Slashdot Mirror


Lawsuits Threaten Infosec Research -- Just When We Need it Most (zdnet.com)

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.

51 comments

  1. SLAPP? by Registered+Coward+v2 · · Score: 4, Interesting

    IANAL, but it would seem some of the threats border on using threats of a lawsuit to silence critics. Unfortunately, it takes money to defend yourself, so it may be less painful simply to shut up.

    I wonder if the threat of discovery and fighting to keep it public would stop some lawsuits as it would force companies to reveal potentially damaging information. You want to sue? I'll prove what I said is materially correct by demanding your code, internal memos, etc. related to bugs. I guess we'd need a high powered lawyer who is interested in security to decide to do one pro-bono.

    The other option is to anonymously release bug data as soon as they are discovered to screw over companies that threaten lawsuits. If they don't want to play nice it's time to stand up to them in other ways.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:SLAPP? by jbmartin6 · · Score: 1

      Maybe some precedents linking SLAPP to malicious prosecution, then lawyers would take the case on spec to harvest the settlement.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  2. Smells of CEO Ego by postbigbang · · Score: 2

    Although some CEOs believe any PR is good PR, this will not end well for them. They screwed up. The problem was reported. It was fixed. That was reported. But they go for the throat of the reporter anyway.

    It's pretty ugly karma.

    --
    ---- Teach Peace. It's Cheaper Than War.
  3. wiki leaks? by originalGMC · · Score: 1

    How about wiki-sec? Anon white-hat dumping ground.

    1. Re:wiki leaks? by kelemvor4 · · Score: 1

      How about wiki-sec? Anon white-hat dumping ground.

      There are plenty of anonymous (not Anonymous) dumping grounds. Here's one: https://pastebin.com/

      There are many varied options. You don't make money by publishing articles on pastebin, though.

    2. Re:wiki leaks? by originalGMC · · Score: 1

      okay ... see below... if I make secsleaks.org, what would be a cool "bounty" model? Maybe a kickstarter for leaks? Have a payout scale on the verifiable data, based on the gravitas of the info. Anything to move good info away from fucking blogs.

  4. Blockchain to log multiple eyes on security? by mattr · · Score: 1

    Regarding "If they can make up and fabricate events and have a jury believe them -- well that's going to have a far greater effect than chilling researchers and data breach reporting," I wonder if a blockchain might be useful to allow multiple people including journalistic outfits in different countries to confirm the facts at identifiable points in time. This might weaken the ability of rich, illegal operations to attempt to sue lone security researchers.

    1. Re:Blockchain to log multiple eyes on security? by jd · · Score: 1

      There are easily enough company employees and astroturfers out there to exceed the 50%+1 needed to falsify a blockchain. You'd end up with "hard evidence" which proved that the moon landings were fake, McDonald's provided food, and that the defendants were in league with Satan.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. IANAL but... by Anonymous Coward · · Score: 0

    don't most legal jurisdictions have a defence of truthfulness in defamation cases?

    1. Re:IANAL but... by kelemvor4 · · Score: 1

      don't most legal jurisdictions have a defence of truthfulness in defamation cases?

      Civil cases are notoriously easy to win.

      Not that I'm defending him, but a perfect example is O.J. Simpson. He was found not guilty of doing the crime, yet still had to pay tons of money in civil suits. Our legal system in the US is a real shitshow.

    2. Re:IANAL but... by Khyber · · Score: 1

      Yes, and a fat SLAPP counter-suit against Keeper Security and the other companies involved should go a long way towards stopping their bullshit.

      BTW, Keeper Security's webpage isn't even properly secure and vulnerable to the most basic input fuzzing attacks.

      Pa-fucking-thetic.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  6. More like SLANP by Anonymous Coward · · Score: 0

    Strategic Lawsuit Against Negative Press

  7. SECSLEAKS.ORG by CRB9000 · · Score: 2

    Security Stat Leaks - secsleaks.org should be the name.

    1. Re:SECSLEAKS.ORG by originalGMC · · Score: 1

      Not only clever but funny. As long as we're doing it for the lulz.

  8. What you sow... by jbmartin6 · · Score: 3, Insightful

    Any company that sues researchers in this way should be assumed to be relinquishing any claim to responsible disclosure in the future.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:What you sow... by nehumanuscrede · · Score: 1

      Perhaps some of the folks who don't bother with "responsible disclosure" simply know what we are just now learning about.

      It's easier and cheaper for the Company in question to simply sue, or threaten to sue, any individual who dares to shine a light on a security flaw.
      As a result, why be nice about it?

      If you can't coerce them with a carrot, there is always the stick.

  9. Underestimating Other Programmers by Anonymous Coward · · Score: 0

    They are seriously underestimating the abilities of the unwashed masses. If we could write Linux and Root Kits, we can write AI too.

  10. It's not just CEO ego. by Anonymous Coward · · Score: 0

    There's a lot of "security researcher" ego in play, also. If not in these cases (Of course IHNRTFA), then certainly in plenty others. Quite often ego is exactly the driving force for the pimply s'kiddies to make a big racket about something or other in other people's {computers,networks,software,hardware,etc.}. So I do buy the argument that at least some CEOs, proud and prickly, seek to protect their company('s reputation) from meddling s'kiddies.

    It's one of the many serious flaws in the computer security racket and industry's way of doing business.

  11. Those reporters are n00bz by forkfail · · Score: 2

    Don't they know that the best security is security through obscurity?

    That if the bad guyz don't know about the h@x0rz that they can't hax teh big ironz n cloudz? /reallyBadSnarkOrSomething

    --
    Check your premises.
  12. O.J. Simpson justice by Anonymous Coward · · Score: 3, Interesting

    Not that I'm defending him, but a perfect example is O.J. Simpson. He was found not guilty of doing the crime, yet still had to pay tons of money in civil suits. Our legal system in the US is a real shitshow.

    How bad of a failure was that, really?

    He committed the murder. Then the government blew its credibility and trustworthiness by letting a racist cop try to frame an already-guilty guy, thereby undermining the credibility of all criminal prosecutions, everywhere. So OJ gets off on the criminal charge (i.e. We The People found that punishing the government is more important (much more important) to us than punishing any one particular criminal) but still ends up being somewhat held accountable for the murder (by having to pay lots of money). It's not an ideal situation, but having racist cops isn't an ideal situation either, and you can't blame our legal system for racist cops, can you?

    He didn't lose the civil case because civil cases are too easy to litigate; he lost because it got reasonably proven that he committed the murder. Not proven well enough that we should imprison him, but well enough that we knew for sure that he definitely committed the murder and we could justifiably take some kind of action against him. Nice middle-ground, considering the fuckups by the police. I'd call that a graceful performance degradation.

  13. Data Protection Legislation by Anonymous Coward · · Score: 0

    Europe is in the middle of implementing the General Data Protection Regulation (GDPR), which is exercising CEOs and CIOs greatly at the moment.
    If CEOs find themselves liable for regulatory prosecution it could help to stop them thinking that obscurity is acceptable and redress the legal imbalance, as the effect of the lawsuit would be to attract the regulators' attention.

    So you should be lobbying for this in the US too. Even if you can't get these kinds of regulation in the US - maybe you can just publish in Europe.

  14. The legal system will be bypassed... by chriscokid · · Score: 0

    The end result of this will be that security vulnerabilities will be released anonymously.

    1. Re:The legal system will be bypassed... by Anonymous Coward · · Score: 0

      Or not released - but sold to interested mafia/Russians etc. They don't punish you for discovering, quite the contrary!
      Vendors/manufacturers had their chance, they already blew it. Expect more attacks 'out of the blue' in the future.

  15. Ass clowns for corporate greed by Anonymous Coward · · Score: 0

    Will indeed be the end of all of us.

  16. I just read the complaint by Anonymous Coward · · Score: 0

    And it seems Keeper has a possible claim.

    I hope Ars Technica/Conde Nast has a good explanation, otherwise, they might be paying up for their click bait. Hiding the relevant details behind squishy writing is not going to be a winning strategy.

    Slashdotters do need to try to understand that reporting does need to be accurate. Ars does not appear to be sued just because they reported on a security vulnerability.

  17. You have a choice by Anonymous Coward · · Score: 0

    If you find a 0-day, you have a choice. Responsible disclosure and maybe get paid or maybe risk getting sued or sell the 0-day on the black-market and make some money for sure. Tough choice. I guess you could just make it public, but that would be a bad business decision - no monies in it at all.

  18. Goodin's case isn't "a threat to infosec research" by SlaveToTheGrind · · Score: 2

    If Keeper wins this, they'll win because of misstatements/overstatements in Goodin's initial article that he significantly walked back multiple times, as laid out in Keeper's complaint. The research prompting Goodin's and other similar articles was not the issue.

  19. AI Experts Say Some Advances Should Be Kept Secret by thinkwaitfast · · Score: 1

    Adjacent /. story

  20. Re:Targeting elections? by Anonymous Coward · · Score: 0

    Classic! If you're not a fan of Trump, then you must be/have been a Hillary supporter.

    Newsflash. They should be sharing a jail cell.

  21. CNN = Conde Nast Network (ars owners)? by Anonymous Coward · · Score: 0

    See subject: Could be - BOTH do "FAKE NEWS", lol & GET CAUGHT for it (priceless & classic)!

    APK

    P.S.=> Especially considering they tried "downmod hiding" me posting what I did 2x already https://it.slashdot.org/comments.pl?sid=11776235&cid=56164223/ & also https://it.slashdot.org/comments.pl?sid=11776235&cid=56165053/ (it's all weasels of "their kind" can do, lie/cheat/steal & they're KNOWN thru history for it)... apk

  22. Fuck these companies by Anonymous Coward · · Score: 0

    Unless the company has a legitimate bug bounty program I say just post whatever bugs you find online anonymously and let the script kiddies force the companies to clean up their act.

  23. Re:There's 2 kinds of people in the world... apk by Anonymous Coward · · Score: 0

    Too bad you are too fucking dumb to know how to do security either. Maybe you should be working at one of those companies. You can blather on about a single dumb topic for years and say all sorts of bogus things. It seems you are eminently qualified to work at such places, but not to provide security advice. If you replaced all the names of people you criticized with APK those statements would still be true.

  24. There's 2 kinds of people in the world... apk by Anonymous Coward · · Score: 0

    Article source quotes show how STUPID arseholetechnica is w/ SOLID PROOF:

    "Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy...The bug has since been fixed, according to Ormandy's follow-up note" FROM http://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

    RoTfLmAo!

    * PROOF'S RIGHT THERE IN BLACK & WHITE he did indeed LIBEL them with FALSE INFORMATION on a BUG that was LONG FIXED by time he put out his bullshit 'article'!

    CNN = Conde Nast Network (ars owners)?

    Must be - BOTH do "FAKE NEWS", lol!

    (Note scumbag Ken Fisher of arseholetechnica won't COMMENT either (he knows he's fucked)).

    Dan Goodin != security researcher - he's from ARSEHOLETECHNICA (home of underachiever wannabes).

    FACT: He's nothing more than a HACK that spits back what others actually DO do in security, & nothing more (hence his blunder posting about a bug LONG FIXED by the time of his 'article' (derivative drivel))!

    Goodin & arstechnica = mere SPECTATORS - f'ing up big posting FALSEHOODS a bug exists when it was patched LONG beforehand!

    Lastly RoTfLmAo: Arstechnica tried HIDING I posted these facts 2x now when I posted them before https://it.slashdot.org/comments.pl?sid=11776235&cid=56164223/ & https://it.slashdot.org/comments.pl?sid=11776235&cid=56165053/

    APK

    P.S.=> See subject: ...those who ACTUALLY DO & those who merely WRITE ABOUT THOSE THAT DO do REAL SECURITY (arstechnica != the latter)... apk

  26. /.ers disagree w/ you unidentifiable ac troll by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell February 16 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Good reviews of MY security program = better than CNN Conde NastY (Same ARSTECHNICA "Fake News"?)!

    APK

    P.S.=> You WISH you were me, loser (especially after blowing 15 downmodpoints on my posts, lol - talk proof of your guilt ArsHoleTECHNICA)... apk

  29. Arstechnica is making shitty reporting look good by Anonymous Coward · · Score: 0

    The problem I noticed from an Arstechnica story about the recent FCC attack on free software in wireless routers was they quoted people who had NOTHING to do with the issue. They basically just bought into the FCC's story. The article sounded well written and made it sound like idiots were bitching about something they didn't understand when it was actually the other way around. Because they had people from different organizations related to wifi quoted, it made it sound like they had done their homework. Having been involved, however, I actually knew who they needed to quote and who understood the issues. Public advocacy organizations with legal know-how but zero technical knowledge aren't going to be good people to quote, but most people wouldn't have known this. WTF was going on, what the argument even was by the people against the rule changes, or why it was going to hurt everybody were completely ignored. They only backed off ever so slightly when they realized how badly they got it wrong in follow-up articles.

    I should point out the people who *actually* knew what was going on were the engineers designing and authoring the drivers and firmwares for the wifi chipsets. But that's not who Arstechnica was quoting, and they NEVER even reached out to the organization that was set up to counter the FCC. Today we have NO 100% free software routers based on newer chipsets, and the underlying tech has been hindered because developers can't improve the code or add code for things like mesh networking, because the community is now being deprived of access to the code for newer wifi firmwares and much of the driver code has been moved into the firmware. Newer Atheros chipsets suck because of this, and it's why most Linux users are still buying 802.11n hardware over the shitty newer 802.11ac stuff. The leading supplier of Linux hardware doesn't even sell anything newer than 802.11n because of this problem.

  31. There's 2 kinds of people in the world... apk by Anonymous Coward · · Score: 0

    Article source quotes show how STUPID arseholetechnica is w/ SOLID PROOF:

    "Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy...The bug has since been fixed, according to Ormandy's follow-up note" FROM http://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

    RoTfLmAo!

    * PROOF'S RIGHT THERE IN BLACK & WHITE he did indeed LIBEL them with FALSE INFORMATION on a BUG that was LONG FIXED by time he put out his bullshit 'article'!

    CNN = Conde Nast Network (ars owners)?

    Must be - BOTH do "FAKE NEWS", lol!

    (Note scumbag Ken Fisher of arseholetechnica won't COMMENT either (he knows he's fucked)).

    Dan Goodin != security researcher - he's from ARSEHOLETECHNICA (home of underachiever wannabes).

    FACT: He's nothing more than a HACK that spits back what others actually DO do in security, & nothing more (hence his blunder posting about a bug LONG FIXED by the time of his 'article' (derivative drivel))!

    Goodin & arstechnica = mere SPECTATORS - f'ing up big posting FALSEHOODS a bug exists when it was patched LONG beforehand!

    Lastly RoTfLmAo: Arstechnica tried HIDING I posted these facts 7x now when I posted them before (2 samples) https://it.slashdot.org/comments.pl?sid=11776235&cid=56164223/ & https://it.slashdot.org/comments.pl?sid=11776235&cid=56165053/

    APK

    P.S.=> See subject: ...those who ACTUALLY DO & those who merely WRITE ABOUT THOSE THAT DO do REAL SECURITY (arstechnica != the latter)... apk