Legal Threats Against Security Researchers
How vendors try to save face by stifling legitimate research
It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right thing, even when the right thing means providing a better product to their customers. Companies fear negative publicity, especially publicity that challenges the security of their products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and that security is bolted on as a band-aid rather than built in as an integral part of the development life cycle. Rather than work with researchers who are frequently providing, for free, what would otherwise be high-dollar specialized consulting, some companies opt to take the muddy road and pursue legal action against the researchers. This is an act of desperation, an attempt to silence and stifle legitimate research and free speech. Invariably, it ends up being a huge negative PR move, much worse than what would have occurred had the research simply been published without the legal murk.
Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will
go a lot farther toward building customer confidence and help avoid negative publicity.
Researchers: help protect yourself from legal issues. Visit the EFF's Coders' Rights Project. Work with companies
and respect their timelines for implementing fixes.
| When | Company making threat | Researchers | Research Topic | Resolution/Status |
|---|---|---|---|---|
| 2011-11-22 | Carrier IQ | Trevor Eckhart | Carrier IQ software logs excessive information | Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public. |
| 2011-10-13 | First State Superannuation | Patrick Webster | Direct Object Reference vulnerability in FSS website | Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat. |
| 2011-08-01 | Trans Link Systems | Brenno de Winter | OV Transit Payment System Vulnerabilities | Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. It is still not clear who the complaint was filed against or if this was a tactic to stifle de Winter's research. |
| 2011-04-27 | Magix AG | Acidgen | Buffer overflow in Music Maker 16 software (version 16.0.2.4) | Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource site for security researchers, but its terms and conditions try to force researchers not to disclose without a patch or fix available. |
| 2011-03-21 | German telecommunications firm (unspecified) | Thomas Roth | Amazon EC2-based password cracking software | Roth's apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. The injunction has since been revoked and Roth published the research. |
| 2009-07-18 | RSA | Scott Jarkoff | Navy Federal Credit Union Web Site Flaws | SliceHost / TechMiso challenges RSA, RSA backs down |
| 2009-07-17 | Comerica Bank | Lance James | XSS / Phishing vulnerabilities on Comerica site | C&D sent to Tumblr, information removed but vulnerability still present (2009-07-17) |
| 2009-06-06 | Orange.fr | HackersBlog | Multiple Vulnerabilities [1] [2] | Apparent legal threats, details not published. |
| 2008-08-13 | Sequoia Voting Systems | Ed Felten | Voting Machine Audit | Research still not published (2008-10-02) |
| 2008-08-09 | Massachusetts Bay Transit Authority | Zach Anderson, RJ Ryan and Alessandro Chiesa | Electronic Fare Payment (Charlie Card/Charlie Ticket) | Gag order lifted, researchers hired as consultants by MBTA |
| 2008-07-09 | NXP (formerly Philips Semiconductors) | Radboud University Nijmegen | Mifare Classic Card Chip Security | Research published |
| 2007-12-06 | Autonomy Corp., PLC | Secunia | KeyView Vulnerability Research | Research published |
| 2007-07-29 | U.S. Customs | Halvar Flake | Security Training Material | Researcher denied entry into U.S., training cancelled at the last minute |
| 2007-04-17 | BeThere (Be Unlimited) | Sid Karunaratne | Publishing ISP Router Backdoor Information | Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) |
| 2007-02-27 | HID Global | Chris Paget/IOActive | RFID Security Problems | Talk pulled, research not published |
| 2007-??-?? | TippingPoint Technologies, Inc. | David Maynor / ErrataSec | Reversing TippingPoint rule set to discover vulnerabilities | Bulk of research later published at BlackHat Briefings 07. |
| 2005-07-29 | Cisco Systems, Inc. | Mike Lynn / ISS | Cisco router vulnerabilities | Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on |
| 2005-03-25 | Sybase, Inc. | Next-Generation Security Software | Sybase Database vulnerabilities | Threat dropped, research published |
| 2003-09-30 | Blackboard Transaction System | Billy Hoffman and Virgil Griffith | Blackboard issued C&D to Interz0ne conference, filed complaint against students | Confidential agreement reached between Hoffman, Griffith and Blackboard |
| 2002-07-30 | Hewlett-Packard Development Company, L.P. (HP) | SNOsoft | Tru64 Unix OS vulnerability - DMCA based threat | Vendor/researcher agree on future timeline, additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after |
| 2001-07-16 | Adobe Systems Incorporated | Dmitry Sklyarov & ElcomSoft | Adobe eBook AEBPR Bypass | ElcomSoft found not guilty |
| 2001-??-?? | Tegam International Viguard Antivirus | Guillaume Tena (Guillermito) | Vulnerabilities in Viguard Antivirus | Suspended fine of 5,000 Euros |
| 2001-04-23 | Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation | Ed Felten | Four Watermark Protection Schemes Bypass - DMCA based threat | Research published at USENIX 2001 |
| 2000-08-17 | Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) | 2600: The Hacker Quarterly | DVD Encryption Breaking Software (DeCSS) | DeCSS ruled 'not a trade secret' |
Notes about this page:
- Companies that broadly use the DMCA may not be included. This page focuses on companies that specifically use legal threats to stifle security research.
- Many companies may use financial threats to stifle research, threatening to pull funding or support contracts, or to influence customers. There is an arguably fine line between legal threats (costly) and financial threats (also costly). These may be included if they can be properly documented.
- Companies that fire off Cease & Desist (C&D) letters but do not follow up will be included here if applicable.
The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will
come forward with additional information or clarification.
The following incidents are related to the ones above, but "cross the line". They include incidents where the activity was not "security research", but rather something considered a crime under the laws current at the time. Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of a lawsuit over such activity is frivolous to most, the companies are being prudent because the researcher in question likely did break laws in the process.
Finally, the Electronic Frontier Foundation maintains a Takedown Hall of Shame that is related to this topic.
Copyright 2008-2011 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the
text is not altered, and appropriate credit is given.