Online security is a disaster and the people who investigate it are being sued into silence


#1

Originally published at: https://boingboing.net/2018/02/21/we-are-doomed.html


#2

When there is money to be made, safety is not an issue. Read Henrik Ibsen’s “An Enemy Of The People” for more insight.


#3

I know things like this happen frequently. It will never be ok. Gah!


#4

Back before the personal computer, pop culture was rife with paranoid computer references as extensions of government and corporate power and abuse of same. Then, for about 10 minutes (In computer years) it seemed the PC was going to balance the scales.

Turns out, technical fixes for social problems, end up changing the problem without fixing it. Who knew?


#5

[…] Zdnet, “did not publish three security stories after researchers’ abandoned their work, fearing legal threats.”

This is horrifying on many levels. Any organization with an online presence (or digital product) should offer a bounty for the discovery of threats. We need much larger fines for neglecting to take security seriously. If there’s a data breach, and you’ve been legally threatening researchers instead of taking proper steps, you should be shut down for negligence.


#6

Part of the problem is that consumer and corporate protection (for the companies negatively impacted by security breaches) has been reduced or eliminated. Consumers have little to no recourse when known issues are exposed far too late. Corporations sue each other for breaches, but the offenders use their influence to keep fines and penalties low. Hopefully, legislative and enforcement improvements will be made after the elections this year.


#7

Have any of these suits gone all the way to a verdict, and perhaps an appeal?


#8

The more I read about trying to be good about reporting security holes the more I think fuck it just sell it to the black hats and enjoy the $$$


#9

I try to follow ‘this week in law’ but it quite a task in itself


#10

Jeeze, Cory! It’s as if you expect sanity to trump profits!! What the Hell is wrong with you!!! [pun intended]


#11

What the hell is wrong with the judicial system, where so many obviously in-the-wrong parties can just throw fuckloads of money at the problems instead of actually being forced to solve them? Judges need some leeway to step around the terms of reference in order to be able to tell arseholes to fuck off.

:twitch:  


#12

I can see some shades of grey to this. If I found a bug affecting Cisco routers, and disclosed it in a responsible, just-the-facts way, they absolutely shouldn’t (be able to) sue me for that. But if I disclosed it via an Ars post titled “Using Cisco products is like posting your passwords to Russian 4chan!!!”, that would merit a certain amount of light suing. I mean, when that guy flyposted his college, the security card company might be thinking “gee, we sure wouldn’t have had to let so many employees go if he’d just dropped us an email so we could fix the problem”.


#13

However a good portion of opsec researchers have been sued or threatened with legal actions even with them doing everything by the book. It just shows that companies are more interested in security by obscurity, the only way to force them to take real action is to leak or publicly publish the flaws.


#14

As @Grey_Devil said… companies do that… or just ignore it for months till someone else goes public with it just to make the tech world aware of it.
As I said earler the more I read about this shit the more I think fuck em the hackers will pay me $$$ now and not sue me.


#15

There are quite a few companies and government organizations around the world that have bounties for exploits and vulnerabilities so they can weaponize them. And companies threatening and suing researchers is precisely the wrong way to go about it because as you said it might very well be driving people to selling these findings to the wrong hands.


#16

Cory, I think after the actual judgements in a court of law come out you’ll change your mind regarding what rights hackers actually have when it comes to professional disclosure of breach and vulnerability information based on how they’ve acted. I can’t speak for all of the cases listed but knowing the details of one of them I can safely say that ‘disclosure for the public good’ was an afterthought to the parties responsible; and only after they were caught by network operators.


#17

I’m kind of surprised this article doesn’t give a shout out to the EFF. They’re heavily involved in interceding on behalf of researchers who get clobbered for discovering vulnerabilities. They’re near the top of my annual donation list.


#18

Let’s all move to Iceland! (or another country with friendly reverse engineering laws that isn’t third-world.)

I doubt the US is safe for such activities.


#19

This topic was automatically closed after 5 days. New replies are no longer allowed.