hoffman, Griffith and Blackboard | http://www.chillingeffects.org/weather.cgi?WeatherID=383
7/30/2002 | Hewlett-Packard Development Company, L.P. (HP) | SNOsoft | Tru64 Unix OS vulnerability | DMCA based threat. Vendor/researcher agree on future timeline, additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after | http://news.cnet.com/2100-1023-947325.html
7/16/2001 | Adobe Systems Incorporated | Dmitry Sklyarov & ElcomSoft | Adobe eBook AEBPR Bypass | Elcomsoft found Not Guilty | http://news.cnet.com/2100-1023-978176.html
2001-??-?? | Tegam International | Guillaume Tena (Guillermito) | Vulnerabilities in Viguard Antivirus | Suspended fine of 5,000 Euros | http://news.cnet.com/France%20puts%20a%20damper%20on%20flaw-hunting/2100-7350_3-5606306.html?tag=techdirt
4/23/2001 | SDMI, RIAA and Verance Corporation | Ed Felten | Four Watermark Protection Schemes Bypass | DMCA based threat. Research published at USENIX 2001 | http://en.wikipedia.org/wiki/Edward_Felten#SDMI_Lawsuits
8/17/2000 | MPAA & DVD CCA | 2600: The Hacker Quarterly | DVD Encryption Breaking Software (DeCSS) | DeCSS ruled 'not a trade secret' | http://www.linuxinsider.com/story/32672.html

The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will come forward with additional information or clarification.

When | Company making threat | Researchers | Research Topic | Resolution/Status | Link
8/1/2008 | Apple Inc. | Charles Edge / 318 | FileVault encryption system weaknesses | NDA between Edge/Apple existed already, Apple called Edge on it. Researcher "rescinded talk" but BH CFP team shows no record of talk being submitted in first place. Attrition Theory: Incident used as press fodder for 318/Edge attention. | http://news.cnet.com/8301-1009_3-10004627-83.html
12/7/2006 | Oracle Corporation | Argeniss | Week of Oracle Bugs (WoOB) | WoOB cancelled, rumors of financial/legal threats | 404 not found

The following incidents are related to the ones above, but "cross the line". They include incidents where it was not "security research", but rather activity that was considered a crime by current laws (at the time). Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of a lawsuit over such activity is frivolous to most, the companies are being prudent because the researcher in question likely did break laws in the process.

When | Company making threat | Researchers | Research Topic | Resolution/Status | Link
8/23/2010 | n/a | Hari Prasad, Netindia | Voting Machine vulnerability research | Prasad arrested, machine given to him was apparently stolen | http://www.wired.com/threatlevel/2010/08/researcher-arrested-in-india
9/12/2008 | Carleton University | Mansour Moufid | Used keylogger to expose student information | Moufid charged with computer crime | http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1
4/28/2006 | University of Southern California | Eric McCarty | Database programming error allows disclosure of student SSN and more | McCarty charged with computer crime | http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70857
8/18/2003 | Secure Development, Inc. | Bret McDanel | Tornado Webmail Session Hijacking discovery | Arrested, tried, convicted and sentenced to 16 months of prison time | http://www.securityfocus.com/columnists/179
3/18/2002 | Harris County District Court | Stefan Puffer | Insecure wireless network discovery | Faces 5 years and $250,000 fine. The jury deliberated for 15 minutes before acquitting Puffer. |

Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats dominates the venue and/or news, but never happened. This table will list such events, to help clarify what happened. As time allows, any case of a security talk being cancelled will be added.

When | Company making request or threat | Researchers | Research Topic | Resolution/Status
10/19/2012 | Huawei / Hewlett-Packard | Kurt Grutzmacher | H3C router vulnerabilities | Grutzmacher coordinated disclosure via US-CERT in August. Days before Toorcon 2012, HP sent a polite request for him to cancel, saying patches were not ready. Grutzmacher cancelled his talk. Two days later, HP released the patch, casting doubt over their intention behind the request.
10/10/2012 | (none) | Pirate Bay founders Peter Sunde and Fredrik Neij | Talk titled "Data is Political" | Neij's lawyer advised his client not to travel to a highly visible public conference centered on hacking. Sunde was reportedly too ill to travel.
7/29/2012 | (unknown) | Sergey Gordeychik / Denis Baranov, Positive Technologies | SCADA vulnerabilities including Siemens | The talk "SCADA Strangelove: How I Learned To Start Worrying And Love The Nuclear Plants" was cancelled a week before the conference and replaced with a different SCADA talk by another person not affiliated with Positive Technologies. No confirmation as to why; speculation is the talk was pulled due to vendor pressure.
1/31/2012 | Smart Grid Meter Vendor (unnamed) | Don Weber / InGuardians | Smart Grid Vulnerabilities | Was asked to pull talk from ShmooCon 2012, complied. Presented later at BSidesLV 2012.
8/16/2011 | (none) | Riley Hassel / Shane Macaulay | Google Android Vulnerabilities | Hassel/Macaulay scheduled to give "Hacking Android for Profit" talk at BlackHat Briefings Las Vegas 2011. Neither presenter showed for their talk. Subsequent articles point out that Google said "The identified bugs are not present in Android", and that the presenters backed out in "fear criminals would use it attack Android phones". In another work, Hassel said "that some of their work may have replicated previously published research, and they wanted to make sure they properly acknowledged that work."
5/18/2011 | Siemens / Department of Homeland Security (DHS) | Dillon Beresford / NSS Labs | SCADA vulnerabilities | TakeDownCon 2011 talk titled "Chain Reactions - Hacking SCADA" was cancelled by Beresford after concerns from Siemens/DHS were expressed. Beresford said "DHS in no way tried to censor the presentation."
7/15/2010 | Taiwanese / Chinese agencies (unnamed) | Wayne Huang, Armorize CTO | Analysis of China's government-backed hacking initiatives | Talk pulled from BlackHat Briefings 2010 in Las Vegas, announced by Caleb Sima, Armorize CEO, on Twitter. An earlier version of the talk was given to a small conference in Taiwan in 2007.
6/29/2010 | ATM Vendors (unnamed) | Raoul Chiesa | ATM Vulnerabilities | Initial reports said that Chiesa was threatened by ATM vendors and forced to cancel last minute. According to Chiesa, no threats were made. The talk was cancelled for "logistical issues that day". Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date.
6/30/2009 | ATM Vendors (unnamed, presumed Triton) | Barnaby Jack / Juniper Networks | ATM Vulnerabilities | BlackHat Briefings Las Vegas 2009 talk cancelled by Juniper after ATM vendor expressed concerns about disclosure before customers were fully protected. Information published at BlackHat 2010.
7/2/2008 | Apple | Unnamed 'Apple Insiders' | Apple Security Response Team | According to Trey Ford, BlackHat general manager, a panel of Apple insiders were to have a panel to discuss "the company's security-response team". When Apple's marketing department heard, the panel was abruptly cancelled.