Running head: Pressure (not) to Publish
Pressure (not) to Publish:
Discussing the Publication of Cyber Security Research
Karen Farthing
CSC540, Spring 2013
Murray State University
Abstract
Cyber security researchers are increasingly facing a daunting dilemma: to publish or not to
publish? The ethical argument can be approached from two different perspectives. The first
school of thought posits that any exploits discovered should be published, so that systems
administrators are aware of the ever evolving threat. The second school of thought is espoused
largely by business and government, and posits that new exploits should not be published,
because it leaves systems vulnerable to attack. It’s a David and Goliath struggle, leaving
researchers in the unenviable position of having to choose the hard right over the easy wrong.
Legislation has been unable to keep pace with a rapidly changing technological landscape,
leaving the line between legal and criminal behavior open to debate. So where does that leave the
researcher? No man’s land.
Pressure (not) to Publish: Discussing the Publication of Cyber Security Research
Introduction
Cyber security researchers face an increasingly difficult battle when attempting to publish
or present their work. Publishing security vulnerabilities is risky. Researchers must take care not
to publish too much; for example, if a researcher publishes too much functional code, the
vulnerability discussed could be exploited before patches can be applied. There are also no
whistleblower protections in place for researchers. They face legal threats from businesses and
governments, and fall victim to smear campaigns when companies don’t have a legal leg to stand
on (Attrition.org, 2013). In the following pages, this paper will discuss legal and other barriers to
publication; case histories that describe white hats, grey hats, black hats, and innovators;
identification of factors that contribute to the issue; and identification of steps that might
alleviate the problem.
Barriers to Publication
There are many legal vehicles that contribute to the limitations placed upon researchers
who want to publish vulnerability reporting. Likewise, businesses and governments sometimes
resort to less than legal means aimed at discouraging researchers from publishing information
about security vulnerabilities.
Legal Barriers
Copyright Law is intended to protect a creator from unauthorized reproduction of his work.
This applies to software, as well as music, video, and a number of other works. Security
researchers must often make copies of software in order to find bugs or exploits, and this can
violate copyright law (Electronic Frontier Foundation, 2013).
Trade Secret Law is intended to protect the proprietary works of businesses engaged in
maintaining an edge over their competition. According to the Coder’s Rights Project FAQ from
the Electronic Frontier Foundation, “…misappropriation of trade secrets can be both a civil and
criminal offense. Generally, a trade secret is information that (1) derives independent economic
value, actual or potential, from not being generally known to the public or to other persons who
can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are
reasonable under the circumstances to maintain its secrecy. Misappropriation means a wrongful
acquisition, use, or disclosure of a trade secret” (Electronic Frontier Foundation, 2013). Reverse
engineering of software or hardware can be treated as a violation of trade secret law.
Companies often try to claim that security vulnerabilities fall under trade secret law, because if
knowledge about a vulnerability were to be made public, it could cause a deleterious effect upon
their competitive advantage or adversely affect the value of their holdings.
Patent Law ostensibly grants the creator of a work or invention sole use of the
aforementioned for a limited period of time. It is intended to prevent the infringement of other
parties upon their intellectual property, during the period of time that said property has the most
earning potential. Researchers can run afoul of patent law if they create a hardware hack that
behaves or operates too similarly to another product currently under patent – regardless of how
the researcher created the hack.
The Digital Millennium Copyright Act (DMCA) is the juggernaut that all security
researchers must face. Any security researcher venturing into the arenas of Digital Rights
Management (DRM) or technological protection measures must tread very, very carefully. Even
when caution is exercised, researchers will most likely violate the DMCA at some point. The
terms of the DMCA are broad and open to interpretation at every turn. Congress did, however,
provide three limited circumstances under which security researchers can conduct reverse
engineering, encryption research, and security research. Distribution of code or tools that
circumvent the provisions of the DMCA can only occur in limited circumstances and must be
under the supervision of and with permission from the entity that stands to be injured as a result
of said research. The DMCA has had an impact on the worldwide cryptography research
community, since an argument can be made that any cryptanalytic research violates, or might
violate, the DMCA. Additionally, critics argue that the DMCA stifles free expression (see case
histories of Felten and Sklyarov), jeopardizes fair use for owners of various media, impedes
competition, and interferes with computer intrusion laws. However, since this paper is not
intended as a discussion of the DMCA, readers seeking detail should refer to section 1201 of the Act.
Contract Law surrounds the concept of a legally enforceable “promise” between two
parties. Non-disclosure Agreements (NDAs) fall into this category, as do EULAs and Terms of
Service/Terms of Use. Contract law most benefits the company that employs a researcher, rather
than the researcher himself. Since this area of the law is “murky”, researchers who publish their
work against the wishes of their employers stand a very good chance of at least getting fired, if
not sued, for breach of contract.
Criminal Law is designed to punish law breakers (of course). Researchers can be charged
under various criminal codes if it can be proved that they published their work with the intent to
help others commit a crime (aiding and abetting), or if the research is so detailed that it would be
simple for others to commit crimes (facilitation).
International Law varies from country to country (of course), and is much too broad to
cover in a limited but meaningful way. Researchers should be mindful of a host country’s laws
when working overseas, and of any laws they might break when using telecommunications
technologies that span borders.
Other Methods
“Media smear” campaigns have been instigated against researchers when there was no
clear legal method for stopping the publication of their work. A particularly vicious instance
involved researchers David Maynor and Jon Ellch, who cracked a MacBook at Black Hat in
2006 using third party drivers and third party wireless hardware. Apple PR director Lynn Fox
orchestrated a smear campaign accusing Maynor and Ellch of fabricating aspects of the hack, all
in an attempt to make it appear that Apple was a victim of unscrupulous hackers (Ou, 2007).
Overt and covert threats have been used to intimidate researchers into cancelling, delaying, or
withdrawing publication. One popular method is for a company to issue a DMCA takedown
notice to a researcher, only to rescind the notice later. In one instance, banking
equipment manufacturer Thales sent a DMCA takedown notice to John Young, who runs the
well-known Cryptome site, demanding that he remove a manual for one of their HSM products
(Moody, 2013). HSM stands for “hardware security module”, and in the banking industry HSMs
are instrumental in managing cryptographic keys and PINs used to authenticate bank card
transactions. The manual in question had been used for years by security researchers who were
investigating vulnerabilities and cryptographic weaknesses, and those vulnerabilities were causing
Thales some notable embarrassment. Another instance involves Patrick Webster, a security
consultant in Australia, who quietly warned First State Superannuation Fund about a web
vulnerability that would allow a hacker to access users’ accounts (Pauli, 2011). The Fund
thanked him for the tip, fixed the flaw within 24 hours, then sent the police to his house the next
day to “investigate”. The Fund demanded that Webster turn over his personal laptop to their in-
house IT staff, and also informed him that he could be held liable for any expenses related to
fixing the flaw that he reported. So, this researcher saved the company potentially millions of
dollars by alerting them to the flaw, alerted them privately that the flaw existed so that they could
avoid any embarrassment, and they threatened him with legal action and a repair bill.
Firings due to pressure from others are another tactic used by businesses to curtail or
punish unflattering publication. Dan Geer, former CTO of @stake Inc., was let go just a day after
the publication of a paper he co-authored that was sharply critical of Microsoft Corp., one of
@stake’s customers. The paper covered the effects that Microsoft’s monopolistic position has
on the security of the Internet, and argued that the dominance of Windows in the marketplace has
created a monoculture in which all systems are more vulnerable to widespread attacks and
viruses (Fisher, 2003). Both @stake and Microsoft claimed that Geer was let go for other
reasons, but Geer professed serious doubts.
Case Histories
Security researchers typically fall into one of four categories: white hats, grey hats, black
hats, and innovators. They all hack or crack systems, but have varying motivations. While many
researchers claim to be white hats, the truth is that most of them are actually grey. The
following section details the attributes of each, and provides a few “case histories” for members
of each category.
White hats profess to work to secure systems without breaking into them. “Hackers
for good”, they work with software companies/governments to resolve vulnerabilities and won't
announce vulnerabilities until a company is ready or found to be responsible. They will show the
system owner - but no one else - how to exploit a vulnerability, and will only attack systems
when authorized (Hafele, 2004).
Grey hats have a tendency to either skirt the law or run afoul of the law in the course of
their research. They might break into systems to heighten awareness of security flaws, and have
a tendency to announce vulnerabilities publicly without informing the company (or on the same
day that the company is notified). They may release exploit code or tools that aren’t easily
modified for hacking security, and will explore holes before notifying the owner of
vulnerabilities (Hafele, 2004).
Black hats are the bad guys. A black hat cares more about controlling and accessing
systems than about security. He will keep all of his exploits to himself, and will trade with others
on closed lists. He won't publish, and hacks for his own gain or for malicious reasons (Hafele,
2004).
White Hats
Ed Felten is currently the Director of Princeton's Center for Information Technology Policy.
Felten was a witness for the government in US v. Microsoft, where Microsoft was accused of a
variety of anti-trust violations surrounding the exclusive use of Internet Explorer with the
Windows operating system. Microsoft asserted that IE could not be removed from the
distribution without causing damage to the OS. Felten and a team of his students were able to
prove otherwise, severely damaging Microsoft’s case.
He is probably best known for his involvement with the Secure Digital Music Initiative
(SDMI), wherein the Recording Industry Association of America and Verance Corporation sued
him and his team for winning a competition they sponsored. The competition asked participants
to attempt to break the watermarking schema in use for protecting copyrighted music from
unauthorized use. In just three weeks, Felten’s team was able to remove any watermarks,
rendering the SDMI schema useless. When he attempted to publish his work, the RIAA and
Verance threatened to sue him under section 1201 of the DMCA. The suit failed, and Felten
presented his work at Usenix in 2001.
Felten was instrumental in uncovering security and accuracy problems in Diebold and
Sequoia voting machines. He and his students also discovered the cold boot attack, which allows
someone with physical access to a machine to extract the contents of memory after bypassing
any security methodologies (Wikipedia, 2013).
Michael Lynn was instrumental in highlighting security flaws in Cisco’s IOS. Dubbed
“Ciscogate”, the flaw centered around IPv6 packets, and whether or not a Cisco device could be
exploited remotely. Cisco fixed the flaw in early 2005, and Lynn was scheduled to present a
paper at Black Hat the same year detailing the results of his research. Lynn was careful to
remove as much detail as possible, but Cisco objected – strenuously. Representatives from the
company arrived at the conference a few hours before he was scheduled to present, confiscated
his paper and notes, and pressured Black Hat into cancelling his presentation. Lynn’s employer,
ISS, also gave him a “cease and desist” order regarding the presentation, and told him he would
be fired if he presented his work. Lynn resigned from his position at ISS an hour prior to
presenting, and asked attendees for a job just before giving his speech. He was hired by Juniper
Networks a few months later, and is still employed there (Masnick, 2005).
HD Moore is an innovator and white hat who developed Metasploit, one of the most widely
used penetration testing and vulnerability assessment frameworks (Stop The Hacker, 2012). He also developed
the Metasploit Decloaking Tool, which purports to be able to identify a user’s IP address
regardless of the use of proxies or VPNs. Current research projects include the Month of
Browser Bugs, which aims to combine fast-paced discovery with full disclosure.
Grey Hats
Robert Morris was the first person convicted under the Computer Fraud and Abuse Act for
spawning the Morris Worm – considered by many to be the first internet worm. Morris developed
the worm, intended as a means for measuring networks, while he was a graduate student at
Cornell. The story of how the worm “escaped” changes from time to time, but most accounts
agree that Morris developed the worm as a means to test and map the limits of the local area
network in a laboratory environment. However, containment of the worm failed, and in an effort
to disguise where the worm originated, Morris managed to divert it to MIT – where it spread
worldwide. Morris is currently a tenured professor of Computer Science at – you guessed it –
MIT (Anthony, 2011).
Dmitry Sklyarov is a Russian programmer who gained notoriety for cracking Adobe’s
ebook DRM scheme while employed at Russian software company ElcomSoft. In 2001, after
giving a presentation at DEF CON titled “eBook's Security - Theory and Practice”, Sklyarov was
arrested by the FBI and jailed for violating the DMCA after complaints from Adobe. However,
the DMCA does not apply in Russia, and the courts decided that a Russian citizen working for a
Russian company could not be held accountable under the DMCA. Both Sklyarov and
ElcomSoft were found not guilty at trial (Wikipedia, 2013).
Jon Lech Johansen (DVD Jon) is a Norwegian programmer with a thing for DRM – he
hates it. Since 2001, Johansen has developed 16 different methodologies for defeating DRM on a
multitude of platforms. Ironically, the Sony Rootkit actually used code stolen from Johansen, and
some have argued that he might have a case to sue Sony under the DMCA. His most notorious
exploit was the release of DeCSS, a method for defeating the Content Scrambling System in use
on DVDs (Anthony, 2011).
Black Hats
Kevin Mitnick’s first exploit occurred at the age of 12, when he figured out how to ride the
transit system in LA for free by bypassing the punch card system in use. He became a social
engineer, garnering usernames, passwords, and modem phone numbers. He hacked DEC at age
16 and was tried, convicted, and sentenced to 12 months in jail with three years’ supervised release. Near the
end of his three year probation, he hacked PacBell’s voice mail system, then went on the run for
over 2 years. By the time the FBI finally caught him, he had hacked numerous networks, cloned
cell phones, and stolen proprietary software from cell companies (Anthony, 2011).
Kevin Poulsen is currently the editor of Wired Magazine, but he began his career as a phone
phreak. His most notorious exploit was hacking the phone lines of a local radio station in order to
ensure that he was the 102nd caller – to win a Porsche. The FBI began pursuing him for myriad
crimes, and he turned fugitive. When a special was aired on America’s Most Wanted profiling
Poulsen, you guessed it, the phone system at AMW crashed. After his release from prison, he
managed to reinvent himself as a white hat and investigative journalist. Poulsen used exploits on
MySpace to identify over 700 sex offenders engaged in soliciting sex from children, and was the
man who broke the Bradley Manning-WikiLeaks story (Anthony, 2011).
Gary McKinnon is accused of hacking into 97 United States military and NASA computers
over a 13-month period between February 2001 and March 2002. The US authorities claim he
deleted critical files from operating systems, which shut down the United States Army’s Military
District of Washington network of 2,000 computers for 24 hours. McKinnon also posted a notice
on the military's website: "Your security is crap". After the September 11 attacks in 2001, he
deleted weapons logs at the Earle Naval Weapons Station, rendering its network of 300
computers inoperable and paralyzing munitions supply deliveries for the US Navy's Atlantic
Fleet. McKinnon is also accused of copying data, account files and passwords onto his own
computer. US authorities claim the cost of tracking and correcting the problems he caused was
over $700,000 (Wikipedia, 2013).
Identify the Problem
Ideological disconnect
There is an ideological disconnect between researchers/security professionals, and the
businesses and governments they work for. The researchers’ view: publish known vulnerabilities
so they can be prevented. Business’ and Government’s view: don’t publish, because if the exploit
is unknown, we aren’t vulnerable. You can see where this would lead to problems. Appendix A
lists a veritable cornucopia of instances detailing what happens when these competing ideologies
clash. Some examples include:
Researcher Ahmed Al-Khabaz discovered vulnerabilities in Skytech's Omnivox portals that
exposed 250k student records, and brought it to the attention of Dawson College. Skytech
threatened to press charges and send him to jail if he did not sign an NDA (Attrition.org, 2013).
Consultants Varun Uppal and Gyan Chawdhary discovered high-speed trading system
hacks during the course of business with a client. Due to financial pressure (i.e. loss of said
client), the talk was cancelled and has not been published (Attrition.org, 2013).
Security specialist Patrick Webster found a direct object reference vulnerability in First
State Superannuation’s website. He received a letter indicating FSS reported him to the police,
and threatened him with further legal action. After negative publicity, First State Super
withdrew its legal threat (Attrition.org, 2013).
There are no “whistleblower” protections anywhere to protect researchers, consultants, or
security specialists. Not in the DMCA, not in any of the legal statutes related to cybercrime
and security, and not in business law.
The “Grey Hat” concept is tricky. Most researchers aspire to be white hats, but before you
get the pay and the position, you have to break some rules and build a reputation. That means
either black hat or grey hat activity. Unfortunately, government and business have a tendency to
lump black and grey together, and they only tolerate white hats as “guns for hire” because they
have to.
Businesses defining legislation via lobby to uninformed legislators (He who has the most money,
wins)
Almost everyone agrees that the DMCA is a bad piece of legislation. Its only real purpose
is to prop up a failing business model adhered to by producers of “art”. I’m not attacking the
artist here, but rather entities like the RIAA, the MPAA, and the big publishing houses. These
entities banded together, spent a LOT of money, and got the legislation they wanted through use
of lobbyists and payments to members of Congress.
Researchers “crossing the line” into illegal activity (as currently defined)
There have been cases where researchers have crossed the line into illegal activity – even
become blackmailers and extortionists. However, most of that information is anecdotal – found on
forums and blogs.
One notable example is the case of Bret McDanel. While employed at Tornado
Development, McDanel discovered a flaw in the web-mail product provided to customers.
McDanel notified Tornado, and when they took too long to fix the problem, he quit. Six months
later (and employed at another company) he discovered that the exploit had not been fixed. He
took on the name "Secret Squirrel" and e-mailed about 5,600 of Tornado's customers over the
course of three days, telling about the vulnerability, and directed them to his own website for
information about it. This caused Tornado to panic: it deleted customers’ emails without
consent so they could not read McDanel’s message.
McDanel was arrested, tried, convicted and sentenced to sixteen months in prison, because
of the email and website he crafted. However, there was no evidence that McDanel or anyone
else ever exploited the vulnerability. McDanel was prosecuted for "knowingly causing the
transmission of information and as a result of such conduct, intentionally cause any impairment
to the integrity or availability of data, a program, a system, or information without
authorization." This is normally reserved for people who publish viruses and worms, not for
people who publish unpatched exploits to the potential victims. So, even though no "computer
crime" was actually committed, he was convicted for "impairing the integrity" of a system
(Rasch, 2003).
This is an excellent example of the disconnect between researchers and government. While
McDanel could have acted less like an angry teenager and more like a polished professional, he
really didn’t have much of a choice. He could have gone back to the management at Tornado and
expressed concern – but it didn’t work the first time. Had he threatened to expose the
vulnerability if Tornado didn’t fix it, he could have been charged with extortion. Had he broken
in and fixed the exploit himself, he definitely would have been outside the law. So he did what
he thought was best, and because federal prosecutors decided to stretch the limits of the law, he
went to jail. Not fair.
Solve the Problem
Current recommended practices
One of the current practices recommended by the EFF’s Coder’s Rights Project is delayed
publication, also known as “responsible disclosure”. This involves self-policing on the part of
researchers and a good faith effort to notify victims of any exploits prior to publishing any work.
It also requires that researchers do not publish until adequate time has been given for victims to
build a patch or close loopholes.
Another recommended practice involves limited publication. This practice requires that
researchers publish the concept, not a fully functional exploit. This would prevent bad actors from
taking advantage of exploits that have not been or cannot be patched. Also included in limited
publication is that researchers only publish to a limited audience – peers, business, and
government entities. By keeping to a smaller “pond”, researchers limit the number of fish that
get to feed.
Both of these practices are a win-win for everyone involved, and show a level of
professionalism and mutual respect for security partners.
Fix bad/broken legislation
Current legislation has not kept pace with the state of the industry. Almost every facet of
current legislation has weaknesses – the DMCA, copyright/patent law, criminal/international
law, even business and civil law. While pointing out weaknesses is easy (and would take all
day), coming up with a solution is not so simple. One good first step would be to limit or
redefine lobby access and the legislative process to include advocates from within the industry,
from researchers, from business concerns, and from our legislative representatives. I’m not sure
how to make that work, either, but change needs to start somewhere.
Proposed Future Practices
Going forward, in addition to the steps outlined in “solve the problem”, a new mindset should
be developed. Some recommendations are to redefine the business model or philosophy to
embrace early and ubiquitous reporting of vulnerabilities and exploits. This has huge
implications for national security as well as business. Without a fundamental change of mindset,
however, this will never happen. This change can be facilitated by adopting an “Open Source”
mindset between all stakeholders (business, government, researchers).
References
Anonymous. (2001, Apr 20). RIAA Challenges SDMI Attack. Retrieved Apr 3, 2013, from Extra - The Register UK: http://www.theregister.co.uk/extra/sdmi-attack.htm
Anthony, S. (2011, Sep 1). Black hat down: What happened to the world’s most famous hackers? Retrieved Mar 3, 2013, from Extremetech.com: http://www.extremetech.com/extreme/94647-black-hat-down-what-happened-to-the-most-famous-hackers/2
Attrition.org. (2013, Jan). Legal Threats Against Security Researchers. Retrieved Mar 15, 2013, from attrition.org: http://attrition.org/errata/legal_threats/
Buchanan, E., Aycock, J., Dexter, S., Dittrich, D., & Hvizdak, E. (2011, Jun). Computer Science Security Research and Human Subjects: Emerging Considerations for. Journal of Empirical Research on Human Research Ethics: An International Journal, 6(2), 71 - 83.
Burstein, A. J. (2008, Apr 14). Conducting Cybersecurity Research Legally and Ethically. Retrieved Mar 13, 2013, from usenix.org: http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein.pdf
Electronic Frontier Foundation. (2013). A "Grey Hat" Guide. Retrieved Mar 5, 2013, from Pages - EFF.org: https://www.eff.org/pages/grey-hat-guide
Electronic Frontier Foundation. (2013). Coders’ Rights Project Vulnerability Reporting FAQ. Retrieved Feb 23, 2013, from Issues - Coders - EFF.org: https://www.eff.org/issues/coders/vulnerability-reporting-faq
Felten, E. (2013, Mar 29). The Chilling Effects of the DMCA. Retrieved Apr 3, 2013, from Articles - Technology - slate.com: http://www.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_copyright_law_hurts_security_research.html
Fisher, D. (2003, Sep 29). Security Expert Geer Sounds Off on Dismissal. Retrieved Apr 16, 2013, from Security - eweek.com: http://www.eweek.com/c/a/Security/Security-Expert-Geer-Sounds-Off-on-Dismissal/
Goodin, D. (2007, Apr 17). ISP ejects whistle-blowing student. Retrieved Mar 22, 2013, from Security - The Register UK: http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/
Hafele, D. M. (2004, Feb 23). Three Different Shades of Ethical Hacking: Black, White and Gray. Retrieved Mar 22, 2013, from SANS Institute InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/hackers/shades-ethical-hacking-black-white-gray_1390
Hurley, E. (2004, Feb). Cyberspace security liability lawsuits on the rise? Retrieved Mar 10, 2013, from Information Security Laws, Investigations and Ethics - Information Security Magazine: http://searchsecurity.techtarget.com/Cyberspace-security-liability-lawsuits-on-the-rise
Kravets, D. (2013, Apr 24). Man Convicted of Hacking Despite Not Hacking. Retrieved Apr 25, 2013, from Threat Level - Wired Magazine: http://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/
Lemos, R. (2002, Sep 23). New laws make hacking a black-and-white choice. Retrieved Mar 25, 2013, from CNET News: http://news.cnet.com/2009-1001_3-958129.html
Lemos, R. (2002, Aug 2). Security pros create resource on flaws. Retrieved Mar 22, 2013, from CNET News News - Business Tech: http://news.cnet.com/2100-1001-948127.html
Lemos, R. (2003, Nov 13). GameSpy warns security researcher. Retrieved Mar 13, 2013, from CNET News - Enterprise Security: http://news.cnet.com/2100-7355_3-5107305.html
Lemos, R. (2011, Oct 17). Security suffers when firms sue researchers who report flaws. Retrieved Mar 5, 2013, from Tech Watch - InfoWorld: http://www.infoworld.com/t/web-security/security-suffers-when-firms-sue-researchers-who-report-flaws-176281
Lohmann, F. V. (2010, Feb). Unintended Consequences: . Retrieved Mar 6, 2013, from EFF.org: https://www.eff.org/sites/default/files/eff-unintended-consequences-12-years_0.pdf
Loup-Richet, J. (2012, Oct 30). Why Security Research Should Be Protected Speech. Retrieved Mar 5, 2013, from Censorship - Information Systems Research: http://www.information-systems-research.com/blog/2012/10/30/why-security-research-should-be-protected-speech/
Masnick, M. (2005, Jul 28). Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities. Retrieved Apr 4, 2013, from Legal Issues - TechDirt: http://www.techdirt.com/articles/20050728/0259209.shtml
McCullagh, D. (2001, Jul 23). Russian Hacker Arrested. Retrieved Mar 15, 2013, from Cryptome.org: http://cryptome.org/dmitry-bruce.htm
McCullagh, D. (2002, Jul 30). Security warning draws DMCA threat. Retrieved Mar 15, 2013, from CNET News - Digital Media: http://news.cnet.com/2100-1023-947325.html
Menn, J. (2012, Oct 29). Legal fears muffle warnings on cybersecurity threats. Retrieved Mar 13, 2013, from Featured Articles - Computer Security: http://articles.chicagotribune.com/2012-10-29/business/sns-rt-us-cyberwar-infrastructurebre89s1ah-20121029_1_cyber-attacks-cybersecurity-stuxnet
Mills, E. (2008, Jul 9). Dutch chipmaker sues to silence security researchers. Retrieved Apr 5, 2013, from News Blogs - CNET: http://news.cnet.com/8301-10784_3-9985886-7.html
Mills, E. (2011, Aug 01). Journalist faces charges over transit card flaw reports. Retrieved Mar 7, 2013, from News - CNET: http://news.cnet.com/8301-27080_3-20086613-245/journalist-faces-charges-over-transit-card-flaw-reports/?part=rss&subj=news&tag=2547-1_3-0-20&dlvrit=142337
Moody, G. (2013, Jan 24). Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It. Retrieved Mar 19, 2013, from Abusing the system - TechDirt: http://www.techdirt.com/articles/20130118/10002721726/banking-equipment-vendor-tries-to-censor-security-research-with-dmca-notice-then-backs-down-when-called-out-it.shtml
Ou, G. (2006, Aug 20). Vicious orchestrated assault on MacBook wireless researchers. Retrieved Mar 22, 2013, from Real World IT - zdnet.com: http://www.zdnet.com/blog/ou/vicious-orchestrated-assault-on-macbook-wireless-researchers/300
Ou, G. (2007, Mar 20). How Apple orchestrated web attack on researchers. Retrieved Mar 27, 2013, from Repost from Real World IT - ZDNet: http://www.zdnet.com/blog/ou/how-apple-orchestrated-web-attack-on-researchers/451
Pauli, D. (2011, Oct 14). Security researcher threatened with vulnerability repair bill. Retrieved Mar 5, 2013, from Risk - SC Magazine: http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
Schneier, B. (2001, Nov 15). Full Disclosure. Retrieved Apr 4, 2013, from Crypto-Gram Newsletter - Schneier.com: http://www.schneier.com/crypto-gram-0111.html
Schneier, B. (2002, Jun). Fixing Network Security by Hacking the Business Climate. Retrieved Mar 15, 2013, from UCSC.edu: http://classes.soe.ucsc.edu/cmps122/Spring04/Documents/schneier.pdf
Schneier, B. (2011, May 24). New Siemens SCADA Vulnerabilities Kept Secret. Retrieved Mar 5, 2013, from Schneier on Security - Schneier.com: http://www.schneier.com/blog/archives/2011/05/new_siemens_sca.html
Search Security. (2008, Aug 14). MIT case shows folly of suing security researchers. Retrieved Feb 2013, from Security Laws, Investigations and Ethics - Searchsecurity.com
Silverman, J. (n.d.). 10 Famous Hackers and Hacks. Retrieved Mar 13, 2013, from Communications - Discovery Channel: http://dsc.discovery.com/tv-shows/curiosity/topics/10-famous-hackers-hacks.htm
Stop The Hacker. (2012, Jul 23). The Five Most Famous Good Guy Hackers. Retrieved Mar 22, 2013, from stopthehacker.com: http://www.stopthehacker.com/2012/07/03/five-most-famous-good-guy-hackers/
Stubblefield, A. B., & Wallach, D. S. (2001, July). Dagster: Censorship-Resistant Publishing Without Replication. Retrieved Mar 13, 2013, from cs.rice.edu: http://www.cs.rice.edu/~dwallach/pub/dagster-tr.pdf
University of Exeter. (2012, Nov 12). Attitudes towards security threats uncovered. Retrieved Apr 5, 2013, from News - Phys.org: http://phys.org/news/2012-11-attitudes-threats-uncovered.html
Vijayan, J. (2011, Jan 21). Sony sends 'dangerous' message with PS3 lawsuit, says EFF. Retrieved Mar 5, 2013, from Legal News - Computer World: http://www.computerworld.com/s/article/9205885/Sony_sends_dangerous_message_with_PS3_lawsuit_says_EFF
Wikipedia. (2013, Apr 20). Edward Felten. Retrieved Apr 25, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Edward_Felten
Wikipedia. (2013). Gary McKinnon. Retrieved Apr 3, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Gary_McKinnon
Wikipedia. (2013, Apr 29). United States v. Elcomsoft. Retrieved Apr 30, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/United_States_v._ElcomSoft_and_Sklyarov
Appendix A

Legal Threats Against Security Researchers: How vendors try to save face by stifling legitimate research

(Note – this table was taken in its entirety from http://attrition.org/errata/legal_threats/ and is intended for use as an overview of trending topics.)
When | Company making threat | Researchers | Research Topic | Resolution/Status | Link

1/20/2013 | Dawson College / Skytech | Ahmed Al-Khabaz | Vulnerabilities in Skytech's Omnivox portals, used by schools | Found vulnerability that exposed 250k student records, brought it to attention of college. Did not try to conceal his identity, did not misuse the information, did not try to profit. Skytech threatened to press charges and send him to jail if he did not sign an NDA. | http://www.nationalpost.com/m/wp/news/canada/blog.html?b=news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data

10/25/2012 | (unknown international utility) | (unknown) | Nuclear power plant vulnerabilities (SCADA) | Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer. | http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061

10/25/2012 | (unknown international utility) | Ralph Langner | Nuclear power plant vulnerabilities (SCADA) | Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer. | http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061

5/28/2012 | E-Soft (UK) | Eric Romang | Video of Metasploit Digital Music Pad SEH overflow exploitation module | E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to the same site once by another individual. The video remains available, and there have been no reported attempts to silence news of the exploit in other manners. | http://attrition.org/errata/legal_threats/e-soft/

1/31/2012 | Smart Grid/Meter Vendor (unspecified) | Don Weber / InGuardians | Smart Grid Meter Security Assessment Tool Release | Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to the vendor until weeks after the ShmooCon CFP. Further, Weber says there were no vulnerabilities being disclosed, suggesting that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client. | https://twitter.com/cutaway/status/165923445698347008

11/22/2011 | Carrier IQ | Trevor Eckhart | Carrier IQ software logs excessive information | Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public. |

10/13/2011 | First State Superannuation | Patrick Webster | Direct Object Reference vulnerability in FSS website | Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat. |

8/1/2011 | Trans Link Systems | Brenno de Winter | OV Transit Payment System Vulnerabilities | Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research. |

4/27/2011 | Magix AG | Acidgen | Buffer overflow in Music Maker 16 software (version 16.0.2.4) | Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource site for security researchers, but in their terms and conditions they try to force researchers not to disclose without a patch or fix available. |

3/21/2011 | German telecommunications firm (unspecified) | Thomas Roth | Amazon EC2-based password cracking software | Roth's apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. The injunction has since been revoked; Roth published the research. | http://www.darkreading.com/end-user/researcher-overcomes-legal-setback-over/229301362

7/26/2010 | Financial Industry Client (unspecified) | Varun Uppal and Gyan Chawdhary | High-Speed Trading System Hacks | Due to financial pressure (i.e. loss of a client), the talk was pulled and not presented anywhere else. |

7/15/2010 | Taiwanese Government | Wayne Huang, Armorize Technologies Inc. | The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 | Two weeks before the conference, the talk was cancelled due to "pressure from the Taiwanese government." | http://www.eweek.com/c/a/Security/China-Cyber-Army-Talk-Pulled-From-Black-Hat-668887/

7/18/2009 | RSA | Scott Jarkoff | Navy Federal Credit Union Web Site Flaws | SliceHost / TechMiso challenges RSA, RSA backs down | http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/

7/17/2009 | Comerica Bank | Lance James | XSS / Phishing vulnerabilities on Comerica site | C&D sent to Tumblr, information removed but vulnerability still present (2009-07-17) | http://dl.dropboxusercontent.com/u/634884/Letter%20to%20Tumblr%20from%20P.%20Bertrand%207-17-09.PDF

6/6/2009 | Orange.fr | HackersBlog | Multiple Vulnerabilities [1] [2] | Apparent legal threats, details not published. | 404 not found

8/13/2008 | Sequoia Voting Systems | Ed Felten | Voting Machine Audit | Research still not published (2008-10-02) | https://freedom-to-tinker.com/blog/appel/judge-suppresses-report-voting-machine-security/

8/9/2008 | Massachusetts Bay Transit Authority | Zach Anderson, RJ Ryan and Alessandro Chiesa | Electronic Fare Payment (Charlie Card/Charlie Ticket) | Gag order lifted, researchers hired as consultants by MBTA | https://www.eff.org/press/archives/2008/12/22

7/9/2008 | NXP (formerly Philips Semiconductors) | Radboud University Nijmegen | Mifare Classic Card Chip Security | Research Published | http://news.cnet.com/8301-10784_3-9985886-7.html

12/6/2007 | Autonomy Corp., PLC | Secunia | KeyView Vulnerability Research | Research Published | http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0152.html

7/29/2007 | U.S. Customs | Halvar Flake | Security Training Material | Researcher denied entry into U.S., training cancelled last minute | http://addxorrol.blogspot.com/2007/07/ive-been-denied-entry-to-us-essentially.html

4/17/2007 | BeThere (Be Unlimited) | Sid Karunaratne | Publishing ISP Router Backdoor Information | Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) | http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/

2/27/2007 | HID Global | Chris Paget / IOActive | RFID Security Problems | Talk pulled, research not published | http://www.infoworld.com/d/security-central/lawsuits-patent-claims-silence-black-hat-talk-720

2007-??-?? | TippingPoint Technologies, Inc. | David Maynor / ErrataSec | Reversing TippingPoint rule set to discover vulnerabilities | Bulk of research later published at BlackHat Briefings 07. | https://www.blackhat.com/presentations/bh-usa-07/Maynor_and_Graham/Whitepaper/bh-usa-07-maynor_and_graham-WP.pdf

7/29/2005 | Cisco Systems, Inc. | Mike Lynn / ISS | Cisco router vulnerabilities | Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on | http://www.securityfocus.com/news/11260

3/25/2005 | Sybase, Inc. | Next-Generation Security Software | Sybase Database vulnerabilities | Threat dropped, research published | http://www.securityfocus.com/news/10827

9/30/2003 | Blackboard Transaction System | Billy Hoffman and Virgil Griffith | Blackboard issued C&D to Interz0ne conference, filed complaint against students | Confidential agreement reached between Hoffman, Griffith and Blackboard | http://www.chillingeffects.org/weather.cgi?WeatherID=383

7/30/2002 | Hewlett-Packard Development Company, L.P. (HP) | SNOsoft | Tru64 Unix OS vulnerability - DMCA based threat | Vendor/researcher agree on future timeline, additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after | http://news.cnet.com/2100-1023-947325.html

7/16/2001 | Adobe Systems Incorporated | Dmitry Sklyarov & ElcomSoft | Adobe eBook AEBPR Bypass | Elcomsoft found Not Guilty | http://news.cnet.com/2100-1023-978176.html

2001-??-?? | Tegam International (Viguard Antivirus) | Guillaume Tena (Guillermito) | Vulnerabilities in Viguard Antivirus | Suspended fine of 5,000 Euros | http://news.cnet.com/France%20puts%20a%20damper%20on%20flaw-hunting/2100-7350_3-5606306.html?tag=techdirt

4/23/2001 | SDMI, RIAA and Verance Corporation | Ed Felten | Four Watermark Protection Schemes Bypass - DMCA based threat | Research published at USENIX 2001 | http://en.wikipedia.org/wiki/Edward_Felten#SDMI_Lawsuits

8/17/2000 | MPAA & DVD CCA | 2600: The Hacker Quarterly | DVD Encryption Breaking Software (DeCSS) | DeCSS ruled 'not a trade secret' | http://www.linuxinsider.com/story/32672.html
The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will come forward with additional information or clarification.
When | Company making threat | Researchers | Research Topic | Resolution/Status

8/1/2008 | Apple | Charles Edge / 318 Inc. | FileVault encryption system weaknesses | NDA between Edge/Apple existed already, Apple called Edge on it. Researcher "rescinded talk" but BH CFP team shows no record of talk being submitted in first place. http://news.cnet.com/8301-1009_3-10004627-83.html Attrition Theory: Incident used as press fodder for 318/Edge attention.

12/7/2006 | Oracle Corporation | Argeniss | Week of Oracle Bugs (WoOB) | WoOB cancelled, rumors of financial/legal threats. 404 not found
The following incidents are related to the ones above, but "cross the line". They include incidents where it was not "security research", but rather activity that was considered a crime by current laws (at the time). Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of a lawsuit over such activity is frivolous to most, the companies are being prudent because the researcher in question likely did break laws in the process.
When | Company making threat | Researchers | Research Topic | Resolution/Status

8/23/2010 | n/a | Hari Prasad, Netindia | Voting Machine vulnerability research | Prasad arrested, machine given to him was apparently stolen. http://www.wired.com/threatlevel/2010/08/researcher-arrested-in-india

9/12/2008 | Carleton University | Mansour Moufid | Used keylogger to expose student information | Moufid charged with computer crime. http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1

4/28/2006 | University of Southern California | Eric McCarty | Database programming error allows disclosure of student SSN and more | McCarty charged with computer crime. http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70857

8/18/2003 | Tornado Development, Inc. | Bret McDanel | Secure Webmail Session Hijacking discovery | Arrested, tried, convicted and sentenced to 16 months of prison time. http://www.securityfocus.com/columnists/179

3/18/2002 | Harris County District Court | Stefan Puffer | Insecure wireless network discovery | Faces 5 years and $250,000 fine. The jury deliberated for 15 minutes before acquitting Puffer.
Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats dominates the venue and/or news, but the threats never happened. This table will list such events, to help clarify what happened. As time allows, any case of a security talk being cancelled will be added.
When | Company making request or threat | Researchers | Research Topic | Resolution/Status

10/19/2012 | Hewlett-Packard | Kurt Grutzmacher | Huawei / H3C router vulnerabilities | Grutzmacher coordinated disclosure via US-CERT in August. Days before Toorcon 2012, HP sent a polite request for him to cancel, saying patches were not ready. Grutzmacher cancelled his talk. Two days later, HP released the patch, casting doubt over their intention behind the request.

10/10/2012 | (none) | Pirate Bay founders Peter Sunde and Fredrik Neij | Talk titled "Data is Political" | Neij's lawyer advised his client not to travel to a highly visible public conference centered on hacking. Sunde was reportedly too ill to travel.

7/29/2012 | (unknown) | Sergey Gordeychik / Denis Baranov, Positive Technologies | SCADA vulnerabilities including Siemens | The talk "SCADA Strangelove: How I Learned To Start Worrying And Love The Nuclear Plants" was cancelled a week before the conference and replaced with a different SCADA talk by another person not affiliated with Positive Technologies. No confirmation as to why; speculation is the talk was pulled due to vendor pressure.

1/31/2012 | Smart Grid Meter Vendor (unnamed) | Don Weber / InGuardians | Smart Grid Vulnerabilities | Was asked to pull talk from ShmooCon 2012, complied. Presented later at BSidesLV 2012.

8/16/2011 | (none) | Riley Hassel / Shane Macaulay | Google Android Vulnerabilities | Hassel/Macaulay scheduled to give "Hacking Android for Profit" talk at BlackHat Briefings Las Vegas 2011. Neither presenter showed for their talk. Subsequent articles point out that Google said "The identified bugs are not present in Android", and that the presenters backed out in "fear criminals would use it attack Android phones". In another work, Hassel said "that some of their work may have replicated previously published research, and they wanted to make sure they properly acknowledged that work."

5/18/2011 | Siemens / Department of Homeland Security (DHS) | Dillon Beresford / NSS Labs | SCADA vulnerabilities | TakeDownCon 2011 talk titled "Chain Reactions - Hacking SCADA" was cancelled by Beresford after concerns from Siemens/DHS were expressed. Beresford said "DHS in no way tried to censor the presentation."

7/15/2010 | Taiwanese / Chinese agencies (unnamed) | Wayne Huang, Armorize CTO | Analysis of China's government-backed hacking initiatives | Talk pulled from BlackHat Briefings 2010 in Las Vegas, announced by Caleb Sima, Armorize CEO, on Twitter. An earlier version of the talk was given to a small conference in Taiwan in 2007.

6/29/2010 | ATM Vendors (unnamed) | Raoul Chiesa | ATM Vulnerabilities | Initial reports said that Chiesa was threatened by ATM vendors and forced to cancel last minute. According to Chiesa, no threats were made. The talk was cancelled for "logistical issues that day". Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date.

6/30/2009 | ATM Vendors (unnamed, presumed Triton) | Barnaby Jack / Juniper Networks | ATM Vulnerabilities | BlackHat Briefings Las Vegas 2009 talk cancelled by Juniper after ATM vendor expressed concerns about disclosure before customers were fully protected. Information published at BlackHat 2010.

7/2/2008 | Apple | Unnamed 'Apple Insiders' | Apple Security Response Team | According to Trey Ford, BlackHat general manager, a panel of Apple insiders were to have a panel to discuss "the company's security-response team". When Apple's marketing department heard, the panel was abruptly cancelled.