Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity?
Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
Depends.
If they have the knowledge, resources and time to recognise the baseless claim and defend it in court then do as they please.
If they don't they could simply try releasing their information anonymously.
... I would put that vulnerability on sale in the hxkerspace instead
we get it.
Nobody threatened anybody. There was no saber rattling.
Whoever posted this article is a moron.
My next "response" would be directly to Wikileaks...anonymously...
So, instead of a minor blip of a story that some piece of gear has a vulnerability, that then gets patched and largely ignored amid the chorus of other similar stories, you've now elevated the tale of your gear's vulnerability to the front page of various tech sites, not because it's a vulnerability, but because you threatened legal action to prevent disclosure of the vulnerability.
That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.
and sell it to the highest bidder.
1. I send you a letter saying I'm going to release security vulnerabilities about your house to your neighborhood residents and the internet in general.
2. You send me a letter asking for time to fix your house's security problems, since, naturally, as a so-called "researcher" that's of equivalent interest with respect to correcting future known-bad designs. You note that telling people in the neighborhood how to break into your house might have legal implications.
3. I say "fuck you, wrong law, noob" and publish.
Pardon me if I don't expect cheers and adulation.
How is a bitcoin exchange supposedly spying on someone related to a vulnerability disclosure for a digital lock?!
They have lawyers that are willing to effectively anonymize or otherwise proxy the communication to the vendor.
Also donate.
Probably about the same as James Bailey did in response to Dale Cox on behalf of the Cleveland Browns:
http://www.lettersofnote.com/2...
Now everyone knows their locks are shit and easily hackable.
>IOActive's reverse engineering process required the use of skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public.
Since when have the bad guys limited themselves to what was available to the general public? Or even limited themselves to what one person could do?
I take it that the Cyberlock is effective, only when the attack is carried out by somebody like my next door neighbor. He is a very nice person, but due to Alzheimer's, people in the neighborhood do have to occasionally walk him home.
Wind Beneath Thy Wings
This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.
Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.
This is not really the problem. These locks cannot be upgraded over the network; there is no Tuesday patch day for them. It is not feasible to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.
You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.
No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.
These Lawyers would be hard pressed in any case to prove malicious intent, given that the disclosure was made and was ignored.
As a lot of posts here have commented on, the root of the problem is abuse of the legal system for monetary profit and to strong-arm people into accepting the whims of "Idiots with money," or IWM in this case. The pervasive view is that the purpose of the legal system is to use the law to do anything but enforce the law, uphold fair play in the society given these laws, and ensure that those who are harmed or have provable and quantifiable "damages" from the actions of others who did so to them with negligence and malicious or self-serving intent are compensated.
So many seem to have this erroneous view that the legal system is there for them to extort money or get revenge against someone who they have no other way to manipulate their actions or enforce authority upon them which they do not possess. It is not a lottery, it is a mechanism to ensure that people in society do not resort to anarchy when handling conflicts, not a business model for extorting profit when negotiations, situations or business models go south.
The security expert here notified them that they had a security vulnerability and they ignored him and then tried to sue him for it. It is clear that they had no damages and that they are trying to use the system to throw their weight around with money and profit from it when the problem was caused by them and they did nothing to right the ship. If I were the judge in this case, I would refuse to hear it, and order them out of court (the business) to make sure that in the future if they are going to try to sue the little guy that is trying to help them, they will be liable for wrongful prosecution. This precedent needs to be set in society.
So, how many thousands of copies of this report are now out in the wild because the lawyers of Cyberlock were dumb enough to not react intelligently to someone saying "Hey, you guys have problems" to them? And how many people in possession of those copies are willing to "creatively" spread them around in case Cyberlock does anything truly stupid?
And is it just me, or is it a little apropos that the Captcha for this post is "distorts," as in "Cyberlock's lawyers have a distorted opinion of their intelligence" or similar?
Now there are headlines about how shit Cyberlock products are, instead of a single blog post.
Parent is correct - disclosure is only responsible when something can be done to fix the vulnerability. If nothing can be done, find some other way to disclose.
Submit to the company[1] with details[2], a deadline[3] for publication, and a notice that threats of any sort result in immediate public disclosure.
Then follow up as described.
This combination of telling exactly what you will do then doing exactly that, telling them what you did as you do it, is pretty powerful should it ever come to court. Of course you record all steps taken. You could and probably should take hashes of the notices sent and publish those immediately; a gpg-signed pastebin post will do. But showing you did inform them of your actions and then did exactly what you said you'd do is the key here.
[1] I'd do so pseudonymously to make responding with a lawsuit less attractive.
[2] And, unless they have publicly offered such a thing, not ask for any money or reward, doofus!
[3] Probably something like 30 days extendable with another 30 days exactly once IFF they ask nicely.
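The record-keeping step above (hash each notice the moment it is sent, publish the hash immediately, reveal the full text later) is a plain hash commitment. The following is an added example, not code from the original post or from anyone in the thread, showing the commit-and-reveal part in Python with only the standard library; the GPG signature the poster suggests is left to gpg itself and is not reproduced here. The vendor name, dates and notice text are constructed for the illustration.

```python
import hashlib
import hmac
import json

def canonical(notice: str) -> bytes:
    """Normalise line endings and trailing whitespace so the text you
    re-publish later hashes identically to the text you sent, even if
    a mail client rewrote CRLF/LF along the way."""
    lines = [ln.rstrip() for ln in notice.replace("\r\n", "\n").split("\n")]
    return ("\n".join(lines).rstrip("\n") + "\n").encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_commitment(notice: str, vendor: str, sent_on: str, deadline_days: int) -> dict:
    """The record to publish right away (e.g. in a signed pastebin post):
    it fixes what was sent and when, without revealing the content."""
    return {
        "vendor": vendor,
        "sent_on": sent_on,
        "deadline_days": deadline_days,
        "sha256": sha256_hex(canonical(notice)),
    }

def commitment_text(commitment: dict) -> str:
    """Stable, sorted JSON: this is the exact string to sign and post."""
    return json.dumps(commitment, sort_keys=True, separators=(",", ":"))

def verify_disclosure(commitment: dict, revealed_notice: str) -> bool:
    """Anyone can later check that the revealed notice is the one that
    was committed to on sent_on. Constant-time compare is habit, not a
    security requirement here (the digest is public)."""
    return hmac.compare_digest(commitment["sha256"], sha256_hex(canonical(revealed_notice)))

# Constructed sample notice (hypothetical vendor and dates).
SAMPLE_NOTICE = (
    "To: security contact, Example Lock Co.\r\n"
    "Sent: 2015-04-01\r\n"
    "\r\n"
    "We have identified weaknesses in the firmware code protection and\r\n"
    "key handling of your electronic cylinder. Full details are attached.\r\n"
    "We intend to publish an advisory 30 days from the date above,\r\n"
    "extendable once by 30 days on request. Any legal threat results in\r\n"
    "immediate public disclosure.\r\n"
)

def demo() -> tuple:
    """Commit, then show both a correct reveal and a tampered one."""
    c = make_commitment(SAMPLE_NOTICE, "Example Lock Co.", "2015-04-01", 30)
    honest = verify_disclosure(c, SAMPLE_NOTICE.replace("\r\n", "\n"))  # LF copy still matches
    tampered = verify_disclosure(c, SAMPLE_NOTICE.replace("30 days", "7 days"))
    return c, honest, tampered

if __name__ == "__main__":
    commitment, ok, bad = demo()
    print(commitment_text(commitment))
    print("honest reveal verifies:", ok)
    print("tampered reveal verifies:", bad)
```

Publish `commitment_text(...)` (signed with gpg --clearsign if you want authorship bound to it) on the day the notice goes out; when you later disclose, anyone can run `verify_disclosure` against the published record and the revealed text. The canonicalisation matters: without it, a CRLF/LF difference introduced by a mail client would make your own notice fail to verify.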
In this case, something can be done: the company can stop selling the lock as "secure" (or "a lock"), and then put out a new one that is actually secure. Maybe do a product recall so people know about it.
What did they do instead? Start threatening the guy who told them about the vulnerabilities. When a company does that, the only responsible thing to do is to publish, because you know the company won't ever fix the problems otherwise.
(I do think 30 days is a bit on the short side... but I don't think giving them longer would've changed anything. They clearly had no intention of fixing anything so long as their customers remained in the dark.)
> In this case, something can be done: the company can stop selling the lock as "secure" (or "a lock"), and then put out a new one that is actually secure. Maybe do a product recall so people know about it.
You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher". How are they supposed to know if the exploit is real or not if the "researcher" in question refuses to disclose the PoC to their lawyer. I'm pretty certain that a single phone call resolved the "are you working on their behalf" question. At that point (verification) he should have simply given the vendor the PoC and a few more days before putting people at risk.
> What did they do instead? Start threatening the guy who told them about the vulnerabilities.
(How do you know they weren't going to contact their customers after the PoC was verified? You have a time machine?)
Anyway I dunno about the "threat" - I read that letter from them that he published; I don't get any impression of threats, implicit or otherwise. I read the summary. He gave them 30 days to respond to him. They took 29 days. Now he feels that they took too long to get back to him... what a crybaby.
The problem here is not the vendor (yet). This is a physical item that may or may not need to be recalled. That is the problem. That, and the fact that reading the "researcher's" (I hate using this word to describe this guy) story from the link in TFS shows quite clearly that he's handling this in an irresponsible manner. Go ahead, click the link and read what he has to say - "Hey personally /i/ love the drama on this kind of stuff.. ".
Amazing how little has changed... you'd think with improved communication and mobility (of goods and people), attitudes would have shifted in favor of disclosure.
But something can be done to fix the vulnerability - stop using Cyberlock locks. A disclosure of the problem is the most responsible thing that can be done for the CONSUMERS. The Cyberlock is not the potential victim of any exploits here.
What if the company sends your report to /dev/null ? If this guy figured it out, so can someone who is less concerned with ethics.
If you don't disclose, every user is vulnerable and doesn't know it, so can't take steps to protect themselves. This has happened multiple times before with locks. First lock bumping, and people getting screwed by insurance companies saying they must have left the door unlocked, or investigated by the police for fraud. Then with electronic hotel room locks that led to a spate of thefts, again with the hotel owners and insurance companies denying it. To be fair, the hotel owners didn't know either.
I'd say even 30 days is too long. Nothing can be done, so it's not like they need time to prepare a patch. Maybe 3 working days tops, enough time to confirm the problem and produce a plan to assist customers, and put a press release on their web site. If they don't want to do that then you don't want to be complicit in their cover-up.
> disclosure is only responsible when something can be done to fix the vulnerability. If nothing can be done, find some other way to disclose.

> If you don't disclose, every user is vulnerable and doesn't know it, so can't take steps to protect themselves.
I never proposed non-disclosure, so I'm not sure why you're replying to me.
> disclosure is only responsible when something can be done to fix the vulnerability. If nothing can be done, find some other way to disclose.
The 80s called. They want their debate between hackers and locksmiths back.
"When something can be done" == modulated by the convenience of the organized and powerful. That means everyone except the customer.
You're arguing (albeit wrongly, since without considering the customer) from a controlling nanny-state view that anything which is not good for the world (by populist judgement) should be punished arbitrarily through governance. That's incorrect. phar can do what he likes, good for the world or not, and so can Cyberlock. If there are rules to playing the Freedom Game, they must be disclosed in advance, not made up after the fact by busybodies. Appeal to the state, the court, the King, whatever, is insane here. Nobody stole anyone's goat. Cyberlock's response should be limited to making better locks or repairing the ones they already sold. If governance should intervene on anyone's behalf, it's phar's, ex. through California's SLAPP law since they're trying to achieve prior restraint on speech by strategic legal harassment which is exactly what SLAPP was billed as fighting.
Also. . . "find some other way to disclose [than disclosure]"? I'm being trolled, right?
> You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher". How are they supposed to know if the exploit is real or not if the "researcher" in question refuses to disclose the PoC to their lawyer. I'm pretty certain that a single phone call resolved the "are you working on their behalf" question. At that point (verification) he should have simply given the vendor the PoC and a few more days before putting people at risk.
Had the vendor shown any actual interest in addressing the issue rather than burying it, they probably could have gotten an extension. Instead, they chose to squash any inclination to good will by prattling on with vague DMCA threats.
If the nature of the attack isn't released in detail, how does anyone learn from the mistake? As for the details, what good does it do to tell the lawyers? Might as well tell the mailroom guy. If they were serious about learning from their mistake, they would want him to discuss it with an engineer. Perhaps if the disclosure is public, one of the engineers might hear about it in a coherent enough form to actually fix something.
They made specific claims about their security product that have been determined to be untrue, what's your solution? Let them keep selling weak security to high security facilities?
> You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher".
No, they weren't. If an engineer from the company had made contact, the researcher would have been happy to discuss the technical details. Instead they sent a lawyer.
What is the point of discussing technical details with a lawyer?
> Anyway I dunno about the "threat" - I read that letter from them that he published; I don't get any impression of threats, implicit or otherwise.
The fact that they got their lawyer rather than an engineer to contact him is in itself an implicit threat.
> It is not feasible to replace all locks from all customers within 30 days.
Who said anything about replacing them? The company needs to have a program, together with their distributors/sales network, of updating the firmware on such devices. If they don't, they've already lost, and their customers are crazy for buying such devices.
Well, I don't have one of these devices or the manual, but when I started my first comment my assumption was that these were entirely stand alone devices. They look just like padlocks. Apparently the keys can be updated, where all the logic is, but they're not always connected to the internet. Thus the company still has to notify all customers, the customers have to get new keys (though anyone using such a secure type of lock is used to key management), and so forth.
Plus of course, that 30 days includes time to fix the problems. That's a very short time to evaluate the problems, come up with solutions, test the solutions thoroughly, and roll them out. Though I presume after a couple weeks when the complete stranger's report of flaws is verified that they can move into panic mode and speed it up. If the flaws are as bad as the blogger is alleging then it sounds like redesign is needed rather than quick and dirty hacks.
I've had a bug where a regulatory officer was sitting in my cube and describing how urgent the bug was. Just being in that sort of situation slows you down, you spend extra time testing, you spend half the day in meetings, you get extra code reviews, documents get filed, etc.