Page 1: Pressure (not) to Publish: - Murray State University's …campus.murraystate.edu/.../wlyle/540/2013/Farthing.docx · Web viewCyber security researchers face an increasingly difficult

Running head: Pressure (not) to Publish

Pressure (not) to Publish:

Discussing the Publication of Cyber Security Research

Karen Farthing

CSC540, Spring 2013

Murray State University

Abstract

Cyber security researchers increasingly face a daunting dilemma: to publish or not to publish? The ethical argument can be approached from two perspectives. The first school of thought holds that any vulnerabilities discovered should be published, so that systems administrators are aware of the ever-evolving threat. The second, espoused largely by business and government, holds that new exploits should not be published, because publication leaves systems open to attack. It is a David and Goliath struggle, leaving researchers in the unenviable position of having to choose the hard right over the easy wrong. Legislation has been unable to keep pace with a rapidly changing technological landscape, leaving the line between legal and criminal behavior open to debate. So where does that leave the researcher? In no man's land.

Pressure (not) to Publish: Discussing the Publication of Cyber Security Research

Introduction

Cyber security researchers face an increasingly difficult battle when attempting to publish or present their work. Publishing security vulnerabilities is risky. Researchers must take care not to publish too much: if a researcher releases working exploit code along with the vulnerability, attackers can use it before patches are written and applied. There are also no whistleblower protections in place for researchers. They face legal threats from businesses and governments, and fall victim to smear campaigns when companies do not have a legal leg to stand on (Attrition.org, 2013). In the following pages, this paper discusses legal and other barriers to publication; case histories of white hats, grey hats, black hats, and innovators; the factors that contribute to the issue; and steps that might alleviate the problem.

Barriers to Publication

Many legal vehicles contribute to the limitations placed upon researchers who want to publish vulnerability reports. Likewise, businesses and governments sometimes resort to less than legal means aimed at discouraging researchers from publishing information about security vulnerabilities.

Legal Barriers

Copyright law is intended to protect a creator from unauthorized reproduction of his work. It applies to software as well as to music, video, and many other works. Security researchers must often make copies of software in order to find bugs or exploits, and doing so can violate copyright law (Electronic Frontier Foundation, 2013).

Trade secret law is intended to protect the proprietary works of businesses engaged in maintaining an edge over their competition. According to the Coders' Rights Project FAQ from the Electronic Frontier Foundation, "misappropriation of trade secrets can be both a civil and criminal offense. Generally, a trade secret is information that (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Misappropriation means a wrongful acquisition, use, or disclosure of a trade secret" (Electronic Frontier Foundation, 2013). Reverse engineering of software or hardware can be alleged to violate trade secret law. Reverse engineering a lawfully obtained product is generally recognized as a proper means of discovering a trade secret, but a license term that forbids reverse engineering can be used to argue that the information was acquired wrongfully. Companies often try to claim that security vulnerabilities are themselves trade secrets, because public knowledge of a vulnerability could harm their competitive advantage or the value of their holdings.

Patent law grants the creator of an invention the sole right to use it for a limited period of time. It is intended to prevent other parties from infringing on that intellectual property during the period in which it has the most earning potential. Researchers can run afoul of patent law if they build a hardware hack that operates too similarly to a product currently under patent, regardless of how the researcher arrived at the design: unlike copyright, patent infringement does not require copying.

The Digital Millennium Copyright Act (DMCA) is the juggernaut that all security researchers must face. Any security researcher venturing into the arena of Digital Rights Management (DRM) or other technological protection measures must tread very carefully. Even when caution is exercised, researchers will most likely violate the DMCA at some point, because its terms are broad and open to interpretation at every turn. Congress did, however, provide three limited exemptions under which security researchers can conduct reverse engineering for interoperability (section 1201(f)), encryption research (1201(g)), and security testing (1201(j)). Those exemptions are narrow: the encryption-research exemption expects a good-faith effort to obtain authorization from the copyright owner before circumventing, the security-testing exemption requires the authorization of the owner or operator of the system under test, and distribution of circumvention code or tools remains restricted except within the limited scope of those exemptions. The DMCA has had an impact on the worldwide cryptography research community, since an argument can be made that any cryptanalytic research violates, or might violate, the Act. Critics further argue that the DMCA stifles free expression (see the case histories of Felten and Sklyarov below), jeopardizes fair use for owners of various media, impedes competition, and interferes with computer intrusion laws. Since this paper is not intended as a discussion of the DMCA, please refer to section 1201 of the Act for details.

Contract law surrounds the concept of a legally enforceable promise between two parties. Non-disclosure agreements (NDAs) fall into this category, as do EULAs and terms of service or terms of use. Contract law most benefits the company that employs a researcher rather than the researcher himself. Since this area of the law is murky, researchers who publish their work against the wishes of their employers stand a very good chance of at least being fired, if not sued, for breach of contract.

Criminal law is designed to punish law breakers, of course. Researchers can be charged under various criminal codes if it can be proved that they published their work with the intent to help others commit a crime (aiding and abetting), or if the research is so detailed that it would be simple for others to use it to commit crimes (facilitation).

International law varies from country to country and is much too broad to cover here in a limited but meaningful way. Researchers should be mindful of the host country's laws when working overseas, and of any laws they might break by using telecommunications technologies that span borders.

Other Methods

“Media smear” campaigns have been instigated against researchers when there was no clear legal method for stopping the publication of their work. A particularly vicious instance involved researchers David Maynor and Jon Ellch, who demonstrated a wireless driver exploit against a MacBook at Black Hat in 2006 using a third-party wireless card and its drivers. According to Ou (2007), Apple PR director Lynn Fox orchestrated a campaign accusing Maynor and Ellch of fabricating aspects of the hack, in an attempt to make it appear that Apple was the victim of unscrupulous hackers.

Overt and covert threats have been used to intimidate researchers into cancelling, delaying, or withdrawing publication. One popular method is for a company to issue a DMCA takedown notice to a researcher, only to rescind the notice later. In one instance, banking equipment manufacturer Thales sent a DMCA takedown notice to John Young, who runs the well-known Cryptome site, demanding that he remove a manual for one of its HSM products (Moody, 2013). An HSM, or hardware security module, is a tamper-resistant device that in the banking industry manages the cryptographic keys and PINs used to authenticate bank card transactions. The manual in question had been used for years by security researchers investigating cryptographic weaknesses in the product, and those findings were causing Thales notable embarrassment. Another instance involves Patrick Webster, a security consultant in Australia, who quietly warned First State Superannuation Fund about a web vulnerability that let any logged-in member view other members' accounts simply by changing an account number in the URL (Pauli, 2011). The Fund thanked him for the tip, fixed the flaw within 24 hours, then sent the police to his house the next day to “investigate”. The Fund demanded that Webster turn over his personal laptop to its in-house IT staff, and also informed him that he could be held liable for any expenses related to fixing the flaw he reported. So this researcher potentially saved the company millions of dollars by alerting it to the flaw, did so privately so the company could avoid embarrassment, and was rewarded with threats of legal action and a repair bill.

Firing due to pressure from others is another tactic used by businesses to curtail or punish unflattering publication. Dan Geer, former CTO of @stake Inc., was let go just a day after the publication of a paper he co-authored that was sharply critical of Microsoft Corp., one of @stake's customers. The paper covered the effect that Microsoft's monopolistic position has on the security of the Internet, and argued that the dominance of Windows in the marketplace has created a monoculture in which all systems are more vulnerable to widespread attacks and viruses (Fisher, 2003). Both @stake and Microsoft claimed that Geer was let go for other reasons, but Geer professed serious doubts.

Case Histories

Security researchers typically fall into one of four categories: white hats, grey hats, black hats, and innovators. All of them hack or crack systems, but with varying motivations. While many researchers aspire to be white hats, the truth is that most of them are actually grey. The following section details the attributes of each and provides a few “case histories” for members of each category.

White hats profess to work to secure systems without breaking into them. “Hackers for good”, they work with software companies and governments to resolve vulnerabilities and will not announce a vulnerability until the company is ready or has been shown to be responsible for it. They will show the system owner, but no one else, how to exploit a vulnerability, and will only attack systems when authorized (Hafele, 2004).

Grey hats have a tendency to skirt or run afoul of the law in the course of their research. They might break into systems to heighten awareness of security flaws, and tend to announce vulnerabilities publicly without informing the company (or on the same day the company is notified). They may release proof-of-concept code or tools that are not easily turned into working attack tools, and will explore holes before notifying the owner of the vulnerable system (Hafele, 2004).

Black hats are the bad guys. A black hat cares more about controlling and accessing systems than about security. He keeps his exploits to himself or trades them with others on closed lists. He does not publish, and hacks for his own gain or for malicious reasons (Hafele, 2004).

White Hats

Ed Felten is currently the Director of Princeton's Center for Information Technology Policy. Felten was a witness for the government in United States v. Microsoft, in which Microsoft was accused of a variety of antitrust violations surrounding the bundling of Internet Explorer with the Windows operating system. Microsoft asserted that IE could not be removed from the distribution without damaging the OS. Felten and a team of his students demonstrated otherwise, severely damaging Microsoft's case.

He is probably best known for his involvement with the Secure Digital Music Initiative (SDMI). The SDMI consortium publicly invited participants to attempt to break the watermarking schemes proposed for protecting copyrighted music from unauthorized use. Within the three weeks of the challenge, Felten's team was able to remove the watermarks, rendering the SDMI schemes useless. When he attempted to publish his work, the Recording Industry Association of America (RIAA) and Verance Corporation threatened to sue him and his team under section 1201 of the DMCA (Anonymous, 2001). Felten, backed by the EFF, sued for a declaratory judgment; the threat was withdrawn and he presented the work at the USENIX Security Symposium in August 2001.

Felten was also instrumental in uncovering security and accuracy problems in Diebold and Sequoia voting machines. He and his students also discovered the cold boot attack, which allows someone with physical access to a machine to recover the contents of RAM, including disk-encryption keys, by rebooting it: DRAM retains its contents for seconds to minutes after power is cut, long enough to boot a small memory-dumping tool, and cooling the chips extends that window (Wikipedia, 2013).

Michael Lynn was instrumental in highlighting security flaws in Cisco's IOS. Dubbed “Ciscogate”, the affair centered on a flaw in IOS's IPv6 packet handling and on whether a Cisco device could be exploited remotely through it. Cisco fixed the flaw in early 2005, and Lynn was scheduled to present a paper at Black Hat the same year detailing the results of his research. Lynn was careful to remove as much exploit detail as possible, but Cisco objected strenuously. Representatives from the company arrived at the conference before he was scheduled to present, had his paper removed from the printed proceedings, and pressured Black Hat into cancelling his presentation. Lynn's employer, ISS, also gave him a cease-and-desist order regarding the presentation, and told him he would be fired if he presented his work. Lynn resigned from ISS shortly before presenting, asked attendees for a job at the start of his talk, and gave it anyway. He was hired by Juniper Networks a few months later and was still employed there at the time of writing (Masnick, 2005).

HD Moore is an innovator and white hat who developed Metasploit, one of the most widely used penetration testing and vulnerability verification frameworks (Stop The Hacker, 2012). He also developed the Metasploit Decloaking Engine, which attempts to identify a user's real IP address regardless of proxies or VPNs. His earlier projects include the Month of Browser Bugs (July 2006), which combined fast-paced discovery with full disclosure by publishing one new browser bug every day for a month.

Grey Hats

Robert Morris was the first person convicted under the Computer Fraud and Abuse Act, for releasing the Morris Worm, considered by many to be the first Internet worm. Morris wrote the worm in 1988 while he was a graduate student at Cornell. Accounts of his intent vary, but most agree that the worm was meant to gauge the size of the Internet rather than to do damage; a flaw in its re-infection logic caused it to copy itself onto already-infected machines again and again, overloading them. In an effort to disguise where the worm originated, Morris released it from MIT, from where it spread across the Internet. Morris is currently a tenured professor of Computer Science at, you guessed it, MIT (Anthony, 2011).

Dmitry Sklyarov is a Russian programmer who gained notoriety for cracking Adobe's eBook DRM scheme while employed at the Russian software company ElcomSoft. In 2001, after giving a presentation at DEF CON titled “eBook's Security - Theory and Practice”, Sklyarov was arrested by the FBI and jailed for violating the DMCA after complaints from Adobe. The work had been done in Russia, where the DMCA does not apply, and the arrest provoked an outcry. The charges against Sklyarov personally were dropped in exchange for his testimony, and ElcomSoft was acquitted by a jury in 2002, which found that the company had not willfully violated the Act (Wikipedia, 2013).

Jon Lech Johansen (DVD Jon) is a Norwegian programmer with a thing for DRM: he hates it. Since 2001, Johansen has developed 16 different methods for defeating DRM on a multitude of platforms. Ironically, the Sony BMG rootkit reportedly incorporated code written by Johansen, and some have argued that he might have a case to sue Sony under the DMCA. His most notorious exploit was the 1999 release of DeCSS, a program for defeating the Content Scrambling System used on DVDs (Anthony, 2011).

Black Hats

Kevin Mitnick's first exploit occurred at the age of 12, when he figured out how to ride the Los Angeles transit system for free by exploiting its punch-card transfer system. He became a social engineer, collecting usernames, passwords, and modem phone numbers. At 16 he broke into DEC's network and copied its software; for that he was eventually convicted and sentenced to 12 months in prison followed by three years of supervised release. Near the end of his supervised release he hacked Pacific Bell's voicemail system, then went on the run for over two years. By the time the FBI finally caught him, he had broken into numerous networks, cloned cell phones, and stolen proprietary software from cellular companies (Anthony, 2011).

Kevin Poulsen is currently a senior editor at Wired, but he began his career as a phone phreak. His most notorious exploit was taking over the phone lines of a Los Angeles radio station to guarantee that he was the 102nd caller and win a Porsche. The FBI pursued him for myriad crimes, and he turned fugitive. When NBC's Unsolved Mysteries aired a segment profiling Poulsen, you guessed it, the show's phone lines crashed. After his release from prison, he reinvented himself as a white hat and investigative journalist. Poulsen wrote a script that matched MySpace profiles against sex-offender registries, identifying over 700 registered sex offenders using the site, and he was the man who broke the Bradley Manning-WikiLeaks story (Anthony, 2011).

Gary McKinnon was accused of hacking into 97 United States military and NASA computers over a 13-month period between February 2001 and March 2002. US authorities claimed he deleted critical operating system files, which shut down the United States Army's Military District of Washington network of 2,000 computers for 24 hours. McKinnon also posted a notice on the military's website: “Your security is crap”. After the September 11 attacks in 2001, he deleted weapons logs at the Earle Naval Weapons Station, rendering its network of 300 computers inoperable and paralyzing munitions supply deliveries for the US Navy's Atlantic Fleet. McKinnon was also accused of copying data, account files, and passwords onto his own computer. US authorities claim the cost of tracking and correcting the problems he caused was over $700,000 (Wikipedia, 2013).

Identify the Problem

Ideological disconnect

There is an ideological disconnect between researchers and security professionals on one side and the businesses and governments they work for on the other. The researchers' view: publish known vulnerabilities so they can be fixed and defended against. Business's and government's view: don't publish, because if the exploit is unknown, we aren't vulnerable. You can see where this leads to problems. Appendix A lists a veritable cornucopia of instances of what happens when these competing ideologies clash. Some examples include:

Researcher Ahmed Al-Khabaz discovered vulnerabilities in Skytech's Omnivox portal that exposed 250,000 student records, and brought them to the attention of Dawson College. Skytech threatened to press charges and send him to jail if he did not sign an NDA (Attrition.org, 2013).

Consultants Varun Uppal and Gyan Chawdhary discovered attacks on high-speed trading systems during the course of business with a client. Due to financial pressure (i.e., the threatened loss of that client), their talk was cancelled and has not been published (Attrition.org, 2013).

Security specialist Patrick Webster found a direct object reference vulnerability in First State Superannuation's website: the site used the member's account number from the URL to select which statement to show, and never checked that the logged-in member actually owned that account. He received a letter indicating that FSS had reported him to the police and threatening further legal action. After negative publicity, First State Super withdrew the legal threat (Attrition.org, 2013).
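The flaw in the Webster case is the general class that OWASP calls an insecure direct object reference. The following Python is an added example, written for this page rather than taken from the paper or from any system it discusses; the accounts, usernames, and balances are constructed, and the per-server key is an assumed stand-in for one that a real deployment would load from a key store. It shows the vulnerable lookup next to two fixes: an ownership check on the object, and per-user opaque handles that replace the raw database key in the URL.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup and two fixes.

Added example with constructed data; it models no real system.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    account_id: int      # raw database key, which the vulnerable site put in the URL
    owner: str           # username of the member who owns the account
    balance_cents: int


# Constructed sample data: three members, one account each.
ACCOUNTS = {
    1001: Account(1001, "alice", 1_250_000),
    1002: Account(1002, "bob", 320_000),
    1003: Account(1003, "carol", 9_800_000),
}


def statement_insecure(session_user: str, account_id: int) -> Optional[Account]:
    """Vulnerable pattern. The handler authenticates the session but then
    trusts the account_id taken from the request and never asks whether
    session_user owns it. Any logged-in member can walk 1001, 1002, 1003, ...
    and read every other member's statement."""
    return ACCOUNTS.get(account_id)


def statement_checked(session_user: str, account_id: int) -> Optional[Account]:
    """Fix 1: authorise the object, not just the request. Same lookup, but the
    record is returned only when the session user owns it. 'Not found' and
    'not yours' both yield None so the response does not reveal which IDs exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        return None
    return acct


class ReferenceMap:
    """Fix 2 (defence in depth): never expose the raw key at all. Each member
    sees opaque, unguessable handles, and a handle only resolves for the member
    it was minted for, so copying someone else's handle achieves nothing."""

    def __init__(self, server_key: Optional[bytes] = None) -> None:
        # Assumption: a per-server secret. A real deployment would load it from
        # a key store rather than generating it at start-up.
        self._key = server_key or secrets.token_bytes(32)

    def handle_for(self, session_user: str, account_id: int) -> str:
        msg = f"{session_user}:{account_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def resolve(self, session_user: str, handle: str) -> Optional[Account]:
        # Only the caller's own accounts are candidates; compare_digest avoids
        # leaking the handle through timing differences.
        for acct in ACCOUNTS.values():
            if acct.owner != session_user:
                continue
            if hmac.compare_digest(self.handle_for(session_user, acct.account_id), handle):
                return acct
        return None


def demo() -> dict:
    """Runs the three lookups as Bob trying to read Alice's statement."""
    refs = ReferenceMap()
    alices_handle = refs.handle_for("alice", 1001)
    return {
        "insecure_leak": statement_insecure("bob", 1001) is not None,  # the IDOR
        "checked_blocked": statement_checked("bob", 1001) is None,
        "handle_blocked": refs.resolve("bob", alices_handle) is None,
        "owner_ok": refs.resolve("alice", alices_handle) == ACCOUNTS[1001],
    }


if __name__ == "__main__":
    print(demo())
```

The same ownership check applies whether the identifier arrives in a URL path, a query string, a form field, or an API body; the opaque-handle map is an extra layer, not a replacement for it. Counting failures of the ownership check per session is also a cheap detection signal, since a member enumerating other people's account numbers produces a burst of them.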

There are no whistleblower protections anywhere to protect researchers, consultants, or security specialists: not in the DMCA, not in any of the legal statutes related to cybercrime and security, and not in business law.

The “grey hat” concept is tricky. Most researchers aspire to be white hats, but before you get the pay and the position you have to break some rules and build a reputation. That means either black hat or grey hat activity. Unfortunately, government and business have a tendency to lump black and grey together, and they only tolerate white hats as “guns for hire” because they have to.

Businesses defining legislation via lobbying of uninformed legislators (he who has the most money wins)

Almost everyone agrees that the DMCA is a bad piece of legislation. Its only real purpose is to prop up a failing business model adhered to by producers of “art”. I am not attacking the artist here, but rather entities like the RIAA, the MPAA, and the big publishing houses. These entities banded together, spent a lot of money, and got the legislation they wanted through lobbyists and campaign contributions to members of Congress.

Researchers “crossing the line” into illegal activity (as currently defined)

There have been cases where researchers have crossed the line into illegal activity, even becoming blackmailers and extortionists. However, most of that information is anecdotal, found on forums and blogs.

One notable example is the case of Bret McDanel. While employed at Tornado Development, McDanel discovered a flaw in the web-mail product the company provided to customers. McDanel notified Tornado, and when it took too long to fix the problem, he quit. Six months later, employed at another company, he discovered that the flaw had still not been fixed. Using the name “Secret Squirrel”, he e-mailed about 5,600 of Tornado's customers over the course of three days, telling them about the vulnerability and directing them to his own website for details. Tornado panicked and deleted customers' e-mails without consent so they could not read McDanel's message.

McDanel was arrested, tried, convicted, and sentenced to sixteen months in prison because of the e-mail and the website he crafted. There was no evidence that McDanel or anyone else ever exploited the vulnerability. He was prosecuted for “knowingly causing the transmission of information and, as a result of such conduct, intentionally causing any impairment to the integrity or availability of data, a program, a system, or information without authorization”, a provision normally reserved for people who release viruses and worms, not for people who tell potential victims about an unpatched flaw. So, even though no “computer crime” in the ordinary sense was committed, he was convicted of impairing the integrity of a system (Rasch, 2003). The conviction was later vacated by the Ninth Circuit after the government itself conceded that the statute did not reach his conduct, but by then McDanel had already served his sentence.

This is an excellent example of the disconnect between researchers and government. While McDanel could have acted less like an angry teenager and more like a polished professional, he really did not have much of a choice. He could have gone back to Tornado's management and expressed concern, but that had not worked the first time. Had he threatened to expose the vulnerability if Tornado did not fix it, he could have been charged with extortion. Had he broken in and fixed the flaw himself, he would definitely have been outside the law. So he did what he thought was best, and because federal prosecutors decided to stretch the limits of the law, he went to jail. Not fair.

Solve the Problem

Current recommended practices

One of the practices recommended by the EFF's Coders' Rights Project is delayed publication, also known as “responsible disclosure”. This involves self-policing on the part of researchers and a good-faith effort to notify the vendor or operator of the vulnerable system before publishing any work. It also requires that researchers not publish until adequate time has been given for the affected party to build a patch or close the hole.

Another recommended practice is limited publication. Here researchers publish the concept, or a proof of concept, rather than a fully functional exploit, which keeps bad actors from simply reusing the code against systems that have not been or cannot be patched. Limited publication also means publishing only to a limited audience: peers, business, and government entities. By keeping to a smaller “pond”, researchers limit the number of fish that get to feed.

Both practices are a win for everyone involved, and show a level of professionalism and mutual respect between security partners.

Fix bad/broken legislation

Current legislation has not kept pace with the state of the industry. Almost every facet of current legislation has weaknesses: the DMCA, copyright and patent law, criminal and international law, even business and civil law. While pointing out weaknesses is easy (and would take all day), coming up with a solution is not so simple. One good first step would be to limit or redefine lobby access and the legislative process to include advocates from within the industry, from researchers, from business concerns, and from our legislative representatives. I am not sure how to make that work either, but change needs to start somewhere.

Proposed Future Practices

Going forward, in addition to the steps outlined above, a new mindset should be developed. One recommendation is to redefine the business model, or philosophy, to embrace early and ubiquitous reporting of vulnerabilities and exploits. This has huge implications for national security as well as for business. Without a fundamental change of mindset, however, it will never happen. That change can be facilitated by adopting an “open source” mindset among all stakeholders: business, government, and researchers.

References

Anonymous. (2001, Apr 20). RIAA Challenges SDMI Attack. Retrieved Apr 3, 2013, from Extra - The Register UK: http://www.theregister.co.uk/extra/sdmi-attack.htm

Anthony, S. (2011, Sep 1). Black hat down: What happened to the world’s most famous hackers? Retrieved Mar 3, 2013, from Extremetech.com: http://www.extremetech.com/extreme/94647-black-hat-down-what-happened-to-the-most-famous-hackers/2

Attrition.org. (2013, Jan). Legal Threats Against Security Researchers. Retrieved Mar 15, 2013, from attrition.org: http://attrition.org/errata/legal_threats/

Buchanan, E., Aycock, J., Dexter, S., Dittrich, D., & Hvizdak, E. (2011, Jun). Computer Science Security Research and Human Subjects: Emerging Considerations for. Journal of Empirical Research on Human Research Ethics: An International Journal, 6(2), 71-83.

Burstein, A. J. (2008, Apr 14). Conducting Cybersecurity Research Legally and Ethically. Retrieved Mar 13, 2013, from usenix.org: http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein.pdf

Electronic Frontier Foundation. (2013). A "Grey Hat" Guide. Retrieved Mar 5, 2013, from Pages - EFF.org: https://www.eff.org/pages/grey-hat-guide

Electronic Frontier Foundation. (2013). Coders' Rights Project Vulnerability Reporting FAQ. Retrieved Feb 23, 2013, from Issues - Coders - EFF.org: https://www.eff.org/issues/coders/vulnerability-reporting-faq

Felten, E. (2013, Mar 29). The Chilling Effects of the DMCA. Retrieved Apr 3, 2013, from Articles - Technology - slate.com: http://www.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_copyright_law_hurts_security_research.html

Fisher, D. (2003, Sep 29). Security Expert Geer Sounds Off on Dismissal. Retrieved Apr 16, 2013, from Security - eweek.com: http://www.eweek.com/c/a/Security/Security-Expert-Geer-Sounds-Off-on-Dismissal/

Goodin, D. (2007, Apr 17). ISP ejects whistle-blowing student. Retrieved Mar 22, 2013, from Security - The Register UK: http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/

Hafele, D. M. (2004, Feb 23). Three Different Shades of Ethical Hacking: Black, White and Gray. Retrieved Mar 22, 2013, from SANS Institute InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/hackers/shades-ethical-hacking-black-white-gray_1390

Hurley, E. (2004, Feb). Cyberspace security liability lawsuits on the rise? Retrieved Mar 10, 2013, from Information Security Laws, Investigations and Ethics - Information Security Magazine: http://searchsecurity.techtarget.com/Cyberspace-security-liability-lawsuits-on-the-rise

Kravets, D. (2013, Apr 24). Man Convicted of Hacking Despite Not Hacking. Retrieved Apr 25, 2013, from Threat Level - Wired Magazine: http://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/

Lemos, R. (2002, Sep 23). New laws make hacking a black-and-white choice. Retrieved Mar 25, 2013, from CNET News: http://news.cnet.com/2009-1001_3-958129.html

Lemos, R. (2002, Aug 2). Security pros create resource on flaws. Retrieved Mar 22, 2013, from CNET News News - Business Tech: http://news.cnet.com/2100-1001-948127.html

Lemos, R. (2003, Nov 13). GameSpy warns security researcher. Retrieved Mar 13, 2013, from CNET News - Enterprise Security: http://news.cnet.com/2100-7355_3-5107305.html

Lemos, R. (2011, Oct 17). Security suffers when firms sue researchers who report flaws. Retrieved Mar 5, 2013, from Tech Watch - InfoWorld: http://www.infoworld.com/t/web-security/security-suffers-when-firms-sue-researchers-who-report-flaws-176281

Lohmann, F. V. (2010, Feb). Unintended Consequences: Twelve Years under the DMCA. Retrieved Mar 6, 2013, from EFF.org: https://www.eff.org/sites/default/files/eff-unintended-consequences-12-years_0.pdf

Richet, J.-L. (2012, Oct 30). Why Security Research Should Be Protected Speech. Retrieved Mar 5, 2013, from Censorship - Information Systems Research: http://www.information-systems-research.com/blog/2012/10/30/why-security-research-should-be-protected-speech/

Masnick, M. (2005, Jul 28). Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities. Retrieved Apr 4, 2013, from Legal Issues - TechDirt: http://www.techdirt.com/articles/20050728/0259209.shtml

McCullagh, D. (2001, Jul 23). Russian Hacker Arrested. Retrieved Mar 15, 2013, from Cryptome.org: http://cryptome.org/dmitry-bruce.htm

McCullagh, D. (2002, Jul 30). Security warning draws DMCA threat. Retrieved Mar 15, 2013, from CNET News - Digital Media: http://news.cnet.com/2100-1023-947325.html

Menn, J. (2012, Oct 29). Legal fears muffle warnings on cybersecurity threats. Retrieved Mar 13, 2013, from Featured Articles - Computer Security: http://articles.chicagotribune.com/2012-10-29/business/sns-rt-us-cyberwar-infrastructurebre89s1ah-20121029_1_cyber-attacks-cybersecurity-stuxnet

Mills, E. (2008, Jul 9). Dutch chipmaker sues to silence security researchers. Retrieved Apr 5, 2013, from News Blogs - CNET: http://news.cnet.com/8301-10784_3-9985886-7.html

Mills, E. (2011, Aug 01). Journalist faces charges over transit card flaw reports. Retrieved Mar 7, 2013, from News - CNET: http://news.cnet.com/8301-27080_3-20086613-245/journalist-faces-charges-over-transit-card-flaw-reports/?part=rss&subj=news&tag=2547-1_3-0-20&dlvrit=142337

Moody, G. (2013, Jan 24). Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It. Retrieved Mar 19, 2013, from Abusing the system - TechDirt: http://www.techdirt.com/articles/20130118/10002721726/banking-equipment-vendor-tries-to-censor-security-research-with-dmca-notice-then-backs-down-when-called-out-it.shtml

Ou, G. (2006, Aug 20). Vicious orchestrated assault on MacBook wireless researchers. Retrieved Mar 22, 2013, from Real World IT - zdnet.com: http://www.zdnet.com/blog/ou/vicious-orchestrated-assault-on-macbook-wireless-researchers/300

Ou, G. (2007, Mar 20). How Apple orchestrated web attack on researchers. Retrieved Mar 27, 2013, from Repost from Real World IT - ZDNet: http://www.zdnet.com/blog/ou/how-apple-orchestrated-web-attack-on-researchers/451

Pauli, D. (2011, Oct 14). Security researcher threatened with vulnerability repair bill. Retrieved Mar 5, 2013, from Risk - SC Magazine: http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx

Schneier, B. (2001, Nov 15). Full Disclosure. Retrieved Apr 4, 2013, from Crypto-Gram Newsletter - Schneier.com: http://www.schneier.com/crypto-gram-0111.html

Schneier, B. (2002, Jun). Fixing Network Security by Hacking the Business Climate. Retrieved Mar 15, 2013, from UCSC.edu: http://classes.soe.ucsc.edu/cmps122/Spring04/Documents/schneier.pdf

Schneier, B. (2011, May 24). New Siemens SCADA Vulnerabilities Kept Secret. Retrieved Mar 5, 2013, from Schneier on Security - Schneier.com: http://www.schneier.com/blog/archives/2011/05/new_siemens_sca.html

Search Security. (2008, Aug 14). MIT case shows folly of suing security researchers. Retrieved Feb 28, 2013, from Security Laws, Investigations and Ethics - Searchsecurity.com.

Silverman, J. (n.d.). 10 Famous Hackers and Hacks. Retrieved Mar 13, 2013, from Communications - Discovery Channel: http://dsc.discovery.com/tv-shows/curiosity/topics/10-famous-hackers-hacks.htm

Stop The Hacker. (2012, Jul 3). The Five Most Famous Good Guy Hackers. Retrieved Mar 22, 2013, from stopthehacker.com: http://www.stopthehacker.com/2012/07/03/five-most-famous-good-guy-hackers/

Stubblefield, A. B., & Wallach, D. S. (2001, Jul). Dagster: Censorship-Resistant Publishing Without Replication. Retrieved Mar 13, 2013, from cs.rice.edu: http://www.cs.rice.edu/~dwallach/pub/dagster-tr.pdf

University of Exeter. (2012, Nov 12). Attitudes towards security threats uncovered. Retrieved Apr 5, 2013, from News - Phys.org: http://phys.org/news/2012-11-attitudes-threats-uncovered.html

Vijayan, J. (2011, Jan 21). Sony sends 'dangerous' message with PS3 lawsuit, says EFF. Retrieved Mar 5, 2013, from Legal News - Computerworld: http://www.computerworld.com/s/article/9205885/Sony_sends_dangerous_message_with_PS3_lawsuit_says_EFF

Wikipedia. (2013, Apr 20). Edward Felten. Retrieved Apr 25, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Edward_Felten

Wikipedia. (2013). Gary McKinnon. Retrieved Apr 3, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/Gary_McKinnon

Wikipedia. (2013, Apr 29). United States v. Elcomsoft. Retrieved Apr 30, 2013, from wikipedia.org: http://en.wikipedia.org/wiki/United_States_v._ElcomSoft_and_Sklyarov

Appendix A

Legal Threats Against Security Researchers: How vendors try to save face by stifling legitimate research

(Note – this table was taken in its entirety from http://attrition.org/errata/legal_threats/ and is intended for use as an overview of trending topics.)

Columns: When | Company making threat | Researchers | Research Topic | Resolution/Status | Link

When: 1/20/2013
Company making threat: Dawson College / Skytech
Researchers: Ahmed Al-Khabaz
Research topic: Vulnerabilities in Skytech's Omnivox portals, used by schools
Resolution/Status: Found vulnerability that exposed 250k student records, brought it to attention of college. Did not try to conceal his identity, did not misuse the information, did not try to profit. Skytech threatened to press charges and send him to jail if he did not sign an NDA.
Link: http://www.nationalpost.com/m/wp/news/canada/blog.html?b=news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data

When: 10/25/2012
Company making threat: (unknown international utility)
Researchers: (unknown)
Research topic: Nuclear power plant vulnerabilities (SCADA)
Resolution/Status: Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer.
Link: http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061

When: 10/25/2012
Company making threat: (unknown international utility)
Researchers: Ralph Langner
Research topic: Nuclear power plant vulnerabilities (SCADA)
Resolution/Status: Talk was cancelled last minute at the 12th ICS Cyber Security Conference. An unnamed vendor objected to the talk on the grounds that "the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks cancelled at the conference, according to the conference organizer.
Link: http://gadgets.ndtv.com/internet/news/legal-fears-muffle-warnings-on-cyber-security-threats-286061

When: 5/28/2012
Company making threat: E-Soft (UK)
Researchers: Eric Romang
Research topic: Video of Metasploit Digital Music Pad SEH overflow exploitation module
Resolution/Status: E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to the same site once by another individual. The video remains available, and there have been no reported attempts to silence news of the exploit in other manners.
Link: http://attrition.org/errata/legal_threats/e-soft/

When: 1/31/2012
Company making threat: Smart Grid/Meter Vendor (unspecified)
Researchers: Don Weber / InGuardians
Research topic: Smart Grid Meter Security Assessment Tool Release
Resolution/Status: Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardians did not reach out to the vendor until weeks after the ShmooCon CFP. Further, Weber says there were no vulnerabilities being disclosed, suggesting that InGuardians may have cancelled the talk when the unspecified vendor agreed to become a client.
Link: https://twitter.com/cutaway/status/165923445698347008

When: 11/22/2011
Company making threat: Carrier IQ
Researchers: Trevor Eckhart
Research topic: Carrier IQ software logs excessive information
Resolution/Status: Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public.
Link: (none)

When: 10/13/2011
Company making threat: First State Superannuation
Researchers: Patrick Webster
Research topic: Direct Object Reference vulnerability in FSS website
Resolution/Status: Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat.
Link: (none)

When: 8/1/2011
Company making threat: Trans Link Systems
Researchers: Brenno de Winter
Research topic: OV Transit Payment System Vulnerabilities
Resolution/Status: Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research.
Link: (none)

When: 4/27/2011
Company making threat: Magix AG
Researchers: Acidgen
Research topic: Buffer overflow in Music Maker 16 software (version 16.0.2.4)
Resolution/Status: Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource site for security researchers, but tries to force researchers not to disclose w/o a patch or fix available, in their terms and conditions.
Link: (none)

When: 3/21/2011
Company making threat: German telecommunications firm (unspecified)
Researchers: Thomas Roth
Research topic: Amazon EC2-based password cracking software
Resolution/Status: Roth's apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction has since been revoked; Roth published the research.
Link: http://www.darkreading.com/end-user/researcher-overcomes-legal-setback-over/229301362

When: 7/26/2010
Company making threat: Financial Industry Client (unspecified)
Researchers: Varun Uppal and Gyan Chawdhary
Research topic: High-Speed Trading System Hacks
Resolution/Status: Due to financial pressure (i.e. loss of a client), the talk was pulled and not presented anywhere else.
Link: (none)

When: 7/15/2010
Company making threat: Taiwanese Government
Researchers: Wayne Huang, Armorize Technologies Inc.
Research topic: The Chinese Cyber Army: An Archaeological Study from 2001 to 2010
Resolution/Status: Two weeks before the conference, the talk was cancelled due to "pressure from the Taiwanese government."
Link: http://www.eweek.com/c/a/Security/China-Cyber-Army-Talk-Pulled-From-Black-Hat-668887/

When: 7/18/2009
Company making threat: RSA
Researchers: Scott Jarkoff
Research topic: Navy Federal Credit Union Web Site Flaws
Resolution/Status: SliceHost / TechMiso challenges RSA, RSA backs down
Link: http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/

When: 7/17/2009
Company making threat: Comerica Bank
Researchers: Lance James
Research topic: XSS / Phishing vulnerabilities on Comerica site
Resolution/Status: C&D sent to Tumblr, information removed but vulnerability still present (2009-07-17)
Link: http://dl.dropboxusercontent.com/u/634884/Letter%20to%20Tumblr%20from%20P.%20Bertrand%207-17-09.PDF

When: 6/6/2009
Company making threat: Orange.fr
Researchers: HackersBlog
Research topic: Multiple Vulnerabilities [1] [2]
Resolution/Status: Apparent legal threats, details not published.
Link: 404 not found

When: 8/13/2008
Company making threat: Sequoia Voting Systems
Researchers: Ed Felten
Research topic: Voting Machine Audit
Resolution/Status: Research still not published (2008-10-02)
Link: https://freedom-to-tinker.com/blog/appel/judge-suppresses-report-voting-machine-security/

When: 8/9/2008
Company making threat: Massachusetts Bay Transit Authority
Researchers: Zach Anderson, RJ Ryan and Alessandro Chiesa
Research topic: Electronic Fare Payment (Charlie Card/Charlie Ticket)
Resolution/Status: Gag order lifted, researchers hired as consultants by MBTA
Link: https://www.eff.org/press/archives/2008/12/22

When: 7/9/2008
Company making threat: NXP (formerly Philips Semiconductors)
Researchers: Radboud University Nijmegen
Research topic: Mifare Classic Card Chip Security
Resolution/Status: Research published
Link: http://news.cnet.com/8301-10784_3-9985886-7.html

When: 12/6/2007
Company making threat: Autonomy Corp., PLC
Researchers: Secunia
Research topic: KeyView Vulnerability Research
Resolution/Status: Research published
Link: http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0152.html

When: 7/29/2007
Company making threat: U.S. Customs
Researchers: Halvar Flake
Research topic: Security Training Material
Resolution/Status: Researcher denied entry into U.S., training cancelled last minute
Link: http://addxorrol.blogspot.com/2007/07/ive-been-denied-entry-to-us-essentially.html

When: 4/17/2007
Company making threat: BeThere (Be Unlimited)
Researchers: Sid Karunaratne
Research topic: Publishing ISP Router Backdoor Information
Resolution/Status: Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06)
Link: http://www.theregister.co.uk/2007/04/17/hackers_service_terminated/

When: 2/27/2007
Company making threat: HID Global
Researchers: Chris Paget / IOActive
Research topic: RFID Security Problems
Resolution/Status: Talk pulled, research not published
Link: http://www.infoworld.com/d/security-central/lawsuits-patent-claims-silence-black-hat-talk-720

When: 2007-??-??
Company making threat: TippingPoint Technologies, Inc.
Researchers: David Maynor / ErrataSec
Research topic: Reversing TippingPoint rule set to discover vulnerabilities
Resolution/Status: Bulk of research later published at BlackHat Briefings 07.
Link: https://www.blackhat.com/presentations/bh-usa-07/Maynor_and_Graham/Whitepaper/bh-usa-07-maynor_and_graham-WP.pdf

When: 7/29/2005
Company making threat: Cisco Systems, Inc.
Researchers: Mike Lynn / ISS
Research topic: Cisco router vulnerabilities
Resolution/Status: Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on
Link: http://www.securityfocus.com/news/11260

When: 3/25/2005
Company making threat: Sybase, Inc.
Researchers: Next-Generation Security Software
Research topic: Sybase Database vulnerabilities
Resolution/Status: Threat dropped, research published
Link: http://www.securityfocus.com/news/10827

When: 9/30/2003
Company making threat: Blackboard
Researchers: Billy Hoffman and Virgil Griffith
Research topic: Blackboard Transaction System
Resolution/Status: Blackboard issued C&D to Interz0ne conference, filed complaint against students. Confidential agreement reached between Hoffman, Griffith and Blackboard.
Link: http://www.chillingeffects.org/weather.cgi?WeatherID=383

When: 7/30/2002
Company making threat: Hewlett-Packard Development Company, L.P. (HP)
Researchers: SNOsoft
Research topic: Tru64 Unix OS vulnerability - DMCA based threat
Resolution/Status: Vendor/researcher agree on future timeline, additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after
Link: http://news.cnet.com/2100-1023-947325.html

When: 7/16/2001
Company making threat: Adobe Systems Incorporated
Researchers: Dmitry Sklyarov & ElcomSoft
Research topic: Adobe eBook AEBPR Bypass
Resolution/Status: ElcomSoft found Not Guilty
Link: http://news.cnet.com/2100-1023-978176.html

When: 2001-??-??
Company making threat: Tegam International
Researchers: Guillaume Tena (Guillermito)
Research topic: Vulnerabilities in Viguard Antivirus
Resolution/Status: Suspended fine of 5,000 Euros
Link: http://news.cnet.com/France%20puts%20a%20damper%20on%20flaw-hunting/2100-7350_3-5606306.html?tag=techdirt

When: 4/23/2001
Company making threat: SDMI, RIAA and Verance Corporation
Researchers: Ed Felten
Research topic: Four Watermark Protection Schemes Bypass - DMCA based threat
Resolution/Status: Research published at USENIX 2001
Link: http://en.wikipedia.org/wiki/Edward_Felten#SDMI_Lawsuits

When: 8/17/2000
Company making threat: MPAA & DVD CCA
Researchers: 2600: The Hacker Quarterly
Research topic: DVD Encryption Breaking Software (DeCSS)
Resolution/Status: DeCSS ruled 'not a trade secret'
Link: http://www.linuxinsider.com/story/32672.html

The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will come forward with additional information or clarification.

Columns: When | Company making threat | Researchers | Research Topic | Resolution/Status | Link

When: 8/1/2008
Company making threat: Apple
Researchers: Charles Edge / 318 Inc.
Research topic: FileVault encryption system weaknesses
Resolution/Status: NDA between Edge/Apple existed already, Apple called Edge on it. Researcher "rescinded talk" but BH CFP team shows no record of talk being submitted in first place. Attrition Theory: Incident used as press fodder for 318/Edge attention.
Link: http://news.cnet.com/8301-1009_3-10004627-83.html

When: 12/7/2006
Company making threat: Oracle Corporation
Researchers: Argeniss
Research topic: Week of Oracle Bugs (WoOB)
Resolution/Status: WoOB cancelled, rumors of financial/legal threats
Link: 404 not found

The following incidents are related to the ones above, but "cross the line". They include incidents where it was not "security research", but rather activity that was considered a crime by current laws (at the time). Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of a lawsuit over such activity is frivolous to most, the companies are being prudent because the researcher in question likely did break laws in the process.

Columns: When | Company making threat | Researchers | Research Topic | Resolution/Status | Link

When: 8/23/2010
Company making threat: n/a
Researchers: Hari Prasad, Netindia
Research topic: Voting Machine vulnerability research
Resolution/Status: Prasad arrested, machine given to him was apparently stolen
Link: http://www.wired.com/threatlevel/2010/08/researcher-arrested-in-india

When: 9/12/2008
Company making threat: Carleton University
Researchers: Mansour Moufid
Research topic: Used keylogger to expose student information
Resolution/Status: Moufid charged with computer crime
Link: http://www.canada.com/ottawacitizen/news/city/story.html?id=25110a8f-a73a-43a0-a2a5-1daa08d147d1

When: 4/28/2006
Company making threat: University of Southern California
Researchers: Eric McCarty
Research topic: Database programming error allows disclosure of student SSN and more
Resolution/Status: McCarty charged with computer crime
Link: http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70857

When: 8/18/2003
Company making threat: Tornado Development, Inc.
Researchers: Bret McDanel
Research topic: Secure Webmail Session Hijacking discovery
Resolution/Status: Arrested, tried, convicted and sentenced to 16 months of prison time
Link: http://www.securityfocus.com/columnists/179

When: 3/18/2002
Company making threat: Harris County District Court
Researchers: Stefan Puffer
Research topic: Insecure wireless network discovery
Resolution/Status: Faced 5 years and a $250,000 fine. The jury deliberated for 15 minutes before acquitting Puffer.
Link: (none)

Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats dominates the venue and/or news, but the threats never happened. This table will list such events, to help clarify what happened. As time allows, any case of a security talk being cancelled will be added.

Columns: When | Company making request or threat | Researchers | Research Topic | Resolution/Status

When: 10/19/2012
Company making request or threat: Hewlett-Packard
Researchers: Kurt Grutzmacher
Research topic: Huawei / H3C router vulnerabilities
Resolution/Status: Grutzmacher coordinated disclosure via US-CERT in August. Days before Toorcon 2012, HP sent a polite request for him to cancel, saying patches were not ready. Grutzmacher cancelled his talk. Two days later, HP released the patch, casting doubt over their intention behind the request.

When: 10/10/2012
Company making request or threat: (none)
Researchers: Pirate Bay founders Peter Sunde and Fredrik Neij
Research topic: Talk titled "Data is Political"
Resolution/Status: Neij's lawyer advised his client not to travel to a highly visible public conference centered on hacking. Sunde was reportedly too ill to travel.

When: 7/29/2012
Company making request or threat: (unknown)
Researchers: Sergey Gordeychik / Denis Baranov, Positive Technologies
Research topic: SCADA vulnerabilities including Siemens
Resolution/Status: The talk "SCADA Strangelove: How I Learned To Start Worrying And Love The Nuclear Plants" was cancelled a week before the conference and replaced with a different SCADA talk by another person not affiliated with Positive Technologies. No confirmation as to why; speculation is the talk was pulled due to vendor pressure.

When: 1/31/2012
Company making request or threat: Smart Grid Meter Vendor (unnamed)
Researchers: Don Weber / InGuardians
Research topic: Smart Grid Vulnerabilities
Resolution/Status: Was asked to pull talk from ShmooCon 2012, complied. Presented later at BSidesLV 2012.

When: 8/16/2011
Company making request or threat: (none)
Researchers: Riley Hassel / Shane Macaulay
Research topic: Google Android Vulnerabilities
Resolution/Status: Hassel/Macaulay scheduled to give "Hacking Android for Profit" talk at BlackHat Briefings Las Vegas 2011. Neither presenter showed for their talk. Subsequent articles point out that Google said "The identified bugs are not present in Android", and that the presenters backed out in "fear criminals would use it attack Android phones". In another work, Hassel said "that some of their work may have replicated previously published research, and they wanted to make sure they properly acknowledged that work."

When: 5/18/2011
Company making request or threat: Siemens / Department of Homeland Security (DHS)
Researchers: Dillon Beresford / NSS Labs
Research topic: SCADA vulnerabilities
Resolution/Status: TakeDownCon 2011 talk titled "Chain Reactions - Hacking SCADA" was cancelled by Beresford after concerns from Siemens/DHS were expressed. Beresford said "DHS in no way tried to censor the presentation."

When: 7/15/2010
Company making request or threat: Taiwanese / Chinese agencies (unnamed)
Researchers: Wayne Huang, Armorize CTO
Research topic: Analysis of China's government-backed hacking initiatives
Resolution/Status: Talk pulled from BlackHat Briefings 2010 in Las Vegas, announced by Caleb Sima, Armorize CEO, on Twitter. An earlier version of the talk was given to a small conference in Taiwan in 2007.

When: 6/29/2010
Company making request or threat: ATM Vendors (unnamed)
Researchers: Raoul Chiesa
Research topic: ATM Vulnerabilities
Resolution/Status: Initial reports said that Chiesa was threatened by ATM vendors and forced to cancel last minute. According to Chiesa, no threats were made. The talk was cancelled for "logistical issues that day". Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date.

When: 6/30/2009
Company making request or threat: ATM Vendors (unnamed, presumed Triton)
Researchers: Barnaby Jack / Juniper Networks
Research topic: ATM Vulnerabilities
Resolution/Status: BlackHat Briefings Las Vegas 2009 talk cancelled by Juniper after ATM vendor expressed concerns about disclosure before customers were fully protected. Information published at BlackHat 2010.

When: 7/2/2008
Company making request or threat: Apple
Researchers: Unnamed 'Apple Insiders'
Research topic: Apple Security Response Team
Resolution/Status: According to Trey Ford, BlackHat general manager, a panel of Apple insiders were to have a panel to discuss "the company's security-response team". When Apple's marketing department heard, the panel was abruptly cancelled.