Legal Threats Against Security Researchers
How vendors try to save face by stifling legitimate research
It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right thing, even if doing the right thing means providing a better product to their customers. Companies fear negative publicity, especially when that publicity challenges the security of their products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and that adding security is a band-aid solution rather than an integral part of the development life cycle. Rather than work with researchers who are frequently providing for free what would otherwise be high-dollar specialized consulting, some companies opt to take the muddy road and pursue legal action against the researchers. This action is one of desperation, an attempt to silence and stifle legitimate research and free speech. Invariably, it ends up being a huge negative PR move, much worse than what would have occurred had the research simply been published without the legal murk.
Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities and coordinate disclosure. This will
go a lot farther toward building customer confidence and help avoid negative publicity.
Researchers: help protect yourself from legal issues. Visit the EFF's Coders' Rights Project. Work with companies
and respect their timelines for implementing fixes.
| When | Company making threat | Researchers | Research Topic | Resolution/Status |
|---|---|---|---|---|
| 2009-07-18 | RSA | Scott Jarkoff | Lack of SSL on Navy Federal Credit Union Home Page | C&D sent to Mr. Jarkoff and his webhost. Information still available online. (2009-08-12) |
| 2009-07-17 | Comerica Bank | Lance James | XSS / Phishing vulnerabilities on Comerica site | C&D sent to Tumblr, information removed but vulnerability still present (2009-07-17) |
| 2008-08-13 | Sequoia Voting Systems | Ed Felten | Voting Machine Audit | Research still not published (2008-10-02) |
| 2008-08-09 | Massachusetts Bay Transit Authority | Zach Anderson, RJ Ryan and Alessandro Chiesa | Electronic Fare Payment (Charlie Card/Charlie Ticket) | Gag order lifted, researchers hired by MBTA |
| 2008-07-09 | NXP (formerly Philips Semiconductors) | Radboud University Nijmegen | Mifare Classic Card Chip Security | Research published |
| 2007-12-06 | Autonomy Corp., PLC | Secunia | KeyView Vulnerability Research | Research published |
| 2007-07-29 | U.S. Customs | Halvar Flake | Security Training Material | Researcher denied entry into U.S., training cancelled at the last minute |
| 2007-04-17 | BeThere (Be Un limited) | Sid Karunaratne | Publishing ISP Router Backdoor Information | Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) |
| 2007-02-27 | HID Global | Chris Paget / IOActive | RFID Security Problems | Talk pulled, research not published |
| 2007-??-?? | TippingPoint Technologies, Inc. | David Maynor / ErrataSec | Reversing TippingPoint rule set to discover vulnerabilities | Unknown: appears threats and FBI visit stifled publication |
| 2005-07-29 | Cisco Systems, Inc. | Mike Lynn / ISS | Cisco router vulnerabilities | Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on |
| 2005-03-25 | Sybase, Inc. | Next-Generation Security Software | Sybase Database vulnerabilities | Threat dropped, research published |
| 2003-09-30 | Blackboard Transaction System | Billy Hoffman and Virgil Griffith | Blackboard issued C&D to Interz0ne conference, filed complaint against students | Confidential agreement reached between Hoffman, Griffith and Blackboard |
| 2002-07-30 | Hewlett-Packard Development Company, L.P. (HP) | SNOsoft | Tru64 Unix OS vulnerability - DMCA based threat | Vendor/researcher agree on future timeline, additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after |
| 2001-07-16 | Adobe Systems Incorporated | Dmitry Sklyarov & ElcomSoft | Adobe eBook AEBPR Bypass | ElcomSoft found not guilty |
| 2001-04-23 | Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation | Ed Felten | Four Watermark Protection Schemes Bypass - DMCA based threat | Research published at USENIX 2001 |
| 2000-08-17 | Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) | 2600: The Hacker Quarterly | DVD Encryption Breaking Software (DeCSS) | DeCSS ruled 'not a trade secret' |
Notes about this page:
- Companies that broadly use the DMCA may not be included. This page focuses on companies that
specifically use legal threats to stifle security research.
- Many companies may use financial threats to stifle research, threatening to pull funding or support contracts, or to influence customers. There is an arguably fine line between legal threats (costly) and financial threats (also costly). These may be included if they can be properly documented.
- Companies that fire off Cease & Desist (C&D) letters but do not follow up will be included here if applicable.
The following incidents are not confirmed as legal or financial threats. They are being included here in the hopes that someone will
come forward with additional information or clarification.
Copyright 2008-2009 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the
text is not altered, and appropriate credit is given.