Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

Streisand Effect

[Fire_Wraith]

So, instead of a minor blip of a story that some piece of gear has a vulnerability, that then gets patched and largely ignored amid the chorus of other similar stories, you've now elevated the tale of your gear's vulnerability to the front page of various tech sites, not because it's a vulnerability, but because you threatened legal action to prevent disclosure of the vulnerability.

That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.

Re:"Related"???

[monkeyzoo]

Because they both use electricity.

Unintentional disclosure

[hyades1]

This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.

Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.

Evven in 1850

[lskovlund]

Locksmiths were having this discussion at least as early as the mid-19th century.

"A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties." -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

Amazing how little has changed... you'd think with improved communication and mobility (of goods and people), attitutes would have shifted in favor of disclosure.