back to article Zero-day hunters seek laws to prevent vendors suing them for helping out and doing their jobs

Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit. Peter Coroneos, CyAN international veep and leader of its new "Zero Day Legislative …

  1. ShadowSystems

    Dear Companies, don't be stupid.

    If someone contacts you to warn you about a security flaw in your product, don't threaten them with legal actions, work with them to fix the flaw.

    If you threaten the people helping to fix your fuckups, don't be surprised if they stop telling you about them & instead start selling such zero-day exploits to the criminal underbelly of society that will *reward them* for such things.

    "I tried to warn them about the flaw, but they threatened to sue me for hacking. So I stopped telling them about all the flaws I kept finding & sold that knowledge to the script kiddie gangs. _THEY_ thanked, rewarded, and praised me for my efforts. How fucked up is _that_?"

    Imagine the PR & legal flac you will trigger when it comes out that you were openly hostile to the folks trying to help you. Protestations of "taking security seriously" won't hold up worth a damn when stood up next to you having tried to prosecute the folks that tried to notify you of those insecure bits...

    1. Yet Another Anonymous coward Silver badge

      Re: Dear Companies, don't be stupid.

      Yes but imagine how much higher Boeing's share price would be today if it was illegal to mention any possible flaws in their MCAS (tm) system

    2. Denarius Silver badge

      Re: Dear Companies, don't be stupid.

      havent dealt the legal system, have you ?

  2. Denarius Silver badge

    you mean

    clued legal practitioners ? Or worse, more rational judges who would eviscerate any body/person/company trying to create a legal threat on a responsible bug hunter ? Go wash your mouth out and apply mind bleach

  3. Phones Sheridan
    Pirate

    A lot of the resistance comes down to permission. If you own something, you're entitled to perform your own testing on it regardless of what it says in the EULA. What you can't do is take a crow-bar and go start testing other peoples doors and windows so to speak. If you don't have permission, don't touch it. If you happen across something during your lawful use of a service, by all means report it and provide an explanation of your actions so they can reproduce it. What you don't do is actively use the exploit you've discovered, and go for a joy-ride through their system downloading data and files.

    1. Yet Another Anonymous coward Silver badge

      >If you don't have permission, don't touch it

      A more appropriate analogy might be that you notice a truck going down the freeway leaking toxic chemicals but you don't mention it because you aren't the customer

      1. Phones Sheridan

        Not analogous. If toxic chemicals were spewing out of a truck, the correct response is to dial 999 and report it if the driver tells you to eff-off. The digital analog to this, would be if you spot a server hemorrhaging personal details, you contact the ICO. They are the only authorities (in the UK) with a government mandate to investigate it, just like the emergency services are with dangerous road spills.

  4. Richocet

    This was interesting reading. I looked through the repository of examples too.

    Some theories about why this can happen:

    1. Individual programmer / low level manager doesn't want to accept any blame so goes on the attack to hush it up.

    2. Company has psychopathic senior manager so programmers are terrified of bug reports and do everything they can to hush up reports, such as mislead the company lawyer that illegal hacking has taken place.

    3. Company has out of touch (non-technically literate) senior management and in-house lawyer who don't understand that the people finding exploits are providing a valuable service to the company.

    4. The company lawyer sees an opportunity to escalate the situation to make additional work for themself = fees.

    5. One or more government agencies have compelled or persuaded the company to add these vulnerabilities to their products. When the flaw is discovered, the company doesn't want to fix the issue or have it disclosed.

    If anyone read the example of the phone monitoring rootkit, it looks like the product was malware, and it was the only product of that company. So exposing any of the issues about the project was game over for the company. Therefore legal action was the only chance at survival. I class this as a rare special case.

    1. Doctor Syntax Silver badge

      6. All of the above.

  5. Clausewitz 4.0
    Devil

    Reverse Engineering is a gray area

    Reverse Engineering is a gray area. If you read the EULA of most systems, they will forbid you of doing so.

    So, if planning to fire up your IDA Pro, be sure to be in a like-minded organization with good protection in place, and depending on the project, even physical protection applies.

    1. bombastic bob Silver badge
      Facepalm

      Re: Reverse Engineering is a gray area

      oh, no EULA violation. gonna take away my birthday!!!

      File this under "no good deed goes unpunished"

  6. Doctor Syntax Silver badge

    Publish the cease and desist letter. Then let the company's customers wonder just what's wrong, how bad it is, and why they're doing this rather than fixing it.

    1. Anonymous Coward
      Anonymous Coward

      You're assuming that the hunters are correct. I once had a report to me that one of my servers was spitting out spam and flooding a chaps mail server, DOS levels of spam, his recipients were getting an email every second or so. I asked for a copy of the email headers, read back through to the originating server. It wasn't one of my IP addresses. It was a random server out on the internet (mis)configured as an open relay. My domain was being spoofed. I politely pointed out that there was nothing I could do about a 3rd party server spoofing email addresses. I showed him the NSLOOKUP of our MX records we were sending emails from (and I'm pretty certain SPF, tho I can't be sure that long ago, we were not on Office 365 then) to show him I had taken what steps I could from my side of things. I also pointed out that I could see the IP address was listed on several DNSBLs, so if he wanted to stop the emails at source, either block the IP in his mail server config, or firewall, or configure it with a DNSBL lookup. I even pointed him to an article online with how-to configs for most email servers out there.

      Within an hour all company board members were emailed with an ALL CAPS subjected email "OFFICIAL COMPLAINT OF INACTION BY YOUR IT DEPARTMENT". Basically re-iterating what his original email said, but in stronger language, lots of CAPITALS, complaining about my inaction and competency.

      I looked him up, saw that he owned an IT consultancy, professing to be an internet security professional. Then I saw his blog. He'd listed his interactions with the company I worked for and my lack of response. The blog also linked to his twitter and social media. He was basically shouting from the rooftops.

      Undeterred, (and mainly because there was no GDPR back in 2011 to stop me doing this). I simply screenshotted the interaction between us and posted it in response to all his posts, along with a breakdown of where he was at fault, and recommending anyone using his services to look for someone else that can read and understand something as simple as an email header.

      Couple of hours later, yet more emails ALL IN CAPS informing us he would take legal action against us immediately unless I apologised for my posts publically, admitted I was wrong and would fix the problem.

      Instead I screenshotted this, and added it to my previous posts on his blog and social media, along with a final sentence "You have 24 hours to show this interaction between us to your lawyer and someone more technically knowledgeable than you. Then, take appropriate action. Failure to do this will result in us starting legal action for defamation and/or libel".

      The following day, his blog on his company website had vanished and his social media accounts were all set to private with no public posts. Even his photo had gone.

      I've no problem with people reporting technical exploits, I'm grateful for it. But if someone else isn't as appreciative of your report, and you don't have the government authority to investigate it, then simply reporting it to the authorities, i.e. the ICO, and then minding your own business is safest all round for you as an individual. Or to put it another way; who are you, who made you the internet police. Be careful the real police don't end up investigating you if you keep sticking your beak in.

      1. bombastic bob Silver badge
        Pint

        Have a beer!

        (a BOFH's job is never done)

      2. Cav

        "who are you, who made you the internet police". Everyone has the right, and the duty, to point out exploits that could potentially harm millions of people by revealing their data.

        The example you gave is of a person believing you were the cause of the problem. He was wrong but that isn't the point. Although an idiot, he was right to contact you. Anyone else finding such a problem should also report it, initially to the company concerned, as most people do, which is the point of the article. Only if the company refuses to act should the informant go public. And they SHOULD go public and be protected by the law in the same way that whistle-blowers are. If you host a web facing system of any type, and that system holds the details of potentially millions of people, it is morally correct for someone to highlight the fact that you are leaking that data.

        1. Anonymous Coward
          Anonymous Coward

          "Everyone has the right, and the duty..."

          Then by the same token, everyone has the right and duty to point at someone and shout "Thief" or "Rapist" or "Murderer" because they believe it to be true..... Only they don't. Because we live in a society with rules and process.

          The only right someone has, is to report something to the authorities for them to investigate. Anything else is vigilantism, and any claims made have the same legal level as unfounded allegations, and usually ends up with the person doing the pointing being the one investigated and prosecuted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021