A German software company has threatened legal action against a security researcher who privately reported a critical vulnerability in one of its programs, Dark Reading reports. Legal goons from Magix AG sent a nasty gram to a researcher who goes by “Acidgen” after he reported the stack buffer overflow in the company's Music …
rather than say 'thanks for highlighting how crap our software really is' - they try and fill the cavernous security holes with legal threats - how does that help?? Just get on and fix the crap that has been created and learn from them.
It is more "THANKS" than you think
The continuous release of exploits and zero-days is the biggest factor in forcing users (especially corporates) to do security updates. These nowadays happen over the Internet and allow the software vendor to do license enforcement as well as disable pirated copies. Windows black screen of piracy, Panda "buy me or else", etc - you name it.
Making moves against exploits is genuinely stupid from a business perspective. This damages the company bottom line. If it was not for the endless flow of exploits and updates against them, pirated copies would have continued to flourish the way they did in the 90s.
assuming is easy
Did you read the same article? It is not mentioned that the researcher was trying to force the company into using his services?
"Acidgen also provided suggestions for fixing the flaw, Dark Reading said. He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."
Nowhere is it mentioned that Acidgen was setting a date. "Once a patch was released" is not the same as saying that I will release the bug and exploit code at a set date.
If you read carefully
"He also told the representatives he planned to disclose vulnerability details publicly **once a patch was released.**"
To me, that says he was willing to wait for them to fix the problem before telling people. So he simply wanted the credit for finding the hole, and wasn't making any threat of any kind.
He told the company first before going to the press, offered help to fix the problem he found (yes he would have wanted paying for doing work, what a concept) and either way would keep the problem quiet until it was fixed.
And this is the response he gets.
Depends how it was worded...
perhaps something like "Hi, your software has bug bla bla bla, one needs to do bla bla bla to exploit it. After you've released a fix for this bug, please notify me as I intend to publish a report and exploit code. Should you need help with fixing the bug, my company bla bla might be of assistance"
And anyway, the UK has a similar law - Computer Misuse Act, section 37.
Let me fix that for you:
Interesting how totally making stuff up can make such a difference to new information
From the article: "Acidgen also provided suggestions for fixing the flaw." That would be FOR FREE. You know what, anyone who wants to can freely extort ABSOLUTELY NOTHING from me at any time. It really fits solidly into the "I don't mind" department.
In addition, he didn't make a demand that it be patched in a certain timeframe, he REQUESTED to know when they would release the patch so that he could withhold publishing his research until a fix could be deployed.
It sounds an awful lot like he did all the right things. His FIRST concern was protecting the users of this software, his own ego was a close second. Even after it, apparently, has been patched, he still only disclosed the vulnerability, not the PoC code, WHICH HE APPARENTLY WROTE AT THEIR REQUEST.
Re: To be fair ...
"Acidgen also provided suggestions for fixing the flaw, Dark Reading said. He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."
How is publicly disclosing a vulnerability *after* a patch fixing it has been released extortion?
a) What compensation?
«Acidgen also provided suggestions for fixing the flaw»
b) What deadline?
«He also told the representatives he planned to disclose vulnerability details publicly once a patch was released.»
He said, she said
One side says extortion, the other side says;
"He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."
Granted we'll never know what was really said without the original unadulterated emails but even slightly ambiguous language can be taken either way. Add in a dash of meaning lost in translation and you've got suit guns at 20 paces.
... more than typical ... a boomerang ...
Magix's attorney is totally right:
'As ... it is illegal to release software which is intended to commit computer sabotage' MAGIX is not allowed to sell/distribute their buggy software by the time they have been informed by Acidgen!!!
Any bets when this attorney gets fired?
File an injunction against Magix
So when is Acidgen going to file an injunction against Magix forcing them to recall all software sold since his private disclosure and stopping all further sale of the software until the vulnerability has been proved fixed? BTW I'm no lawyer, but then again that's probably already clear.
my company web site...
...Once got owned by a group of defacer types. It was pretty much a boilerplate hack. No damage to the actual site, just a new index page. The deface page linked to their IRC server, so I went in, introduced myself, and politely asked what the vuln was and how I could fix it. I figured that if I got nailed so easily I must have done something dumb; no point in getting in a huff.
They were quite helpful - one of them sent a message to the guy who did the hack to join - and told me what was up. Turns out there was a problem with phpBB, and my ISP hadn't updated mine. I asked them what I needed to do, and the hacker said, "nothing - I fixed it after I got in". And he had.
It makes no sense at all that people respond like this - all you do is piss off someone who's already proven they have the ability to hurt you. It's a bit like the saying about trying to beat up an elephant bare-handed - you get tired and the elephant gets pissed off.
Now that's class, both on your part and on theirs.
"criminalizes the creation or possession of dual-use security tools."
So, basically, compilers, linkers, standard libraries & scripting languages are all illegal to possess in Germany?
all illegal in Germany
I believe this point was made at the time, but the lawyers were too stupid to understand.
Fortunately, I'm sure there are now plenty of people outside Germany applying such tools to this company's software, and plenty of clued-up Germans now looking for alternatives to a piece of software that, even if not already exploited, probably only has a week or so to go before it becomes an unacceptable liability on any sane person's system.
they open AND close doors.
Re: and keys
Actually, keys unlock/lock doors (or the locks fixed to a door). Door handles are used to open and close doors :)
To heck with keys & handles, what about latches and hinges?
Are latches and hinges illegal to own/operate in Germany?
What does the rest of the EU have to say on the subject? Oh ... wait ... having a say is probably illegal under the same German law, when you think about it.
Ah. There's the problem. I invoked the "think" word ... which is probably ALSO illegal under the same German law, if you think^W ponder the concept.
If you read the article.....
It does not say there was a deadline on him releasing the information.
I agree that setting a deadline on the release of the information, and offering to fix it for a fee could be considered extortion.
However, by the information presented herein, I would assume that there was no deadline. So the info would only have been released after they had patched it, whenever that was, if ever. So, no extortion, just a possible business deal to expedite their release of a patch.
More info would be nice though.
So next time...
So next time someone finds an issue with their software, they'll just be lining up to do their social duty and let the company know in a responsible fashion, huh?
Talk about short-sighted...
Almost another Sony in the making
but here there are many FREE software packages that can be used to do what their package does so you can carry on making music without worrying about them any more - and save money too!
I seem to be alone
in wondering what is the point at all in publishing this 'research'.
I see the company would benefit from his initial advice, but I can share their concern about subsequent publication. How would they know all users had patched?
What value does the wider community get from knowing the entrails, rather than the existence, of this vulnerability? OK, if it is novel then some anonymous details might help other programmers, but otherwise I reckon blurting the works is no more than self-aggrandisement.
Even though I am very doubtful about the publication idea, if it were me, a polite request to defer and a bottle of champers would be infinitely better than raising the landsharks. That does smack of management-by-panic.
basically, that way it is possible for people to learn that there is a vulnerability and a patch available to correct the issue, should they not automatically do updates
Admittedly there will be many more who never do both
Put yourself in the shoes of the researcher.
You've just done a lot of work to work out how to exploit a vulnerability and suggested ways to patch it. You've emailed the company with the info and, being a good boy, have been waiting for them to fix it. No money changed hands. Is it too much to ask to be able to publish details of the vulnerability? If/when this guy is looking for another job in security, a portfolio of discovered and published bugs will help him, just like it helps an artist to have some works of his to hand. It's also, undeniably, an ego gratification. So what?
Also, you need to be aware that whenever a vendor releases a patch, vulnerability details are already public - it's easy to automatically extract the differences between two file versions and then work out the details of what was wrong - and it commonly happens for Windows patches, so people who don't patch are already at a disadvantage and publication by the discoverer doesn't change a thing.
"otherwise I reckon blurting the works is no more than self-aggrandisement."
The same could be said of a CV but I assume you have one of those.
non-reinvention of the failed wheel
"OK, if it is novel then some anonymous details might help other programmers"
And no one can know that unless they release the details. You cannot just look at a vulnerability and instantly tell if it is a one-off or may be a hidden booby-trap in other programs - if nothing else, the fact the Germans didn't see this pre-release says it isn't glaringly obvious, yet we know it is not up to snuff. Someone has to make it known publicly, and then people can determine if their software has a similar bug or not.
...used to find the exploit can likely be used by others to spot similar exploits in other software. Publishing them gives the actual code-creators a chance to do the checking for themselves, rather than just the crackers who stumble across the same technique and share it just amongst themselves.
This is a sure sign of a company that has gone to seed
Software companies are usually started by enthusiastic, obsessive types who love what they're doing and actually know a lot about it. Over time they get too rich/bored/fed up of meetings/etc., and move on. Their place gets taken by either business or financial types who think quite differently and whose paranoia (born from the understanding that most people they deal with on a daily basis know more about the products they make than they do, including many of their customers) makes them see everyone they cannot control as an enemy.
In western democracies the civilised way of dealing with enemies involves setting the lawyers on them and seeing who has the deepest pockets.
Free advice? Fuck off...
Just proves the old rule
If you can't win, get legal...
I bet they were hoping this matter would quietly go away so nothing need be done, thus I feel my choice of icon to be appropriate.
Thanks for those links, especially the second one.
That timeline really underlines just how ignorant the legal department of Magix AG have been. Good grief, they even request work from the guy which he supplies free of charge, then have the gall to threaten him.
Guess we know whose software not to use then...
If they respond in such a fashion when someone offers to help, I guess the best thing to do is warn people not to use that piece of software, or any software from that company.
Meet Sony, and Apple, you are going to get along just fine
Fun though Apple-bashing is...
If you look at the release notes that come with security updates, you'll find that they commonly include a thank-you to the person who reported the initial vulnerability.
Here's a recent one: http://support.apple.com/kb/HT4581
researcher was not forcing the company into using his services
> It is not mentioned that the researcher was trying to force the company into using his services? - wim
"They misunderstood that I was getting money for doing this ... and illegally breaking into networks"
The quote you mention is concerning Thomas Roth not Acidgen so not sure what point you're trying to make.......
Just a thought...
...was the researcher a resident of Germany?
If not then it's not like he's governed by the German law anyway.
Is not the expression "Legal goons" a tautology?
Did the company release a fix? If not, they were incredibly stupid, announcing that there was an unpatched security bug in their existing code.
Remember it's not the *application* that matters
It's what's on the computer *running* the app that can be discovered or trashed once an outsider has gained access. That would be the *minimum* damage that could be done. If they can download stuff or upload your files it's *much* worse.
TBF maybe the company has never had a bug reported to them in this way and responded badly.
OTOH maybe others *have* tried to report bugs (and their fixes) to them and been dealt with the same way and have stopped *bothering* to help them.
Fail because in business you can *never* have too many helpful friends and they seem to have managed to turn a friend into at best someone who will not *bother* reporting any more bugs to them or (worst case) someone who is actively hostile toward them.
Poor management response. V. poor.
Nothing too unusual
A while back I was running the Spamwise site, which helped to uncover vulns in BBS, Web directories and the like which (mostly through stupid coding mistakes rather than actual intent) were leaking subscribers' email addresses to spammers.
Most sites thanked us, but a few reacted like this.
I suppose the bottom line is that some site owners are more interested in beancounters than binaries, and anything which is seen to damage their business cred is reacted to with seething hostility.
"more interested in beancounters than binaries"
It's called "having an MBA".
The constitution doesn't pay legal fees...
...and copies of the same on cheap paper can be found in many cold, dead hands.
"a non-executable documentation is protected by the Federal Republic Of Germany Constitution"
It may be so in principle. Try to publish and be ready for, in order of likelihood: a few "Abmahnbriefe", reduced employment prospects, a costly legal defense and jail time.
...free speech in Germany doesn't extend to such niceties as being able to play Wolfenstein 3D, I would say that "THERE IS INDEED CENSORSHIP".
Whether or not it's justified in the eyes of the majority, Germany's absurdly draconian (and pointless) "la la la it never happened I can't hear you" laws regarding Nazi imagery are most definitely censorship.
La La La - we can't hear you isn't the point of these laws.
It's more on the lines of
a) nobody is allowed to derive any kind of enjoyment from anything related to Nazism, not even shooting at it
b) You are too stupid to inform yourself from historic sources and will instantly turn into a Nazi if you read anything not vetted by a state-approved authority.
There was a hell of a stink when some publishing company wanted to reprint 1930s newsletters as their copyright ran out. And don't get me started on the platitudes coming from our government/media in 2006 when everybody suddenly started flying the German flag everywhere for the world championship: Omg - it's 1934 all over again...can we make a law against it...they'll be burning synagogues before half-time.
I wish I was joking but there actually was an initiative to make a law against private citizens flying the national flag. And to make it worse what stopped it was probably not the fact that such a law is unconstitutional but more likely the insight that it is political suicide to come between a German and his football game. Never mind that the championship was used as a distraction to pass some very ugly laws very quietly.
Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden.
Re: the German history curriculum
"Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden."
Given the average youth's reaction to being told "you must not do that, ever" I'd say that was a courageous decision on the part of the curriculum planners.
I'm also curious to know exactly how that works. Do you tell the truth and traumatize the little children, or do you tone it all down and thereby leave them wondering what all the fuss is about?
This is the worst mistake Germany could make
It's a classic example of the old saying regarding those who would destroy that which they most despise end by becoming it. In its fanatical efforts to deny or suppress Nazi sympathizers, the German government is becoming increasingly Nazi-like in its efforts.
Furthermore, there is the danger that by repressing Nazi expression, the German government could be creating sympathy for it by virtue of the human tendency to champion the underdog. They would be far better off simply legalizing Nazi memorabilia and expression, and then publicly mocking and ridiculing those who support it - much like people do with the BNP in the UK.
And as far as what the Nazis actually did - well, most of them are dead, and those who fought them who are still alive are now in their 90s. And memories are short.
Your first two paragraphs are fine. You want to watch the third. Most of us don't need to have been around at the time to "remember" what they did. Such "memories" are not short, and IMHO neither should they be.
But yeah, banning this stuff just makes everyone behave like thwarted teenagers.