back to article Legal goons threaten researcher for reporting security bug

A German software company has threatened legal action against a security researcher who privately reported a critical vulnerability in one of its programs, Dark Reading reports. Legal goons from Magix AG sent a nasty gram to a researcher who goes by “Acidgen” after he reported the stack buffer overflow in the company's Music …

COMMENTS

This topic is closed for new posts.
  1. icedfusion
    FAIL

    ....typical

    rather than say 'thanks for highlighting how crap our software really is' - they try and filler the cavernous security holes with legal threats - how does that help?? Just get on and fix the crap that has been created and learn from them.

    1. Anton Ivanov
      Thumb Down

      It is more "THANKS" than you think

      The continuous release of exploits and zero-days is the biggest factor in forcing users (especially corporates) to do security updates. These nowdays happen over the Internet and allow the software vendor to do license enforcement as well disable pirated copies. Windows black screen of piracy, Panda "buy me or else", etc - you name it.

      Making moves against exploits is genuinely stupid from a business perspective. This damages the company bottom line. If it was not for the endless flow of exploits and updates against them pirated copies would have continued to flourish the way they did in the 90-es.

  2. This post has been deleted by its author

    1. wim

      assuming is easy

      did you read the same article ? It is not mentioned that the researcher was trying to force the company into using his services ?

      "Acidgen also provided suggestions for fixing the flaw, Dark Reading said. He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."

      nowhere is mentioned that Acidgen was setting a date. "Once a patch was released" is not the same as saying that I will release the bug and exploit code at a set date.

    2. Peter Jones 2
      WTF?

      If you read carefully

      "He also told the representatives he planned to disclose vulnerability details publicly **once a patch was released.**"

      To me, that says he was willing to wait for them to fix the problem before telling people. So he simply wanted the credit for finding the hole, and wasn't making any threat of any kind.

      He told the company first before going to the press, offered help to fix the problem he found (yes he would have wanted paying for doing work, what a concept) and either way would keep the problem quiet until it was fixed.

      And this is the response he gets.

    3. Anonymous Coward
      Anonymous Coward

      Depends how it was worded...

      perhaps something like "Hi, your software has bug bla bla bla, one needs to do bla bla bla to exploit it. After you've released a fix for this bug, please notify me as I intend to publish a report and exploit code. Should you need help with fixing the bug, my company bla bla might be of assistance"

      And anyway, UK has a similar law - Computer Misuse Act, section 37.

    4. Oninoshiko
      Troll

      Let me fix that for you:

      Interesting how totally making stuff up can make such a difference to new information

      From the article: "Acidgen also provided suggestions for fixing the flaw." That would be FOR FREE. You know what, anyone who wants to can freely extort ABSOLUTELY NOTHING from me at any time. It really fits solidly into the "I don't mind" department.

      In addition, he didn't make a demand that it be patched in a certain timeframe, he REQUESTED to know when they would release the patch so that he could withhold publishing his research until a fix could be deployed.

      It sound an awful lot like he did all the right things. His FIRST concern was protecting the users of this software, his own ego was a close second. Even after it, apparently, has been patched, he still only disclosed the vulnerability, not the PoC code, WHICH HE APPARENTLY WROTE AT THEIR REQUEST.

      http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/229402356/another-researcher-hit-with-threat-of-german-anti-hacking-law.html

      http://www.corelan.be/index.php/forum/security-advisories/corelan-11-002-magix-music-maker-16-stack-buffer-overflow/

    5. Zobbo
      FAIL

      Re: To be fair ...

      "Acidgen also provided suggestions for fixing the flaw, Dark Reading said. He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."

      How is publicly disclosing a vulnerability *after* a patch fixing it has been released extortion?

    6. No. Really!?
      WTF?

      Huh?

      a) What compensation?

      «Acidgen also provided suggestions for fixing the flaw»

      .

      b) What deadline?

      «He also told the representatives he planned to disclose vulnerability details publicly once a patch was released.»

    7. Eddy Ito Silver badge

      He said, she said

      One side says extortion, the other side says;

      "He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."

      Granted we'll never know what was really said without the original unadulterated emails but even slightly ambiguous language can be taken either way. Add in a dash of meaning lost in translation and you've got suit guns at 20 paces.

  3. Anonymous Coward
    Big Brother

    ... more than typical ... a boomerang ...

    Magix's attorney is totally right:

    'As ... it is illegal to release software which is intended to commit computer sabotage' MAGIX is not allowed to sell/distribute their buggy software by the time they have been informed by Acidgen!!!

    Any bets when this attorney gets fired?

    1. Mrkandid
      Stop

      File an injunction against Magix

      So when is Acidgen going to file an injunction against Magix forcing them to recall all software sold since his private disclosure and stopping all further sale of the software until the vulnerability has been proved fixed? BTW I'm no lawyer, but then again that's probably already clear.

  4. Anonymous Coward
    FAIL

    my company web site...

    ...Once got owned by a group of defacer types. It was pretty much a boilerplate hack. No damage to the actual site, just a new index page. The deface page linked to their IRC server, so I went in, introduced myself, and politely asked what the vuln was and how I could fix it. I figured that if I got nailed so easily I must have done something dumb; no point in getting in a huff.

    They were quite helpful - one of them sent a message to the guy who did the hack to join - and told me what was up. Turns out there was a problem with phpbb, and my isp hadn't updated mine. I asked them what I needed to do, and the hacker said, "nothing - I fixed it after I got in". And he had.

    It makes no sense at all that people respond like this - all you do is piss off someone who's already proven they have the ability to hurt you. It's a bit like the saying about trying to beat up an elephant bare-handed - you get tired and the elephant gets pissed off.

    1. Anonymous Coward
      Thumb Up

      eltiT

      Now that's class, both on your part and on theirs.

  5. jake Silver badge

    "criminalizes the creation or possession of dual-use security tools."

    So, basically, compilers, linkers, standard libraries & scripting languages are all to illegal to possess in Germany?

    1. Ken Hagan Gold badge

      all illegal in Germany

      I believe this point was made at the time, but the lawyers were too stupid to understand.

      Fortunately, I'm sure there are now plenty of people outside Germany now applying such tools to this company's software, and plenty of clued up Germans now looking for alternatives to a piece of software that, even if not already exploited, probably only has a week or so to go before it becomes an unacceptable liability on any sane person's system.

    2. Anonymous Coward
      Happy

      and keys

      they open AND close doors.

      1. DayDragon
        Coat

        Re: and keys

        Actually, keys unlock/lock doors (or the locks fixed to a door). Door handles are used to open and close doors :)

        1. jake Silver badge

          To heck with keys & handles, what about latches and hinges?

          Are latches and hinges illegal to own/operate in Germany?

          What does the rest of the EU have to say on the subject? Oh ... wait ... having a say is probably illegal under the same German law, when you think about it.

          Ah. There's the problem. I invoked the "think" word ... which is probably ALSO illegal under the same German law, if you think^W ponder the concept.

  6. Mark Berry
    Alert

    If you read the article.....

    It does not say there was a deadline on him releasing the information.

    I agree that setting a deadline on the release of the information, and offering to fix it for a fee could be considered extortion.

    However, by the information presented herein, I would assume that there was no deadline. So the info would only have been released after they had patched it, whenever that was, if ever. So, no extortion, just a possible business deal to expedite their release of a patch.

    More info would be nice though.

  7. Big Al
    Grenade

    So next time...

    So next time someone finds an issue with their software, they'll just be lining up to do their social duty and let the company know in a responsible fashion, huh?

    Talk about short-sighted...

  8. Tom 7 Silver badge

    Almost another sony in the making

    but here there are many of FREE software packages that can be used to do what their package does so you can carry making music without worrying about them any more - and save money too!

  9. Robert E A Harvey

    I seem to be alone

    in wondering what is the point at all in publishing this 'research'.

    I see the company would benefit from his initial advice, but I can share their concern about subsequent publication. How would they know all users had patched?

    What value does the wider community get from knowing the entrails, rather than the existence, of this vulnerability? OK, if it is novel then some anonymous details might help other programmers, but otherwise I reckon blurting the works is no more than self agrandisment.

    Even though I am very doubtful about the publication idea, If it were me a polite request to defer and a bottle of champers would be infinitely better than raising the landsharks. That does smack of management-by-panic.

    1. Keith Williams
      FAIL

      The title is required, and must contain letters and/or digits.

      basically, that way it possible for people to learn that there is a vulnerability and a patch available to correct the issue, should they not automatically do updates

      Admittedly there will be many more who never do both

    2. Pawel 1
      Thumb Down

      Put yourself in the shoes of the researcher.

      You've just done a lot of work to work out how to exploit a vulnerability and suggested ways to patch it. You've emailed the company with the info and, being a good boy, have been waiting for them to fix it. No money changed hands. Is it to much to ask to be able to publish details of the vulnerability? If/when this guy is looking for another job in security, a portfolio of discovered and published bugs will help him, just like it helps an artist to have some works of his to hand. It's also, undeniably, an ego gratification. So what?

      Also, you need to be aware that whenever a vendor releases a patch, vulnerability details are already public - it's easy to automatically extract the differences between two file versions and then work out the details of what was wrong - and it is a commonly happening for windows patches, so people who don't patch are already at disadvantage and publication by the discoverer doesn't change a thing.

    3. Anonymous Coward
      Anonymous Coward

      "otherwise I reckon blurting the works is no more than self agrandisment."

      The same could be said of a CV but I assume you have one of those.

    4. Phalamir

      non-reinvention of the failed wheel

      "OK, if it is novel then some anonymous details might help other programmers"

      And no one can know that unless they release the details. You cannot just look at a vulnerability and instantly tell if it is a one-off or may be a hidden booby-trap in other programs - if nothing else, the fact the Germans didn't see this pre-release says it isn't glaringly obvious, yet we know it is not up to snuff. Someone has to make it known publicly, and then people can determine if their software has a similar bug or not.

    5. LaeMing

      The techniques...

      ...used to find the exploit can likely be used by others to spot similar exploits in other software. Publishing them gives the actual code-creators a chance to do the checking for themselves, rather than just the crackers who stumble across the same technique and share it just amongst themselves.

  10. Anonymous Coward
    FAIL

    This is a sure sign of a company that has gone to seed

    Software companies are usually started by enthusiastic, obsessive, types who love what they're doing and actually know a lot about it. Over time they get too rich/bored/fed up of meetings/etc., and move on. Their place gets taken by either business or financial types who think quite differently and whose paranoia (born from the understanding that most people they deal with on a daily basis knows more about the products they make than they do, including many of their customers) makes them see everyone they cannot control as an enemy.

    In western democracies the civilised way of dealing with enemies involves setting the lawyers on them and seeing who has the deepest pockets.

    Free advice? Fuck off...

  11. heyrick Silver badge
    FAIL

    Just proves the old rule

    If you can't win, get legal...

    I bet they were hoping this matter would quietly go away so nothing need be done, thus I feel my choice of icon to be appropriate.

  12. Will Godfrey Silver badge
    Unhappy

    @Oninoshiko

    Thanks for those links, especially the second one.

    That timeline really underlines just how ignorant the legal department of Magix AG have been. Good grief, they even request work from the guy which he supplies free of charge, then have the gall to threaten him.

  13. Anonymous Coward
    FAIL

    Guess we know who's software to not use then...

    If they respond in such a fashion when someone offers to help, I guess the best thing to do is warn people not to use that piece of software, or any software from that company.

  14. Naughtyhorse

    MAGIX

    Meet sony, and Apple, you are going to get along just fine

    dolts!

    1. Chris 3
      Troll

      Fun though Apple-bashing is...

      If you look at the release notes that come with security updates, you'll find that they commonly include a thank-you to the person who reported the initial vulnerability.

      Here's a recent one: http://support.apple.com/kb/HT4581

  15. doperative
    Alien

    researcher was not forcing the company into using his services

    > It is not mentioned that the researcher was trying to force the company into using his services ?, wim

    "They misunderstood that I was getting money for doing this ... and illegally breaking into networks"

    http://tinyurl.com/6g853kg

    http://mobile.darkreading.com/9287/show/87388ff1d2461814c5a84f7207f6f9a3&t=5747b086486247295f80f245d99fd035

    1. Anonymous Coward
      Alert

      erm.....

      The quote you mention is concerning Thomas Roth not Acidgen so not sure what point you're trying to make.......

  16. Cunningly Linguistic

    Just a thought...

    ...was the researcher a resident of Germany?

    If not then it's not like he's governed by the German law anyway.

  17. Ted Treen
    Happy

    Pedantry alert

    Is not the expression "Legal goons" tautology?

  18. fishman

    Stupid?

    Did the company release a fix? If not, they were incredibly stupid, announcing that there was an unpatched security bug in their existing code.

  19. John Smith 19 Gold badge
    FAIL

    Remeber it's not the *application* that matters

    It's what's on the computer *running* the app that can discovered or trashed once an outsider has gained access. That would be the *minimum* damage that could be done. If they can down load stuff or upload your files it's *much* worse

    TBF maybe the company has never had a bug reported to them in this way and responded badly.

    OTOH maybe others *have* tried to report bugs (and there fixes) to them and been dealt with the same way and have stopped *bothering* to help them.

    Fail because in business you can *never* have too many helpful friends and they seem to have managed to turn a friend into at best someone who will not *bother* reporting any more bugs to them or (worse case) someone who is actively hostile toward them.

    Poor management response. V. poor.

  20. Anteaus

    Nothing too unusual

    A while back was running the Spamwise site, which helped to uncover vulns in BBS, Web directories and the like which (mostly through stupid coding mistakes rather than actual intent) were leaking subscribers' email addresses to spammers.

    Most sites thanked us, but a few reacted like this.

    I suppose the bottom line is that some siteowners are more interested in beancounters than binaries, and anything which is seen to damage their business cred is reacted-to with seething hostility.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      "more interested in beancounters than binaries"

      It's called "having an MBA".

  21. This post has been deleted by its author

    1. Destroy All Monsters Silver badge
      Alert

      The constitution doesn't pay legal fees...

      ...and copies of the same on cheap paper can be found in many cold, dead hands.

      "a non-executable documentation is protected by the Federal Republic Of Germany Constitution"

      It may be so in principle. Try to publish and be ready for in order of likelihood: a few "Abmahnbriefe", reduced employment prospects, a costly legal defense and jailtime.

    2. Anonymous Coward
      Boffin

      Given that...

      ...free speech in Germany doesn't extend to such niceties as being able to play Wolfenstein 3D, I would say that "THERE IS INDEED CENSORSHIP".

      Whether or not it's justified in the eyes of the majority, Germany's absurdly draconian (and pointless) "la la la it never happened I can't hear you" laws regarding Nazi imagery are most definitely censorship.

      1. Sabine Miehlbradt
        Boffin

        Actually

        La La La - we can't hear you isn't the point of these laws.

        It's more on the lines of

        a) nobody is allowed to derive any kind of enjoyment from anything related to Nazism, not even shooting at it

        b) You are too stupid to inform yourself from historic sources and will instantly turn into a Nazi if you read anything not vetted by a state-approved authority.

        There was a hell of a stink when some publishing company wanted to reprint 1930s newsletters as their copyright ran out. and don't get me started on the platitudes coming from our government/media in 2006 when everybody suddenly started flying the German flag everywhere for the world championship: Omg - it's 1934 all over again...can we make a law against it...they'll be burning synagogues before half-time.

        I wish I was joking but there actually was an initiative to make a law against private citizens flying the national flag. And to make it worse what stopped it was probably not he fact that such a law is unconstitutional but more likely the insight that it is political suicide to come between a German and his football game. Never mind that the championship was used as a distraction to pass some very ugly laws very quietly.

        Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden.

        1. Ken Hagan Gold badge

          Re: the German history curriculum

          "Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden."

          Given the average youth's reaction to being told "you must not do that, ever" I'd say that was a courageous decision on the part of the curriculum planners.

          I'm also curious to know exactly how that works. Do you tell the truth and traumatize the little children, or do you tone it all down and thereby leave them wondering what all the fuss is about?

    3. '); DROP TABLE comments; --
      Stop

      This is the worst mistake Germany could make

      It's a classic example of the old saying regarding those who would destroy that which they most despise end by becoming it. In it's fanatical efforts to deny or suppress Nazi sympathizers, the German government is becoming increasingly Nazi-like in its efforts.

      Furthermore, there is the danger that by repressing Nazi expression, the German government could be creating sympathy for it by virtue of the human tendency to champion the underdog. They would be far better off simply legalizing Nazi memorabilia and expression, and then publicly mocking and ridiculing those who support it - much like people do with the BNP in the UK.

      And as far as what the Nazis actually did - well, most of them are dead, and those who fought them who are still alive are now in their 90s. And memories are short.

      1. Ken Hagan Gold badge

        @DROP TABLE

        Your first two paragraphs are fine. You want to watch the third. Most of us don't need to have been around at the time to "remember" what they did. Such "memories" are not short, and IMHO neither should they be.

        But yeah, banning this stuff just makes everyone behave like thwarted teenagers.

        1. This post has been deleted by its author

  22. Anonymous Coward
    FAIL

    sadly

    there doesn't appear to be a law against distributing shit code.

  23. Anonymous Coward
    FAIL

    ffs....

    Its this type of nonsense from companies and iLawyers that get themselves in the sights of the less than ethical hackers.

    If it was me, I would go ahead and get the details of the vulnerability on every website I could find. I don't think you are obliged to hold off publishing until its fixed, but they would soon learn not to bite the hand that's trying to help....

  24. Anonymous Coward
    Anonymous Coward

    I'd like to see it come to trial

    Despite his good intentions, he gave their lawyers enough to work on to form a twisted view of his intentions, such that a case may be viable. However, if it came to trial then it should become pretty obvious that there is no case to answer, and that the company concerned are truly a bunch of twats.

  25. neverSteady

    Further flaws will not be reported

    It would seem that this company is asking for trouble. If one hole has been advised to them and this is how they react, then would in their right mind would inform them of further holes in their obviously flawed software? No one.

    1. Anonymous Coward
      Anonymous Coward

      Future vulns

      Future vulns will be reported to them, just not in the way they like. POC will be released to the general public, forcing the company to rush a patch. Maybe the consumer will then get wise and look elsewhere for their software needs.

  26. Denarius Silver badge
    Thumb Down

    more like a proverb

    sounds to me like the usual quotation. "No good deed goes unpunished"

    what else do you expect in the ruins of what was western civilisation?

  27. Anonymous Coward
    Grenade

    AC

    I do so hope that the lawyer's attitude doesn't annoy another hacker enough to release the vuln anonymously, or worse find a few more vulns' and then release the whole lot in one go.

    AC 'cos I can't speak German.

  28. Anonymous Coward
    Anonymous Coward

    Yet More Signs of the Coming Lawpocalypse

    "According to the report, Acidgen alerted Magix representatives to the bug in several emails that also included proof-of-concept code that forced the Windows calculator to open, indicating the flaw could be exploited to execute malicious code on a victim's computer."

    He could have opened something a little *less* malicious than Windows Calculator, just for demonstration purposes. No wonder they unleashed the lawyers.

    1. Dan Beshear

      There's a reason for that ...

      Opening the Calculator has been the standard of proof-of-concept proof since Windows 98, maybe even before that. Opening anything else would have made the shysters' point for them, instead of letting them prove their own buffoonery.

    2. Anonymous Coward
      Coat

      Hey, he was being kind...

      ...he could have -really- gone for the jugular, and opened Notepad.

  29. westlake
    Pint

    News For Nerds - The Rupert Murdoch Edition

    "Legal goons threaten researcher.... "

    How about we leave this sort of headline to the tabloid press?

    1. foo_bar_baz

      What?

      The Register IS the IT tabloid press.

  30. CarlC
    FAIL

    Looks like........

    Magix got just what they deserve, lots of publicity about a buggy program that they didn't want anyone to know about........

    Give them a gun, I bet they can shoot themselves in their own feet too.

  31. Anonymous Coward
    Stop

    German Law....

    Doesn't apply *if* he is in the UK so publish and be damned.....?

    1. Ken Hagan Gold badge

      Re: German Law

      You've forgotten about the European Arrest Warrant.

  32. Mectron

    Just like Criminal Sony

    Magix AG need to go down on this, Why is that law enforment let company such as Magix AG, do criminal act out in the open, whitout been punish?

  33. Turbo Beholder
    Badgers

    Translation:

    "the backdoor was intended and we aren't even professional enough to keep a smiling face".

    I mean, if even Billy used to just say "it's not pee, it's rain"...

  34. Fred Flintstone Gold badge

    Possible little snag for Magix

    Now they know that there is a problem and have stupidly acknowledged this via their actions, I can imagine them getting into trouble for continuing to sell the product. They would be knowingly sell a defective product, AFAIK that's illegal in almost any country under consumer laws.

    OTOH, that has never stopped the sale of Windows, so maybe not..

  35. Tigra 07 Silver badge
    FAIL

    Release the code to attack the company or LOIC the sense into them...

    Security reaearcher discovers software flaw.

    Security researcher warns author of said software.

    Security researcher does all the work and offers a fix for free.

    Software company threatens to sue for extortion and in doing so damages their company image, looks massively ungrateful and creates Barbara Streisand effect their company may not recover from.

    If any software I used did this I wouldn't reward their behaviour by staying with them.

    It's unfair and potentially dangerous for their users/customers.

  36. Anonymous Coward
    FAIL

    FAO the CEO of Magix AG

    This is a talented guy, you should be grateful to! I think the CEO of this company should literally kiss the security researcher's ass as a gesture. If he suggested ways, that means HE IS GIVING YOU THE ANSWER, you _fuckwits_!

    It is possible that this was all a geniune misunderstanding, I suppose. i.e. it's concievable that these lawyers were a little bit stupid. If this is the case, I truly hope that this artile at least shames Magix AG to issue an apology to this researcher.

    "WHY WOULD HE DO THIS?" I hear the dumb Magix AG directors saying. It's so that once you fix the flaw (using your in-house coders), he gets to brag about it on his CV. This means he is more likely to land a consultancy job at a major organistation.

  37. Anonymous Coward
    Grenade

    Somebody explain to me....

    How the great IT populace as a whole benefits if this person reveals details on how to exploit a vulnerability?

    Even if a patch has been released, how much time is he giving the universe to apply the patch?

    Some of us have better things to do than have to apply patches a nanosecond after they're released... by unveiling the details of a vulnerability, he is in effect forcing every BOFH to have to snap to every time one of a gazillion vendors releases a patch.

    Oh by the way, did I mention applying patches comes with it's own set of perils to system stability? The vast bulk of system outages are the result of change-induced incidents. Bad patches, or good patches incorrectly applied, or patches that for whatever reason are in conflict with your particular configuration.

    Yeah, let's have to do them all daily, or even better one at at time as they come out because Klem Kaddiddlhopper is going to release the details of how to exploit!

    This a-hole should have his pubic hairs pulled from his scrotum one at a time.

    1. jake Silver badge

      Explain to you?

      How about you re-read TFA, for comprehension this time, instead?

      Re: the rest of your rant ... As a sysadmin, I review, evaluate and apply patches as required for the software running on the systems under my control. If I get sixteen patches in for ten different pieces of software on the same day, I grit my teeth & get on with it. It's been that way since the year dot, and I don't see it changing any time soon. It's a part of running large, complex systems.

      But that's OK, AC. You can always switch to Microsoft-only products, and only have to apply patches on patch Tuesday, once a month, regardless of how critical the bug(s). Doesn't that make you feel better? ::patpatpat::

    2. Anonymous Coward
      FAIL

      Ah, I see...

      You need to have common sense explained to you. Way to go, idiot!

    3. Anonymous Coward
      FAIL

      Sounds like you are in entirely the wrong field for your mindset!

      I assume if the car you drive is recalled for replacement of defective brakes that can fail at any time, you will be all "Meh, I don't have time this month, maybe next month if I feel like it." It is called 'maintenance' and all complex systems need it.

      1. Anonymous Coward
        Anonymous Coward

        Yeah sure

        You all must be running small shops without mission critical applications.

        If you have thousands of servers, running almost every operating system ever invented (NT, Wintel, AIX, Sun, AS/400, z/OS, z/Linux, Linux, Tandem OS, VMS, etc. etc) you cannot one-off your patches. You have a patch cycle, with negotiated outages with the business, that you follow.

        Complex systems my ass! I'll stack the complexity of the environment I have to deal with with anybody else's any day of the week, and complexity is indeed the problem and why a carefully designed patch cycle is key to stability.

        If you have mission-critical systems (in my case hospital systems) you cannot throw patches into production without testing, unless there truly truly is a vulnerability. You also cannot throw patches on unless you have a pre-negotiated window (hint, hospitals run 24X7) or arrange for one based upon special need.

        You cannot patch 20,000+ systems in a heterogenous system every week. You can't even do it every month.

        You DO have to apply critical patches as they come out, but critical is a judgement call of impact and likelihood.

        This yahoo is threatening to increase the likelinood of what he discovered being released in the wild, thanks to his apparent willingness to divulge details. This increases the overall urgency of applying patches, which disrupts a planned patch cycle and adds unnecessary risk.

        To what end?

        For what purpose?

        All I can see is to stroke his ego and to build his resume.

        1. jake Silver badge

          Lots of "Huh? WTF?" flags in there, AC ...

          Argument from authority doesn't work around here, and generally makes the arguer look silly.

          How many OSes does this particular buggy software run on?

          Your "heterogenous"(sic) systems are not my issue. Bad planning on your company's part doth not make me give a shit about your company's bad planning. And again, said insecure software doesn't even come close to running on half the OSes you cite.

          One wonders why said AC allows "critical hospital systems" to be accessed from public networks in the first place. The mind boggles.

          And one also wonders why said AC seems to believe that "planned patch cycles" relate one-to-one on critical software bugs.

          Also, the AC seems to be intentionally ignoring the fact that the security researcher kept the central issue to back-channels, didn't go public, and from all accounts didn't intend to go public until after the problem was fixed.

          AC seems to be entirely confused. Or perhaps a trifle too shrill ... Mayhap it has an investment in the small German company with obviously real security problems who seems to think that throwing lawyers at the problem, instead of programmers, is a good idea?

          Or perhaps said AC is actually a shill for said company. Which would be my guess.

          At least the AC is an anonymous coward, and not trying to stroke it's own ego ... I'm not certain if that's a plus or a minus ;-)

          1. Anonymous Coward
            FAIL

            One last time, because nobody seems to address my basic question...

            "from all accounts didn't intend to go public until after the problem was fixed",

            Yes but....

            Fixed how, when and where? By vendor issuing a patch? That doesn't fix anything. Nothing is fixed until all the users of the software have applied the patch. How much lead time is he giving people? Is he going to wait a day, a week, a month, a year?

            The issue here is not this particular example, the issue is the principle.

            I'm still waiting for someone to explain to me how the IT world in general benefits from him RELEASING THE DETAILS! Not finding and reporting the bug, that was not, is not, and never was the issue. The issue is he said he would release the details. WHY?

            I'm not going to argue my shop doesn't have issues; but when a company is built by acquiring over time various other companies, has a history of weak central IT control (since corrected), has multiple lines of business spread across even more operating regions, all with some degree of autonomy (ever try telling a doctor "no"?), you're going to have some "legacy issues". Shit happens. What I don't need is people making things more difficult than they need to be.

            And yes, our servers are behind appropriate multi-layer firewalls, but then you have things like USB drives, people with laptops who connect on public internets at home or while traveling, then come to work the next day and and log in: so various nasties WILL wind up on your internal networks, firewalls aside. May not be an attack vector in this case, but we're talking principle here.

            And yes, I know the difference between responding to a virus outbreak and proactive patching; just in case you wanted to go down that path. This issue is about proactive patching, and whether or not you can control the number of critical out-of-cycle patches you need to apply due to heightened exposure.

            Then you have the auditors who want to know if you're good with HIPAA, SOX, PCI, and many other legal restrictions; all of which impose various security/vulnerability requirements on us. Doesn't matter if a server is directly visible to the external internet or not.... and you should know that if you really have to maintain a significant server farm in a large business venture that includes personally identifiable information, or financial information, or credit card information, or health care information. Ask Sony about this concept someday.

            So you end up having to patch EVERY vulnerability on EVERY server it could possibly apply to, because proving to an auditor that there is no theoretical attack vector due to firewalls and/or network segregation is more work than just patching things. Plus, you could be wrong.

            So one more time:

            How does DIVULGING DETAILS, not finding and reporting, benefit the greater IT community?

            I'm OK with everybody telling me I'm full of shit if they would address my question, but nobody HAS yet addressed my original question: Why is divulging the details a good thing for US?

            Yeah yeah yeah, good on him for finding and reporting... give him a merit badge, pay him a finders fee, write him a letter of recommendation, let him put it on his resume'.

            What is the upside for us when he divulges attack details?

            Anybody?

            And no, not German; US.

            Not sofware company; Health Care (did work for a US software company in the 80s).

            Don't even run this software, could care less one way or the other.

            I just think this guy (and others who behave similarly, as this seems to be a standard modus operandi in the 'white hat' community) do us no service by releasing 'how to' info, as he has no way of knowing how many users have completed applying the fix, and THEIR TIMETABLE IS NONE OF HIS BUSINESS.

            Shrill? You bet. I just don't understand why the rest of you aren't also pissed off, so I must be missing something... so tell me please: what is the upside to ME of him divulging details? 'Cause I for sure can see the downside.

            Last post on this, promise.

            1. Ken Hagan Gold badge
              Happy

              @Anonymous Coward

              "Last post on this, promise."

              Since you are posting as AC, how will we know?

            2. '); DROP TABLE comments; --
              FAIL

              OK AC, here's an answer

              What are the benefits to the public of releasing the details of this hack?

              1. Sysadmins running this software on their systems can experiment with and and test the vuln to ensure that the patch actually works and their systems are now secured;

              2. Programmers and software engineers in related areas can examine their own code to see if a similar vuln exists in their systems;

              3. A person with effective skills at finding vulns can put the result on his CV, enabling him to get jobs where he can find other vulns and rectify them before they cause real damage, for example in your hospital systems.

              There are reasons why you make such findings public. Those reasons have much to do with a component of standard scientific method commonly known as "peer review".

            3. jake Silver badge

              Yep. You are missing something.

              Learning from other people's mistakes is a part of the learning process. Security by obscurity is, by definition, not security at all. See: Sony.

              @Ken Hagan

              ::grins:: You stole my thunder.

    4. Gerardo Korndorffer
      Happy

      RE: Somebody explain to me...

      Easy to understand if you think a bit about it....let me ask you a little question...do you truly believe only "white hats" discover bugs?

      If not exposed, it could mean that it will be either not fixed nor checked on the rest of the code, (a different part might have the same issue)...so it is nice to have someone cleaning up the zero day vulnerabilities...even if you have to work a bit to make your system stable.

      1. Anonymous Coward
        Anonymous Coward

        You miss my point

        I have no problem with him finding bugs. I applaud him for finding and reporting them. That's not the issue. That's not why the company threatened him.

        I have a problem with him publishing to the world at large how the exploit works.

        This assists any number of black hats in developing attacks. It increases astronomically the number of people not only aware that a vulnerability exists, and tells them how to exploit it. It shortens the window of time people have to apply patches before an exploit hits them.

        Yes, perhaps someone else would have stumbled upon it, but divulging details is irresponsible and serves no purpose to the IT community at large.

  38. Anonymous Coward
    Anonymous Coward

    This sounds more like a job solicitation

    This story sounds more like a job solicitation or possibly even extortion, more than a white hat looking to help.

  39. Charles Smith
    Grenade

    The damage...?

    I buy Magix software for my company, but will think carefully in the future about making such a choice if this story represents their policy in dealing with security vulnerabilities in their software.

    1. Gary Turner

      In the cool light of day

      Since you're a customer, why not ask Magix's sales people and even the CEO (or is it the Managing Director in Germany?) for their responses to the allegations and comments raised in this article? How they respond should be educational, and deserving of being a part of future buying decisions.

    2. Anonymous Coward
      Anonymous Coward

      I buy Magix software for my company

      "I buy Magix software for my company,"

      I do too (Since V 10). I agree with you. I don't like what I am hearing here. Not one bit. The last versions may be the last I purchase. What next, a black hat who doesn't tell them (and us by proxy) squat?

  40. Anonymous Coward
    FAIL

    Streisand effect in operation.

    If the lawyers hadn't heard of it before.

    Someone should send them a link to this thread then see if they try and close it down.

    Free speech, so long as they agree with it...

  41. Henry Wertz 1 Gold badge
    Grenade

    That's what one gets..

    for following the so-called "responsible disclosure" procedures. He should have just released his research straight up.

    "Somebody explain to me.... How the great IT populace as a whole benefits if this person reveals details on how to exploit a vulnerability?"

    No, I will not. If you believe withholding information is a good idea I won't convince you otherwise. You are wrong though.

  42. Acme Fixer

    Alternative???

    I think it may be a good idea to send the email with only a link to the information, with a 'shrink wrap' statement that by clicking on the link, the recipient agrees to abide by the laws of <insert non-German country>, etc. Also the linked info should obviously not be on a server in Germany.

  43. Yet Another Anonymous coward Silver badge

    Explanation

    Can somebody explain to me how we are better off without Thalidomide - some goody-goody reporters try and make a name for themselves by reporting a few problems with a drug and we suddenly have to run around finding a replacement.

    I mean does everybody really need arms anyway?

    Ironically the medical are fighting to allow Thalidomide to be used again - it's a very useful drug.

    Doctors have now discovered a large part of the population who are unlikely to suffer any pregnancy related side effects..

  44. Anonymous Coward
    Alert

    Lesson learned

    next time you discover a vulnerability on this company's software:

    Disclose it anonymously and PUBLICLY.

    Ungrateful bastards need to get a grip.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019