[Infowarrior] - IOActive researcher being DMCA'd for findings

[Richard Forno]

(x-posted)

Lawyers threaten researcher over key-cloning bug in high-security lock

"CyberLock" securing police and airports has critical vulnerabilities, report warns.

by Dan Goodin - May 5, 2015 6:05pm EDT

Critical vulnerabilities in a market-leading line of digital locks securing hospitals, airports, and water treatment facilities makes it possible for rogue employees or outside attackers to clone digital keys, researchers reported late last week.

Thursday's advisory from security firm IOActive is notable not only for the serious security issues it reported in the CyberLock line of access control systems, which are certified to meet a wide range of US governmental requirements and certifications. The report is also the topic of a legal threat from CyberLock attorneys who invoked draconian provisions of the Digital Millennium Copyright Act if IOActive disclosed the vulnerabilities. A redacted version of a letter CyberLock outside attorneys sent IOActive researcher Mike Davis has reignited a long-standing tension between whether it should be legally permissible for researchers to publicly disclose unfixed vulnerabilities in the products they test.

"Of course, as you know, the public reporting of security vulnerabilities can have significant consequences," Jeff Rabkin, a partner at the Jones Day law firm wrote in a letter dated April 29,  one day before IOActive published the advisory. "[Redacted company name] also takes the protection and enforcement of its intellectual property rights seriously and, prior to any public reporting, wants to ensure that there has been no violation of those rights, including [redacted company name]'s license agreements or other intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act. Presumably, IOActive is aligned with ensuring responsible disclosure and compliance with the laws."

The Digital Millennium Copyright Act of 1998 makes it a felony to circumvent technology intended to prevent access to copyrighted material. It also provides substantial civil penalties copyright holders may recover. Word of the letter touched off wails of protest on social media sites from security researches and privacy advocates. They characterized it as an abuse of the legal system that threatens the public's right to know about vulnerabilities in products they use to secure their property and secrets. Officials from CyberLock didn't respond to e-mails seeking comment for this post.

“Unclonable” no more

IOActive's five-page advisory warns that some of the bugs undermine fundamental assurances about the security of the product, which looks and acts like a traditional lock, but is locked and unlocked with a programmable digital key known as a CyberKey. That allows a CyberLock to impose tight-knit restrictions on each key holder that among other things controls the times of day someone can access a particular area or locked storage container and the duration of time the key is valid. It also allows each access or access attempt to be logged to create a detailed audit trail. CyberLock marketing materials also stress assurances that a CyberKey can't be duplicated or changed. According to the IOActive advisory …..

< - >

http://arstechnica.com/security/2015/05/05/lawyers-threaten-researcher-over-key-cloning-bug-in-high-security-lock/

--
It's better to burn out than fade away.