Slashdot Mirror


Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

2 of 87 comments

  1. Re:Contact the EFF by Bert64 · Score: 3, Interesting

    He's actually helping their customers, because their customers have bought a flawed product that isn't fit for purpose. By disclosing the vulnerabilities, these customers are now aware and can demand a fix or switch to an alternative product.

    If they sweep these vulnerabilities under the rug, that doesn't mean they go away or that no one knows about them; it just means that the customers don't know about them. Others with more nefarious goals may still be aware of the issues and decide to exploit them, an attack that will be completely unexpected because the customers have false faith in the product. In fact, false faith in a security product often leads victims of exploitation to blame something else (often the staff) when a breach happens, because they refuse to accept that their expensive security product is flawed.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  2. Even in 1850 by lskovlund · Score: 5, Interesting

    Locksmiths were having this discussion at least as early as the mid-19th century.

    "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties." -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

    Amazing how little has changed... you'd think that with improved communication and mobility (of goods and people), attitudes would have shifted in favor of disclosure.