At this week's B-Sides Manchester security conference, James Williams gave a talk called "Next-gen AV vs my shitty code," in which he systematically revealed the dramatic shortcomings of anti-virus products that people pay good money for and trust to keep them safe — making a strong case that these companies were selling defective goods.
Among the companies thus humiliated was Sentinelone, who responded by sending a censorship request to Youtube claiming that Williams had violated copyright law (presumably Section 1201 of the DMCA, which bans bypassing access controls for copyrighted works), its terms of service (which corporations and US federal prosecutors have said is a violation of the Computer Fraud and Abuse Act) and trademark laws (this is pure bullshit, as trademark has an absolute "nominative use" defense that allows you to use trademarks to identify the products and services they're associated with).
The video went dark (though an earlier version of Williams's talk was already online; here are his slides) (Youtube seems to have reconsidered their takedown and restored the video).
In their defense, Sentinelone says that they welcome critics, provided that the criticism is funneled through their "common disclosure practices in place" — that is, you can criticize Sentinelone, provided that they get to decide when and how your criticism is published.
If you're a Sentinelone customer, you should be really worried. Sentinelone argues that their products are "protecting…critical global enterprises" — but since Williams' presentation apparently demonstrated that the version of their product he analyzed is a flaming garbage heap (they don't really dispute this, they merely say that he should have been more polite when he outed them for their defective goods), they are not actually protecting those critical enterprises. They're failing to protect them. So if you rely on Sentinelone's products, or worse, if you're a customer of one of those "critical global enterprises," then, it seems, you are putting your trust in something that is unfit for purpose.
This is why it's so dangerous that good actors like Mozilla, Tesla and Dropbox have published security policies that promise not to sue researchers who follow their rules. Because these companies are making the case that researchers who don't follow the rules can be sued, they are exposing the entire research community to risks from bad actors like Sentinelone, who use the "good guys'" arguments to justify their own censorship.
Remember that these legal threats only work against people who don't plan on attacking users of the affected products. If you're a surveillance contractor or criminal who has found a bug in Mozilla, or Dropbox, or Tesla, or Sentinelone, you don't need to worry about getting sued for revealing your findings, because you don't plan on revealing your findings. You want to keep them secret for as long as possible, while you attack the unsuspecting customers of these corporations with impunity.
We strongly support the work of BSides and participated in the conference earlier this year by sending our own researchers. We're always open to feedback, but we expect that feedback to come through the use of a supported version of our product and this video showed our 1.8.4 version which reached its end of life earlier this year (our notification from March can be found here).
In addition, as we are protecting critical global enterprises, if a party believes there's a bug in our product, we expect them to follow the common disclosure practices in place that protect the entire community.
From a legal perspective, the video breached our terms of service, copyright laws, and trademark laws. It was removed lawfully after being reviewed by YouTube. With that said, we've invited the author to collaborate with us on a supported version and look forward to that opportunity.
SentinelOne makes YouTube delete Bsides vid 'cuz it didn't like the way bugs were reported [Shaun Nichols/The Register]
