Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lawsuits Threaten Infosec Research -- Just When We Need it Most (zdnet.com)

Posted by msmash on from the where-things-are-going dept.

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.

7 of 51 comments (clear)

  1. SLAPP? by Registered+Coward+v2 · · Score: 4, Interesting

    IANAL, but i would seem some of the threats border on using threats of a lawsuit to silence critics. Unfortunately, it takes money to defend yourself so it may be less painful simply to shut up.

    I wonder if the threat of discovery and fighting to keep it public would stop some lawsuits as it would force companies to reveal potentially damaging information. You want to sue? I'll prove what I said is materially correct by demanding your code, internal memos, etc. related to bugs. I guess we'd need a high powered lawyer who is interested in security to decide to do one pro-bono.

    The other option is to anonymously release bug data as soon as they are discovered to screw over companies that threaten lawsuits. If they don't want to play nice it's time to stand up to them in other ways.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  2. Smells of CEO Ego by postbigbang · · Score: 2

    Although some CEOs believe any PR is good PR, this will not end well for them. The screwed up. The problem was reported. It was fixed. That was reported. But they go for the throat of the reporter anyway.

    It's pretty ugly karma.

    --
    ---- Teach Peace. It's Cheaper Than War.
  3. SECSLEAKS.ORG by CRB9000 · · Score: 2

    Security Stat Leaks - secsleaks.org should be the name.

  4. What you sow... by jbmartin6 · · Score: 3, Insightful

    Any company that sues researchers in this way should be assumed to be relinquishing any claim to responsible disclosure in the future.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Those reporters are n00bz by forkfail · · Score: 2

    Don't they know that the best security is security through obscurity?

    That if the bad guyz don't know about the h@x0rz that they can't hax teh big ironz n cloudz? /reallyBadSnarkOrSomething

    --
    Check your premises.
  6. O.J. Simpson justice by Anonymous Coward · · Score: 3, Interesting

    Not that I'm defending him, but a perfect example is O.J. Simpson. He was found not guilty of doing the crime, yet still had to pay tons of money in civil suits. Our legal system in the us is a real shitshow.

    How bad of a failure was that, really?

    He committed the murder. Then the government blew its credibility and trustworthiness by letting a racist cop try to frame an already-guilty guy, thereby undermining the credibility of all criminal prosecutions, everywhere. So OJ gets off on the criminal charge (i.e. We The People found that punishing the government is more important (much more important) to us than punishing any one particular criminal) but stills ends up being somewhat held accountable for the murder (by having to pay lots of money). It's not an ideal situation, but having racist cops isn't an ideal situation either, and you can't blame our legal system for racist cops, can you?

    He didn't lose the civil case because civil cases are too easy to litigate; he lost because it got reasonably proven that he committed the murder. Not proven well enough that we should imprison him, but well enough that we knew for sure that he definitely committed the murder and we could justifiably take some kind of action against him. Nice middle-ground, considering the fuckups by the police. I'd call that a graceful performance degradation.

  7. Goodin's case isn't "a threat to infosec research" by SlaveToTheGrind · · Score: 2

    If Keeper wins this, they'll win because of misstatements/overstatements in Goodin's initial article that he significantly walked back multiple times, as laid out in Keeper's complaint. The research prompting Goodin's and other similar articles was not the issue.