The only thing worse than driving a car with defective brakes is unknowingly driving a car with defective brakes — and learning about them the hard way.
That's why Zack Whittaker's excellent roundup of civil lawsuits filed against infosec researchers and journalists is so fucking terrifying. Deep-pocketed, thin-skinned companies are able to abuse the law in bids to become the custodians of who can utter inconvenient truths about the defects in their products. Whittaker describes these suits and threats used against young, independent researchers, senior researchers at large corporations, and journalists who report on their findings.
He also reveals that in the past year his own employer, Zdnet, "did not publish three security stories after researchers abandoned their work, fearing legal threats."
The belligerents involved in these suits run the gamut as well: there's Keeper Security, suing Ars Technica and reporter Dan Goodin over news of a defect in their flagship password manager; River City Media is suing veteran security researcher Chris Vickery, reporter Steve Ragan and his publisher CSO over an investigation into evidence that River City had been running a "massive, illegal spam operation…using illegal IP hijacking techniques during some of their campaigns"; PwC threatened to sue a researcher who found a defect in a security product; Ashley Madison threatened to sue a reporter who obtained information suggesting the company had hacked its competition; drone maker DJI threatened to sue a researcher who submitted a critical bug to its bug-bounty program.
Whittaker quotes researchers who say they're now just dumping bugs anonymously, rather than risking civil liability for going through channels.
Securing computers is hard. Getting it right requires, at a minimum:
1. The right to investigate computers;
2. The right to tell the truth about what you find in those investigations; and
3. The right to reconfigure computers to try to fix defects that affect you or people you want to help.
This is the minimum, necessary precondition for security. But laws like the CFAA and DMCA 1201, as well as license agreements, civil threats, weak anti-SLAPP protections and patchwork cost-shifting mechanisms for people victimized by corporations seeking to silence them, mean that all of these are under threat.
Our world is made of computers; they are woven into devices in our bodies and devices we put our bodies into — they hold the power of financial security, integrity in our health and personal information, and even life-or-death. Unless we get this right, we are in enormous trouble.
Johnny Xmas may be best known for releasing the master key for luggage locks used by the Transportation Security Administration two years ago. In his early days, his hobby-hacking led him to uncover a flaw in the magnetic stripe found in his university's student ID cards. Each student's information was easily accessible — including their Social Security number — and all he needed was a student's card, "which everyone lost like once a month," he said.
"I thought I'd let everyone in the school know about the issue the same way I let them know about my band's shows: by wallpapering the hallways in flyers," he explained in an email.
"The school of course caught wind, verified the issue, and attempted to sever their contract with the ID company citing a breach in a clause where the company agreed to secure the personal identifiable information," he said.
That company, which he did not name, was "livid at the loss of a huge client" and sued him directly for slander — a claim he denies, "as my claims were verifiably true," he said.
Xmas was also expelled from his school.
He was later forced to settle out of court after the company, in his words, "dragged the case out until I ran out of funds to pay my counsel." He denied ever committing slander.
Lawsuits threaten infosec research — just when we need it most [Zack Whittaker/Zdnet]