Legal threat against security researcher claims he violated lock's copyright



How dare you find flaws in my product, I will smite you!


The Ars Technica article has attracted some commentary from Mike Davis
himself, who speculates that the real issue is that the locks were not
designed to be upgraded in the field, and that his discovery might put
the manufacturer in the difficult position of having to replace the
locks, rather than upgrading them.

Boo f’n hoo. It’s not the government’s job to protect corporations from customers angry about badly manufactured items. Not to mention the fact that the DMCA goes so very far afield as to the constitutional purpose of copyright (hint: it’s not for corporations to make money in perpetuity), how does copyright apply to a DEVICE? That’s a stretcher right there.


Personally, I’m absolutely fine with the DMCA being used in this instance, as long as it’s being used for the right reasons.

In my opinion, the lock manufacturer has every right to protect their intellectual property–in this case a poorly designed lock, apparently–against reverse engineering by someone looking to reproduce it and sell it. I do not agree that it should apply in this instance–especially if the property is not being used or reproduced for manufacture–because it’s a review (which can be produced for profit.)

Otherwise, how can you justify movie reviews which seek to make money by reviewing poorly designed digital content like Fast and Furious 7–which is protected by the DMCA?

It only stops companies from selling BR-ripping software to Americans. I believe DVD ripping tools are legal to sell, as per this update to DVDFab:

PS 'muricans, You’re welcome that the rest of the world ignores your silly laws:


As a useful object, ISTM that the proper protection available for a lock would be based on PATENT rather than COPYRIGHT law…


I was under the strong impression that lockpicking groups like Toool and others had trusted members regularly given new locks by the industry to intentionally find flaws. Forensic lockpicking is a legitimate profession, after all, they don’t just make high security locks with new designs without paying someone to try to exploit them and make sure they work.

I am only a layman interested in locksport and forensic lockpicking, and much of what I know comes from following the awesome site Blackbag, now run by Toool, the world’s biggest locksport group. I gathered over the last few years of reading around flaw disclosure that many companies pay good pickers with solid skills, and picking contest victories, to try to pick newer locks they get through special contracts, and the disclosure of any flaws is something that is a grey area- but companies prefer private disclosure to them only, so they have time to fix things without hurting their reputation.

It seems what this guy did wrong (in addition to living in a fucked up world that created the DMCA that is being abused for everything nowadays), is according to Ars, he publicly disclosed the flaw, rather than report it directly to the company, which would have been a more classy and safe approach.

As an aside- to those interested in this sort of thing, and the guts of true high security locks, both new and old- look up the Blackbag site, and the organization Toool. Yes, with 3 o’s. Your mind will be blown. The guy that started the Blackbag site moved on to an equally awesome industry publication site for new designs called Lock Technology News. If you like high security and complicated lock technology, look those up. It’s really an interesting world of mechanics.

There are many people that are into lockpicking as a sport- and not to rob anyone. Honestly. Please remember that. Not everyone into cracking locks is a crook. Educate yourself and you’ll be surprised at the new world of puzzle you will find.


Okay, I fundamentally agree with most of your points. But I think your arguments are constructed… Poorly.

No, manufacturers do not have every right to their claimed Intel prop. You walk back the quoted statement a bit, but it comes off as disingenuous.

[quote]I do not agree that it should apply in this instance–especially if the property is not being used or reproduced for manufacture–because it’s a review[/quote]

See, that is the problem with the DMCA, and the reason @doctorow is so vocal against it, because it can. So we the plebes need to get the law changed, but that will only happen if we get worked up about it.

[quote]Otherwise, how can you justify movie reviews[/quote]

Because the DMCA specifically states circumventing ‘effective’ security controls is illegal.

It is a crap law and makes no rational sense. Which I think we both agree on.


I don’t mean to imply that I think it is being appropriately applied. But if one is going to apply it inappropriately, at least apply it appropriately. :grin:


Hold yer ponies there. I have been part of bug bounties, security research, disclosure, reporting, and reverse engineering for decades. (Argument from authority incoming).

What he did wrong was not have a general counsel or retainer. Google, Mandiant, and a thousand others do this every day–i.e. disclose without notification.


[quote=“japhroaig, post:8, topic:56923”]
It is a crap law and makes no rational sense. Which I think we both agree on.
[/quote]

No question.

I do believe that there is a legitimate right to protect intellectual property, and on an international scale. I do not think that the DMCA or patents do that well.

What I am saying is–in this instance, the law is being inappropriately applied and that I would be okay with it being inappropriately applied–if it were being done for the right reasons. But it’s not.

fist bump

I think our disconnect is I agree with the language Cory uses, we need to get people motivated to change the law. And strong statements, as @doctorow uses, I think are effective at that mission.

The “right” to defend intellectual property should extend only so far as it supports the common good and not one inch further. That was the entire point of the concept and the laws around it, and the entitled culture of “IP” that exists nowadays is a perverted and disgusting creature indeed.


With respect, but if you had read any of the underlying content you would have seen that the researcher tried contacting the security disclosure line, tried contacting sales, tried contacting media relations to try and communicate the Proof of Concept attack and problem. He then sent them an ultimatum saying that if they did not respond within 30 days he was going to publicly disclose the vulnerability. On Day 29 they sent a DMCA Demand/Threat letter. In good faith the researcher held off for a few days for the lawyers/cyberlock to try and work with him to resolve the issue only to be met with “DMCA is god” blockades, so he took the issue to the court of public opinion with carefully redacted information showing how the DMCA was being abused to keep a significant vulnerability from being remedied/disclosed.


Reread- I misread the first part and missed that. Then it seems they are just being assholes- I should have known.
