Security bods gagged using DMCA on eve of wireless key vuln reveal

Researchers at IOActive have been slapped with a DMCA (Digital Millennium Copyright Act) gagging order a day before they planned to release information about security vulnerabilities in the kit of an as-yet unidentified vendor*. A redacted version of the legal notice – posted on Google+ – has reignited the long-standing debate …

  1. Will Godfrey Silver badge
    Unhappy

    Bar Stewards

    Once again this heavy-handed legislation does nothing to help the innocent, and everything to protect the guilty.

  2. Anonymous Coward
    Anonymous Coward

    Man up

    Am I missing something? Isn't the whole thing about the DMCA that it's optional to comply with? Sure, if you fail to comply, you open yourself to being sued or whatever. But don't act like being 'slapped by a DMCA' means it's compulsory for the recipient to take down their content. It isn't. And if they had the balls, they wouldn't.

    1. Frank Bitterlich

      Re: Man up

      The DMCA is a rather large piece of regulation. It contains both the takedown notice mechanism (the Online Copyright Infringement Liability Limitation Act, which I guess is what you're referring to) and the WIPO Copyright and Performances and Phonograms Treaties Implementation Act, which makes it illegal (criminal) to circumvent copy-protection measures and such. There is no "DMCA order" involved here; it's just that the attorneys are threatening that what IOActive plans to do would be a criminal act.

      That's the way I understand this whole issue.

      1. asdf Silver badge

        Re: Man up

        DMCA is also US only which along with some other short bus laws and customs should provide a strong incentive for IT security companies to locate overseas away from the land of the "free".

        1. Anonymous Coward
          Anonymous Coward

          Re: Man up

          DMCA = Guilty until proven innocent. It's a law for corporations, written by corporations (literally, I believe it had certain "edits" discovered that revealed only a CEO's name was changed to that of a senator...of course AFTER it had passed). Way back when I actively tried standing in its way, but I'm not a fortune 500 company, just a pesky citizen consumer.

          It has been too long to remember its nooks and crannies, but I do remember that if you were rich, you could throw these things out by the dozens over fabricated "truths" to muzzle anyone who doesn't have money to fight. However, today it no longer matters, since the rich are off the leash anyway with bought politicians, which is the reason I suspect you don't see many DMCA takedowns of this nature anymore.

          Corporations suppressing the common citizen is a very, very real thing. It doesn't take a tin foil hat to see the other side, to see how this makes sense to the greedy. Shit happens and this law is just fertilizer.

        2. elDog Silver badge

          Re: Man up

          Oh - just you wait for some more Trans-xxx-Partnerships and all your rights will be sold to the lowest bidder.

          This ain't just a USofA problem if it becomes part of the trade treaties - at least as much as we are allowed to read (none).

    2. LosD

      Re: Man up

      Gotta love it when the ones not risking anything decide that those in the line of fire are cowards... while hiding their own identity.

  3. Richard Jones 1
    Mushroom

    Unable to Confirm Fault Free?

    I guess if you cannot name the fault you can say that the item is not free from faults.

    In all conscience you can advise that people should only consider using it if they can satisfy themselves there are no issues likely to cause an upset in a deployment.

    Frankly, stopping someone advising that crap is, well, crap; it should allow anyone caught out by the crap to sue the back, front and two sides off the sloppy crap maker, sorry, device builder.

    1. Anonymous Coward
      Anonymous Coward

      Re: Unable to Confirm Fault Free?

      Absolutely!

      In all conscience you must advise people if you discover some piece of shit product to be unsafe.

      If the charlatan snake oil purveyors CyberLock(?) directors use RIAA anti-computer-use legislation to attempt to suppress the truth about their warez then in all conscience you still must advise people if you have discovered some piece of shit product to be unsafe.

      There's clearly a moral duty here to shake the (rotten) tree and let everyone watch what embarrassing little turds fall out. There's no reason one can't obey the RIAA's DMCA while still alerting potential victims to the existence of the problem to which they're being so recklessly subjected: Just don't publish the specific mechanism of the attack. Or, to be extra safe in the face of these legal menaces, any specifics at all:

      "Researchers at IOActive have uncovered serious failures in the security products of CyberLock, Inc. Sadly due to legal action by lawyers representing CyberLock, Inc. we are unable to provide any specific details of the failures." for example might suffice, if you had uncovered serious failures in the security products of CyberLock, Inc.

      1. Anonymous Coward
        Anonymous Coward

        Ethical hack, ethical outcome

        Refer to title

      2. Dan Paul

        Re: Unable to Confirm Fault Free?

        If CyberLock manufactured an Access Control system that could be easily defeated then they are the ones at fault, NOT the people at IOActive who are trying to show how and why the CyberLock product is faulty.

        IOActive at least needs to file a countersuit, and show an independent investigator the results of their tests.

        As said elsewhere in this thread, the DMCA does not apply in this situation.

        In reality, the greater good is the security work done by IOActive and they should publish it anyway as CyberLock has no case under DMCA.

        EVERY Insurance company that paid a claim based on the faulty "security" provided by CyberLock would agree. If you produce a lock intended or advertised to secure life or property as did CyberLock, you automatically must have engineered out such "bugs". If you did not, then anytime there was an assault or theft the manufacturer can be held fully liable.

  4. Velv Silver badge
    Holmes

    I suspect the laws on whistleblowing trump the DMCA, but I'm not a lawyer.

    If something is unsafe or insecure then disclosure is in the public interest

    1. Destroy All Monsters Silver badge

      You will find that whistleblowing may be construed as "terrorist activity" in the New World Order.

      1. amanfromMars 1 Silver badge

        It never rains but it pours ...

        You will find that whistleblowing may be construed as "terrorist activity" in the New World Order. .... Destroy All Monsters

        That perversion of justice and corrupt practice, Destroy All Monsters, is why smarter intelligence servers don't play their crooked rigged games and hack into their systems to reveal catastrophic problems for remote anonymous and/or autonomous party exploitation, and especially so whenever it is algorithm driven and high frequency traded and stealthily exported.

    2. Robert Helpmann?? Silver badge
      Childcatcher

      Trumped Up

      I suspect the laws on whistleblowing trump the DMCA,

      The problem in this is that in order to make that determination the case would still have to go through the legal system which costs money even for the wrongly-accused.

      1. Alan Brown Silver badge

        Re: Trumped Up

        "which costs money even for the wrongly-accused."

        Especially in the USA, which doesn't have provisions for making plaintiffs cough up if they lose.

  5. This post has been deleted by its author

    1. asdf Silver badge

      the public can never know how greedy and incompetent we are

      Warrant canaries (which this isn't but reminds me of) say a lot more about the state of our political and legal systems than our tech industry.

  6. Alistair Silver badge
    Coat

    There is a reasonable process....

    When did IOActive formally advise the vendor of the flaw? I do believe that there is such a thing as a "reasonable" period of time to address the flaw....

    If IOActive told them about it in February, that would be reasonable notice and the DMCA threat means nowt.

    If IOActive told them about the threat a week ago, IOActive can get stuffed.

    1. P. Lee Silver badge

      Re: There is a reasonable process....

      >When did IOActive formally advise the vendor of the flaw? I do believe that there is such a thing as a "reasonable" period of time to address the flaw....

      Cyberlock sell electronic locks & access control devices. It probably isn't possible just to push out a patch and auto-update everything... would you hook up all your building locks to the interwebs?

      It would be somewhat irresponsible just to publish a wireless hack for things which aren't easily updated. Even if there were a customer registration system, it's unlikely that such things are kept up to date or are even monitored by their customers. That's the snag in replacing real locks with more flexible and more fragile electronic ones.

      The upshot is, you can't fire-and-forget sales for electronics like this. You must keep contacts, both electronic, geographical and snail-mail and you must frequently verify them.

      I can see why they want to quash the reveal, but they also need to be proactive in talking to their customers about the implications of using their systems.

      Having said that... wireless issues? If its a default password or WEP issue, they need a good bashing.

      1. This post has been deleted by its author

      2. Black Betty

        Re: There is a reasonable process....

        All well and good, until you set yourself up in the business of providing (and promising) security beyond that offered by a decent mechanical locking mechanism, and then utterly failing to deliver on that promise.

        IIRC Cyberlock's claim was that their electronic "enhancements" EXTENDED and COMPLEMENTED that mechanical security, when in fact it did the exact opposite, by coupling a proprietary (and seriously flawed) security algorithm with a single (lock) pin pattern deployed enterprise wide. (Might as well be a wardrobe key or bent piece of wire at that point.)

        If the highest possible (root level) access can be extrapolated from a guest access key then there is a serious fornicating problem with the implementation, which needs to be addressed right now. Right now as in, sending out a bunch of "We screwed the pooch and you need to change your locks now and send us the bill." letters immediately.

        Cyberlock's customers might deserve a certain grace period in which to find a solution to a problem not of their making. Cyberlock deserves nothing but a kick in the corporate teeth.

        Strikes me the solution when something like this happens is for a duly appointed entity to step in immediately and notify ALL affected customers. AND for the responsible company to be stripped of limited liability status, and given the choice of providing an IMMEDIATE fix, even if that means deploying a competitors product at their own expense, or the principal stakeholders facing those they've wronged in the courts with ALL OF THEIR ASSETS up for grabs.

  7. DryBones

    Streisand Effect in 3, 2, 1...

    Someone is going to get creamed over this. And I don't think it's the researchers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Streisand Effect in 3, 2, 1...

      Yep, I'll be sending a copy of "Hello Dolly" to CyberLock

  8. asdf Silver badge

    to all those with access to the purse strings or product decisions

    Sadly most of the people making the decisions aren't on here (they are lapping up the latest Gartner paid-for-by-suppliers garbage, but I digress), but any that are, be careful to note who the vendor is and blacklist them if at all possible. It's not the kind of company you want to be doing business with anyway, especially for something as vital as SCADA.

  9. Paul Hovnanian Silver badge

    Why hasn't the vendor been identified? And possibly the product involved.

    I can understand DMCA applying to the necessary reverse engineering and release of proprietary information. That should (rightly) be kept between IOActive and the anonymous vendor until such time it can be established that no fix is forthcoming and the public good can only be served by a release. But I'd like to know (as a potential buyer), if a potential purchase might be defective. And whether I should wait or select an alternative.

    The alternative is that I put a hold on all SCADA equipment purchases until such time as the issues become known. And result in harming some completely innocent vendor.

  10. Henry Wertz 1 Gold badge

    Counternotification and charges?

    So, if the DMCA was used incorrectly (which, it certainly sounds like it was), one is allowed to file a counternotification indicating the notification was inaccurate. It's also illegal under the DMCA to file false DMCA notifications (which this sounds like it was), and the DMCA allows for damages to be collected for this. The trick is, last I heard NOBODY had ever used the "false notifications are illegal" clause to nail someone to the wall for it -- now's your chance!

    1. Alan Brown Silver badge

      Re: Counternotification and charges?

      "The trick is, last I heard NOBODY had ever used the "false notifications are illegal" clause to nail someone to the wall for it "

      The way the false notification part is worded, most companies squeak through by asserting they own copyright to X, therefore Y must be taken down.

      The false declaration part is if you claim copyright to Y when you don't.

  11. phil dude
    Stop

    t-shirt, 1st amendment?

    How about a t-shirt with the exploit summarised....?

    It worked for RSA, CSS, etc....

    P.

  12. Destroy All Monsters Silver badge
    Holmes

    Interestingly, IOActive got slapped with a patent infringement nastygram back in 2007, though I would like to have seen that kind of bullshit manoeuvre challenged in court. "I have exclusive permission to build crap according to this patent and I assert it and demand treble damages for wilful infringement". That would be 0.3 USD, then?

  13. Henry Wertz 1 Gold badge

    A few points

    "When did IOActive formally advise the vendor of the flaw? I do believe that there is such a thing as a "reasonable" period of time to address the flaw....

    If IOActive told them about it in February, that would be reasonable notice and the DMCA threat means nowt.

    If IOActive told them about the threat a week ago, IOActive can get stuffed."

    A) The "reasonable period of time" thing is a courtesy, not any sort of legal requirement. I do agree with the sentiment that the vendor should get some time (like a month at least) to respond. But, the flip side of that, some vendors' response to advance notice is to try to gag the information from coming out (like this vendor is doing) and then not fix the flaw at all (will the vendor also do this?). I contend the advance notice is to give vendors time to fix the flaw, and vendors whose response is to gag information rather than fix the flaw are bad actors and do not deserve advance notice at all. (I think this also applies to vendors who just fix flaws in the next version of their software, months or years later (usually a paid update), with no disclosure.) I don't know if the vendor here is in this "bad actor" category but it would not at all surprise me.

    B) Given the general state of the SCADA industry, this is probably NOT some subtle flaw they didn't already know about; it's probably a real boner like "if you skip authentication the SCADA lets you send it commands anyway" or "no sanity checks whatsoever are run on input to the system" or some such thing.

    C) DMCA is a *copyright* law; DMCA simply does not apply.

    1. Roland6 Silver badge

      Re: A few points

      "When did IOActive formally advise the vendor of the flaw

      Given the way many companies make formal announcements through the media, I think IOActive announcing the flaw to the trade press can be argued to be a formal advisory, unless the vendor can show the existence of a contract and hence demonstrate breach of contract... Perhaps IOActive's mistake was to not test a couple of other similar devices and post the combined results as a 'review'.

    2. Alan Brown Silver badge

      Re: A few points

      "But, the flip side of that, some vendors response to advance notice is to try to gag the information from coming out"

      The moment a vendor does that, they lose any consideration of a response time.

  14. Anonymous Coward
    Anonymous Coward

    Barbra Streisand,

    is that you?!

  15. martinusher Silver badge

    Oops

    What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of products and systems. Demonstrating that they're not that secure will undermine this business, possibly terminally, so you'd expect them to fight back. They do have one thing in their defense as well. Their keysystems may be cryptographically crude but they're adequate for the use that they're being employed for -- after all, you don't need sophisticated algorithms to defeat their locks, a crowbar or bolt cutter will do the job.

    Using the DMCA is a dumb move, though. Surely the better thing is to talk to IOActive about minimizing the damage that disclosure will cause and coming up with a plan to remedy any shortcomings in the existing product line?

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Oops

      What's wrong with a standard piece-of-metal key, then?

      1. 2+2=5 Silver badge

        Re: Oops

        > What's wrong with a standard piece-of-metal key, then?

        If you search Youtube for 'lock picking' you'll see that there's quite a lot wrong with the standard piece of metal key.

        Mass manufactured locks seem to have been pieces of shit for .... well, forever really. And this cyber-lock business is simply more of the same.

    2. John Smith 19 Gold badge

      Re: Oops

      "What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of products and systems. "

      Wrong.

      There seems to be something about the makers of RF security locking devices that says "We'll knock up some cheap computationally simple algorithm but no one will ever know because it's a secret"

      It seems the "security by obscurity never works" meme has not penetrated the syllabus of the MBA course.

      TL;DR: Company management did it to themselves.

    3. John Smith 19 Gold badge
      FAIL

      @martinusher

      "Surely the better thing is to talk to IOActive about minimizing the damage that disclosure will cause"

      Why? It was a management decision to sell something that was cheap to make and insecure in use. If you've decided to do that your "business continuity" or "disaster recovery" planning should have covered the eventuality that your product would be discovered to be a PoS.

      "and coming up with a plan to remedy any shortcomings in the existing product line?"

      Again, why?

      AFAIK all of Cyberlock's trouble is due to internal management decisions. Their development team should have warned them the system was vulnerable (and I hope they kept the emails where they did so). If they didn't, it would seem they were pretty incompetent as well.

      It seems a whole generation of "managers" has grown up that doesn't have the ability to stand by their decisions and whines "Oh, the market/Board/creditors/partner/voices-in-my-head made me do those things".

      No.

      You did it because you wanted a big bonus, a big pay rise and stock options. Everything else is self justifying BS.

      You want to be a manager, manage the mess you made.

    4. Peter Simpson 1
      WTF?

      Re: Oops

      "What IOActive have unwittingly done is demolish an entire business. Cyberkey has a thriving business based on an extensive range of now shown to be unfit for purpose products and systems. "

      Don't shoot the messenger.

      And if I were a CyberLock customer, or potential customer, I'd just as soon know that there were holes in my security, because I'll bet the Bad Guys already do!

      CyberLock can either keep selling what they're currently selling, or use the information provided to improve their product. Their business fortunes will change according to their decision.

    5. Adrian 4 Silver badge

      Re: Oops

      Would you say the same thing about someone peddling patent medicine, claiming cures where none exist ? Because a security device that fails to offer adequate security is the same. It's fraud.

  16. Anonymous Coward
    Anonymous Coward

    So, if I get this right..

    .. CyberLock is now directly liable for any breaches of premises with their devices, as they are preventing their clients from finding out the details so that they can put countermeasures in place.

    I may have missed when this vulnerability was conveyed to CyberLock, but if they had prior notice and didn't brief customers they will soon be in trouble. All it takes is a breach of a large customer and the *real* legal games begin..

  17. Anonymous Coward
    Anonymous Coward

    Perusing this Cyberlock website...

    ...it advertises the following 'case study':

    Case Study: Amsterdam Metro

    "Some of our employees have literally tried to open all doors with their keys. We can see that in our log files."

    I don't know which way this cuts in the Netherlands, but bragging about disregarding employee privacy (whether legal or not and whether there is a real operational need or not) doesn't strike me as the cleverest PR move ever.

    1. Black Betty

      Re: Perusing this Cyberlock website...

      What employee's privacy? What names were named?

      What do we know? That SOME (less than all of a quite large workforce) employees of Amsterdam Metro tried lots of doors they knew they shouldn't open.

      1. Alan Brown Silver badge

        Re: Perusing this Cyberlock website...

        "That SOME (less than all of a quite large workforce) employees of Amsterdam Metro tried lots of doors they knew they shouldn't open."

        For all you know they might be encouraged to do so in order to test that security is actually working.

    2. Christian Berger Silver badge

      Re: Perusing this Cyberlock website...

      Well... they know about the ones who haven't just exploited issue 7... using a magnet!

  18. Anonymous Coward
    Anonymous Coward

    "Cyber"

    Are there any worthwhile companies or products with Cyber in the name, or is it always an ill-advised portent of doom [e.g. Sirius Cybernetics]?

  19. This post has been deleted by its author

    1. Fred Flintstone Gold badge

      Crude as it is, I would opt for another letter substitute (L to C)..

  20. hayzoos

    DMCA?

    There is no copyright protection mechanism being circumvented, DMCA does not apply. Draw a new straw and see what other legal mechanism can be leveraged to gag the nasty business plan killing security researchers long enough to cash out and lay low.

  21. Graves
    FAIL

    Well, there's one company that can forget about any sort of 'responsible disclosure' from now on, provided this massive cockup doesn't just kill their business outright.


Biting the hand that feeds IT © 1998–2019