Slashdot Mirror


Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

5 of 87 comments

  1. Streisand Effect by Fire_Wraith · Score: 5, Insightful

    So, instead of a minor blip of a story that some piece of gear has a vulnerability, that then gets patched and largely ignored amid the chorus of other similar stories, you've now elevated the tale of your gear's vulnerability to the front page of various tech sites, not because it's a vulnerability, but because you threatened legal action to prevent disclosure of the vulnerability.

    That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.

    1. Re:Streisand Effect by rtb61 · Score: 4, Insightful

      Never forget lawyers. Lawyers' first advice: you need us to advise you, so that you can pay us for each and every phone call, for each and every letter read and response written, for each and every email read and response written and, for researching your problem (you pay them to learn how to solve the problems they create for you). The problem here is reaching for the lawyers; the advice they give you, and that you pay for, usually will be to pay them more, and they will wrap that up in some sellable story. Once you reach for the lawyers, you have already lost. So they did not shoot themselves in the foot; their lawyers tricked them into paying the lawyers to shoot them in both feet.

      --
      Chaos - everything, everywhere, everywhen
  2. Unintentional disclosure by hyades1 · Score: 5, Insightful

    This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.

    Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  3. Re:What a breathless load of nonsense. by harryjohnston · Score: 3, Insightful

    It wasn't a dreadfully threatening letter, no, but the mere fact that they called in their lawyer rather than getting one of their engineers to contact him is both bizarre and disturbing.

    The lawyer claims to have wanted to discuss the technical details of the vulnerability. It doesn't seem likely that that would be a productive conversation.

  4. Re:How many thousands of copies are there now? by Bert64 · Score: 3, Insightful

    Lawyers don't care if they lose the case or not, they just care that they get paid which happens either way. As with most legal actions, both sides lose and only the lawyers benefit in any way.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!