Once again this heavy-handed legislation does nothing to help the innocent, and everything to protect the guilty.
Researchers at IOActive have been slapped with a DMCA (Digital Millennium Copyright Act) gagging order a day before they planned to release information about security vulnerabilities in the kit of an as-yet unidentified vendor*. A redacted version of the legal notice – posted on Google+ – has reignited the long-standing debate …
Am I missing something? Isn't the whole thing about the DMCA that it's optional to comply with? Sure, if you fail to comply, you open yourself to being sued or whatever. But don't act like being 'slapped by a DMCA' means it's compulsory for the recipient to take down their content. It isn't. And if they had the balls, they wouldn't.
The DMCA is a rather large piece of regulation. It contains both the takedown notice mechanism (the Online Copyright Infringement Liability Limitation Act, which I guess is what you're referring to) and the WIPO Copyright and Performances and Phonograms Treaties Implementation Act, which makes it illegal (criminal) to circumvent copy-protection measures and such. There is no "DMCA order" involved here; it's just that the attorneys are threatening that what IOActive plans to do would be a criminal act.
That's the way I understand this whole issue.
DMCA = Guilty until proven innocent. It's a law for corporations, written by corporations (literally, I believe it had certain "edits" discovered that revealed only a CEO's name was changed to that of a senator...of course AFTER it had passed). Way back when I actively tried standing in its way, but I'm not a fortune 500 company, just a pesky
It has been too long to remember its nooks and crannies, but I do remember that if you were rich, you could throw these things out by the dozens over fabricated "truths" to muzzle anyone who doesn't have money to fight. However, today it no longer matters, because the rich are off the leash anyways with bought politicians, which is the reason I suspect you don't see many DMCA takedowns of this nature anymore.
Corporations suppressing the common citizen is a very, very real thing. It doesn't take a tin foil hat to see the other side, to see how this makes sense to the greedy. Shit happens and this law is just fertilizer.
I guess if you cannot name the fault you can say that the item is not free from faults.
In all conscience you can advise that people should only consider using it if they can satisfy themselves there are no issues likely to cause an upset in a deployment.
Frankly stopping someone advising that crap is well crap, should allow anyone caught out by the crap to sue the back, front and two sides off the sloppy crap maker, sorry device builder.
In all conscience you must advise people if you discover some piece of shit product to be unsafe.
If charlatans, snake oil purveyors, CyberLock(?) directors use RIAA anti-computer-use legislation to attempt to suppress the truth about their warez, then in all conscience you still must advise people if you have discovered some piece of shit product to be unsafe.
There's clearly a moral duty here to shake the (rotten) tree and let everyone watch what embarrassing little turds fall out. There's no reason one can't obey the RIAA's DMCA while still alerting potential victims to the existence of the problem to which they're being so recklessly subjected: Just don't publish the specific mechanism of the attack. Or, to be extra safe in the face of these legal menaces, any specifics at all:
"Researchers at IOActive have uncovered serious failures in the security products of CyberLock, Inc. Sadly due to legal action by lawyers representing CyberLock, Inc. we are unable to provide any specific details of the failures." for example might suffice, if you had uncovered serious failures in the security products of CyberLock, Inc.
If CyberLock manufactured an Access Control system that could be easily defeated then they are the ones at fault, NOT the people at IOActive who are trying to show how and why the CyberLock product is faulty.
IOActive at least needs to file a countersuit, and show an independent investigator the results of their tests.
As said elsewhere in this thread, the DMCA does not apply in this situation.
In reality, the greater good is the security work done by IOActive and they should publish it anyway as CyberLock has no case under DMCA.
EVERY Insurance company that paid a claim based on the faulty "security" provided by CyberLock would agree. If you produce a lock intended or advertised to secure life or property as did CyberLock, you automatically must have engineered out such "bugs". If you did not, then anytime there was an assault or theft the manufacturer can be held fully liable.
You will find that whistleblowing may be construed as "terrorist activity" in the New World Order. .... Destroy All Monsters
That perversion of justice and corrupt practice, Destroy All Monsters, is why smarter intelligence servers don't play their crooked rigged games and hack into their systems to reveal catastrophic problems for remote anonymous and/or autonomous party exploitation, and especially so whenever it is algorithm driven and high frequency traded and stealthily exported.
When did IOActive formally advise the vendor of the flaw - I do believe that there is such a thing as a "reasonable" period of time to address the flaw....
If IOActive told them about it in February, that would be reasonable notice and the DMCA threat means nowt.
If IOActive told them about the threat a week ago, IOActive can get stuffed.
>When did IOActive formally advise the vendor of the flaw - I do believe that there is such a thing as a "reasonable" period of time to address the flaw....
Cyberlock sell electronic locks & access control devices. It probably isn't possible just to push out a patch and auto-update everything... would you hook up all your building locks to the interwebs?
It would be somewhat irresponsible just to publish a wireless hack for things which aren't easily updated. Even if there were a customer registration system, it's unlikely that such things are kept up to date or are even monitored by their customers. That's the snag in replacing real locks with more flexible and more fragile electronic ones.
The upshot is, you can't fire-and-forget sales for electronics like this. You must keep contacts, both electronic, geographical and snail-mail and you must frequently verify them.
I can see why they want to quash the reveal, but they also need to be proactive in talking to their customers about the implications of using their systems.
Having said that... wireless issues? If it's a default password or WEP issue, they need a good bashing.
All well and good, until you set yourself up in the business of providing (and promising) security beyond that offered by a decent mechanical locking mechanism, and then utterly failing to deliver on that promise.
IIRC CyberLock's claim was that their electronic "enhancements" EXTENDED and COMPLEMENTED that mechanical security, when in fact it did the exact opposite, by coupling a proprietary (and seriously flawed) security algorithm, with a single (lock) pin pattern deployed enterprise wide. (Might as well be a wardrobe key or bent piece of wire at that point.)
If the highest possible (root level) access can be extrapolated from a guest access key then there is a serious fornicating problem with the implementation, which needs to be addressed right now. Right now as in, sending out a bunch of "We screwed the pooch and you need to change your locks now and send us the bill." letters immediately.
Cyberlock's customers might deserve a certain grace period in which to find a solution to a problem not of their making. Cyberlock deserves nothing but a kick in the corporate teeth.
Strikes me the solution when something like this happens is for a duly appointed entity to step in immediately and notify ALL affected customers. AND for the responsible company to be stripped of limited liability status, and given the choice of providing an IMMEDIATE fix, even if that means deploying a competitors product at their own expense, or the principal stakeholders facing those they've wronged in the courts with ALL OF THEIR ASSETS up for grabs.
Sadly most of the people making the decisions aren't on here (they are lapping up the latest Gartner paid-for-by-suppliers garbage, but I digress) but any that are, be careful to note who the vendor is and blacklist them if at all possible. It's not the kind of company you want to be doing business with anyway, especially for something as vital as SCADA.
Why hasn't the vendor been identified? And possibly the product involved.
I can understand DMCA applying to the necessary reverse engineering and release of proprietary information. That should (rightly) be kept between IOActive and the anonymous vendor until such time it can be established that no fix is forthcoming and the public good can only be served by a release. But I'd like to know (as a potential buyer), if a potential purchase might be defective. And whether I should wait or select an alternative.
The alternative is that I put a hold on all SCADA equipment purchases until such time as the issues become known. And result in harming some completely innocent vendor.
So, if the DMCA was used incorrectly (which, it certainly sounds like it was), one is allowed to file a counternotification indicating the notification was inaccurate. It's also illegal under the DMCA to file false DMCA notifications (which this sounds like it was), and the DMCA allows for damages to be collected for this. The trick is, last I heard NOBODY had ever used the "false notifications are illegal" clause to nail someone to the wall for it -- now's your chance!
"The trick is, last I heard NOBODY had ever used the "false notifications are illegal" clause to nail someone to the wall for it "
The way the false notification part is worded, most companies squeak through by asserting they own copyright to X, therefore Y must be taken down.
The false declaration part is if you claim copyright to Y when you don't.
Interestingly IOActive got slapped with a patent infringement nastygram back in 2007, though I would like to have seen that kind of bullshit manoeuvre challenged in court. "I have exclusive permission to build crap according to this patent and I assert it and demand treble damages for wilful infringement". That would be 0.3 USD, then?
"When did IOActive formally advise the vendor of the flaw - I do believe that there is such a thing as a "reasonable" period of time to address the flaw....
If IOActive told them about it in February, that would be reasonable notice and the DMCA threat means nowt.
If IOActive told them about the threat a week ago, IOActive can get stuffed."
A) The "reasonable period of time" thing is a courtesy, not any sort of legal requirement. I do agree with the sentiment that the vendor should get some time (like a month at least) to respond. But, the flip side of that, some vendors' response to advance notice is to try to gag the information from coming out (like this vendor is doing) and then not fix the flaw at all (will the vendor also do this?). I contend the advance notice is to give vendors time to fix the flaw, and vendors whose response is to gag information rather than fix the flaw are a bad actor and do not deserve advance notice at all. (I think this also applies to vendors who just fix flaws in the next version of their software, months or years later (usually a paid update), with no disclosure.) I don't know if the vendor here is in this "bad actor" category but it would not at all surprise me.
B) Given the general state of the SCADA industry, this is probably NOT some subtle flaw they didn't already know about, it's probably a real boner like "if you skip authentication the SCADA lets you send it commands anyway" or "no sanity checks whatsoever are run on input to the system" or some such thing.
C) DMCA is a *copyright* law, DMCA simply does not apply.
"When did IOActive formally advise the vendor of the flaw"
Given the way many companies make formal announcements through the media, I think IOActive announcing the flaw to the trade press can be argued to be a formal advisory, unless the vendor can show the existence of a contract and hence demonstrate breach of contract... Perhaps IOActive's mistake was to not test a couple of other similar devices and post the combined results as a 'review'.
What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of products and systems. Demonstrating that they're not that secure will undermine this business, possibly terminally, so you'd expect them to fight back. They do have one thing in their defense as well. Their keysystems may be cryptographically crude but they're adequate for the use that they're being employed for -- after all, you don't need sophisticated algorithms to defeat their locks, a crowbar or bolt cutter will do the job.
Using the DMCA is a dumb move, though. Surely the better thing is to talk to IOActive about minimizing the damage that disclosure will cause and coming up with a plan to remedy any shortcomings in the existing product line?
> What's wrong with a standard piece-of-metal key, then?
If you search Youtube for 'lock picking' you'll see that there's quite a lot wrong with the standard piece of metal key.
Mass manufactured locks seem to have been pieces of shit for .... well, forever really. And this cyber-lock business is simply more of the same.
"What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of products and systems. "
There seems to be something about the makers of RF security locking devices that says "We'll knock up some cheap computationally simple algorithm but no one will ever know because it's a secret".
It seems the "security by obscurity never works" meme has not penetrated the syllabus of MBA courses.
TL;DR: Company management did it to themselves.
"Surely the better thing is to talk to IOActive about minimizing the damage that disclosure will cause"
Why? It was a management decision to sell something that was cheap to make and insecure in use. If you've decided to do that your "business continuity" or "disaster recovery" planning should have covered the eventuality that your product would be discovered to be a PoS.
"and coming up with a plan to remedy any shortcomings in the existing product line?"
AFAIK all of CyberLock's trouble is due to internal management decisions. Their development team should have warned them the system was vulnerable (and I hope they kept the emails where they did so). If they didn't, it would seem they were pretty incompetent as well.
It seems a whole generation of "managers" have grown up that don't have the ability to stand by their decisions and whine "Oh the market/Board/creditors/partner/voices-in-my-head made me do those things".
You did it because you wanted a big bonus, a big pay rise and stock options. Everything else is self justifying BS.
You want to be a manager, manage the mess you made.
"What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of now shown to be unfit for purpose products and systems. "
Don't shoot the messenger.
And if I were a CyberLock customer, or potential customer, I'd just as soon know that there were holes in my security, because I'll bet the Bad Guys already do!
CyberLock can either keep selling what they're currently selling, or use the information provided to improve their product. Their business fortunes will change according to their decision.
.. CyberLock is now directly liable for any breaches of premises with their devices, as they are preventing their clients from finding out the details so that they can put countermeasures in place.
I may have missed when this vulnerability was conveyed to CyberLock, but if they had prior notice and didn't brief customers they will be soon in trouble. All it takes is a breach of a large customer and the *real* legal games begin..
...it advertises the following 'case study':
Case Study: Amsterdam Metro
"Some of our employees have literally tried to open all doors with their keys. We can see that in our log files."
I don't know which way this cuts in the Netherlands, but bragging about disregarding employee privacy (whether legal or not and whether there is a real operational need or not) doesn't strike me as the cleverest PR move ever.
Biting the hand that feeds IT © 1998–2019