Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

Posted by Soulskill on from the what-year-is-this dept.

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

7 of 87 comments (clear)

  1. Streisand Effect by Fire_Wraith · · Score: 5, Insightful

    So, instead of a minor blip of a story that some piece of gear has a vulnerability, that then gets patched and largely ignored amid the chorus of other similar stories, you've now elevated the tale of your gear's vulnerability to the front page of various tech sites, not because it's a vulnerability, but because you threatened legal action to prevent disclosure of the vulnerability.

    That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.

    1. Re:Streisand Effect by rtb61 · · Score: 4, Insightful

      Never forget lawyers. Lawyers first advice, you need us to advise you, so that you can pay us for each and every phone call, for each and every letter read and response written, for each and every email read and response written and, for researching your problem (you pay them to learn how to solve the problems they create for you). The problem here is reaching for the lawyers, the advice they give you and that you pay for, usually will be to pay them more and they will wrap that up in some sell able story. Once you reach for the lawyers, you have already lost. So they did not shoot themselves in the foot, their lawyers tricked them into paying the lawyers to shoot them in both feet.

      --
      Chaos - everything, everywhere, everywhen
  2. Re:"Related"??? by monkeyzoo · · Score: 5, Funny

    Because they both use electricity.

  3. Re:Wah, "threatened" by Fallen+Kell · · Score: 4, Informative

    1. I send you a letter saying I'm going to release security vulnerabilities about your house to your neighborhood residents and the internet in general in 30 days.

    2. On day 29 with no previous contact or attempted contact, you send me a letter asking for time to fix your house's security problems, since, naturally, as a so-called "researcher" that's of equivalent interest with respect correcting future known-bad designs. You note that telling people in the neighborhood how to break into your house might have legal implications.

    3. I say "fuck you, wrong law, noob" and publish because you obviously had plenty of time to contact me to discuss before and chose to not do so and instead decided best to threaten me on day 29 hoping to stall and did a poor job of threatening using laws that have nothing to do with the matter at hand trying to make your position look strong and scary when all you had to do was contact me earlier than the 29th day asking for more information on the vulnerabilities, and/or offer to hire my services as a consultant to help fix the issues your security product obviously has in place.

    Fixed that for you...

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  4. Unintentional disclosure by hyades1 · · Score: 5, Insightful

    This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.

    Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  5. Re:Deny them the pleasure of security by obscurity by Darinbob · · Score: 4, Informative

    This is not really the problem. These locks can not be upgraded over the network, there is no Tuesday patch day for them. It is not feasable to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.

    You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.

    No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.

  6. Evven in 1850 by lskovlund · · Score: 5, Interesting
    Locksmiths were having this discussion at least as early as the mid-19th century.

    "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties." -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

    Amazing how little has changed... you'd think with improved communication and mobility (of goods and people), attitutes would have shifted in favor of disclosure.