Lawyers threaten researcher over key-cloning bug in high-security lock (arstechnica.com)
160 points by wglb on May 6, 2015 | hide | past | favorite | 85 comments



(Background: I'm a computer security researcher and lawyer at Stanford.)

When a security researcher gets threatened, there's a tendency to lambast the lawyers. I think that's unfortunate.

It is, very often, the client that demands an aggressive response. A lawyer should counsel against, since nastygrams to researchers tend to summon negative attention. Not being a jerk is also a plus.

That said, if a client insists--and they often do--the lawyers have little choice. Professional ethics generally require following the client's direction, and there isn't sufficient time to withdraw as counsel.

So, for the most part: Don't blame the lawyers, blame the DMCA. It's the law that's broken.


That's a fair argument for not blaming the lawyers. But I don't think that line of reasoning deflects blame away from the company demanding they pursue legal action.


What about when EFF tries to kill bogus patents and trial lawyers lobby against it because they make too much money from bogus patents? Can we blame the lawyers then?

What I'm trying to say is that perhaps sometimes it's not just the law's fault - but the lawyers also like having said law and abusing it.

Also, this is going to get even worse if Obama has his way with the new "enhanced" CFAA law that can jail people even for breaking a company's ToS.


Is it generally a lawyer's job to advise a client when a case may attract negative publicity? Do they even care?


I'm pretty sure that 'cha-ching' is mostly what matters. Hate to be cynical but..


It's a motivator. Counsel gets paid much more to bring a suit than to smack sense into its client.


At some point, does counsel have enough money to choose smacking instead of more pay?


Yes, of course. Advising clients to take actions that make them look bad doesn't sound like a way to expand your practice.


Hmmm... compare http://www.loweringthebar.net/2015/03/obligation-to-make-sen... .

According to that one, it is not acceptable for a lawyer to file the petition his client wants him to file, if that petition doesn't meet the court's standards. If judges can censure lawyers for acceding to their clients' demands, so can the rest of us.

How much time does it take to withdraw as counsel?


There's a big difference between a court filing and lawyerly nastygram. By sending inappropriate nastygrams you're not wasting the court's time.


I can see why the judge would see this as an important difference, but I don't see that it actually is one. Why do I care which option wastes the court's time?


You have responsibility for your actions even if you're legally forced to do them. This sane principle was officialized in the Nuremberg trials [1].

Edit0: In fact, the principles were more specific to international law vs national law and orders. However, the idea behind it is still sane even if you don't violate international law.

Edit1: It's about recognizing personal responsibility.

Edit2: Those who disagree, why?

[1] http://en.m.wikipedia.org/wiki/Nuremberg_principles


Nuremberg? Wasn't the story about computer nerds or something?

http://www.americanbar.org/groups/professional_responsibilit...

Many state bar associations have rules like that one. Lawyers can make good-faith arguments that their client's behavior isn't illegal. They can't break the law for their clients or help their clients break the law.

No one should be stuck, unable to get a lawyer and put up a fair legal fight, just because some part of the population condemns them as amoral, but can't pass a law expressing that condemnation that stands up to civil liberties challenge. Lawyers should serve hated people, too, and ideally do for them just as they would do for themselves if they understood the law and the system.

Lawyers who can do that for truly loathsome clients are superheroes. They often set aside deep feelings and strongly held personal convictions in the service of the greater value of a fairer legal system. It's a real-life Gom Jabbar test, and repeat sittings have driven many good lawyers to self-destruction, one way or another.

So: If you don't want lawyers helping assholes, try and pass a law against being an asshole. It would be vague. Prejudiced assholes would wield it against legitimate non-assholes. Good lawyers defending actual assholes would kill it in court.

More succinctly: https://youtu.be/WMqReTJkjjg?t=2m10s


> Those who disagree, why?

They probably feel that the Nuremberg trials are a hyperbolic example here, and worry that line of argument brushes a little too close to Godwin's Law.

Upshot, we probably all agree with you that everyone has personal responsibility for their actions. There are still situations where we want attorneys to listen to their clients though.


Godwin's law is overused to shut down legitimate topics. And while the point may be the most extreme, it is still a very valid point. If one wants to say it is different, one needs to articulate why.


Thank you for bringing sense into this discussion.

I wouldn't say extreme, but fundamental. I referenced the Nuremberg Principles because they are so fundamental and I genuinely don't know a better example.

Several people in the community misuse down-votes. They down-vote on-topic, constructive and serious discussions which disagree with their opinion instead of simply articulating their criticism.


Godwin said, "I wanted folks who glibly compared someone else to Hitler or to Nazis to think a bit harder about the Holocaust"[0]

I suppose because "Godwin's law" is in the dictionary now you are free to add meaning as you like, but I wouldn't be happy about this Stack Overflow-like meta trivial pursuit at the expense of logic if I were Godwin.

[0] http://en.wikipedia.org/wiki/Godwin%27s_law


He understood memes and introduced species enough to introduce a meme as a predator to a different meme, but ignored that introduced species with no predators quickly become invasive themselves.

So if he's not happy, he's only got himself to blame.


But it has a predator: critical thought.


Do you have a better example where personal responsibility was officially upheld?


A story about a two year old learning about agency would be a better example; there are millions of better examples for this context.

The most extreme example of a thing you can find is not usually the ideal example to use for most contexts. Rather than clarifying things, if it dwarfs the context, it then appears automatically ridiculous even if the basic argument is sound.


> A story about a two year old learning about agency would be a better example,

This is not an example for official upholding of personal responsibility.

> there are millions of better examples for this context.

This is hand-waving. I used the Nuremberg trials specifically to not hand-wave.


"This is hand-waving. I used the Nuremberg trials specifically to not hand-wave."

Now that is funny, though I suspect unintentionally, and in horrifically bad taste either way.


I think there is some kind of misunderstanding.

I did not intend to be funny nor do I see why it was bad taste.

My question for a better example was genuine.


Presumably lotsofmangos is making a reference to the Nazi salute.


Ah, I see. Well, it wasn't meant like this.

It was meant as a pejorative label for him stating

    there are millions of better examples for this context
without providing one valid example.


I provided a valid example. It was admittedly a bit of a rubbish example, but then it was intended to be. But nevertheless, a story about a two year old learning about agency, as in, concepts of personal choice and consequence of action, is an example much better suited to the context of whether lawyers should send out strongly worded cease and desist letters when their clients tell them to, than relying on the court response to the Nuremberg defense in the face of genocide.


    I provided a valid example.
No, you did not.

I asked for "a better example where personal responsibility was officially upheld". Your example was explaining a child's agency, which _does not_ include officially upholding personal responsibility.

Furthermore, I did not draw any comparison between the Nuremberg Trials and the case in question, but used them only to substantiate my argument for personal responsibility. Reread what I wrote if you are doubting.

Don't assume everybody does cheap puns and invalidly makes up connections between what was said. If I mean it, I say so.


> I asked for "a better example where personal responsibility was officially upheld".

Add an adult to the story then. Hell, add a teacher, knock yourself out. For making the point of not merely doing as instructed though and having personal responsibility, this need for official confirmation in the metaphor seems awfully weird.

> Don't assume everybody does cheap puns and invalidly makes up connections

I didn't, I said I thought you were probably being unintentionally funny.


    Add an adult to the story then. Hell, add a teacher, knock yourself out.
I don't know a better example. If I had one, I wouldn't have asked. In my experience people defend themselves by saying they were told to do it or that there are laws forcing them.

    For making the point of not merely doing as instructed though
    and having personal responsibility, this need for official
    confirmation in the metaphor seems awfully weird.
There are a lot of things we might think should be, but many are not officially recognized. Having my point officially recognized is essential for its substance.

It is not a metaphor.

However, I think we were just misunderstanding each other. My question was serious and genuine.


It was admittedly the first thing that came to mind from a sentence about Nuremberg and handwaving.


If all that Hitler had done was get Goebbels to send out threatening letters to people who remarked that he had left his door unlocked, then referencing Nuremberg over lawyers sending cease and desist letters on behalf of a padlock manufacturer might not seem quite so ridiculous.


There is value in doing your legal duty, even if some people think your duty is to do a bad thing. "I was just doing my job" is not considered a sufficient defense of Nazi actions because their actions were so terrible that being legally required to do them does not mitigate that. Threatening legal action, on the other hand, is an ordinary event that can be easily excused as "just what lawyers have to do for their clients."


I don't know this for sure, but I seem to recall that lawyer's professional rules of conduct require them to not leave clients in the lurch, without providing them ample warning to find new counsel.

I believe this is what the GP poster is mentioning when he says that there often isn't "sufficient time to withdraw."


There are plenty of times that one has a duty to violate the law. Consider that the US Supreme Court does not render advisory opinions; to overturn an unconstitutional law, one must violate it first, then defend oneself all the way to the Supremes.

This is a very risky proposition as it happens all the time that the Supreme Court will deny certiorari over some petty issue.

If you wonder why I use my real name here and elsewhere online, it's because I regard it as my duty to - someday - defend myself before the Supreme Court.


> Consider that the US Supreme Court does not render advisory opinions; to overturn an unconstitutional law, one must violate it first, then defend oneself all the way to the Supremes.

Please don't take this the wrong way: Research this topic further!


I've been working on that for a while.


> The advisory went on to say that "site keys" are stored in unencrypted, "cleartext" form that can be recovered from the lock cylinders.

Why do developers keep doing this? As a programmer, I've never worked with crypto implementation and I don't really know much about it on a practical level, but the one thing I do know is that you never store anything sensitive in plaintext. Ever! So how do so many devs who have, at the very least, spent far more time than I have Googling about crypto implementation, keep missing this?

It's as if there was an epidemic of wet kitchen floors sweeping the nation because thousands of plumbers, working independently, all repeatedly forgot to install traps under their sinks. Why does this one rank-amateur mistake keep happening?


I don't see how this is an amateur mistake. Presumably the key material on the device needs to be available to its onboard computer. So, the computer needs to load it or work with it. You could encrypt it, sure, but with what key? Another key stored locally in plaintext?

Could you explain what alternative should be used in this case?


Use a salted hash like everybody else does with passwords?


You can't decrypt information or validate a public key's signature with the hash of a private key. You need the actual private key unencrypted at some point; we solve this in most of our certs by encrypting them with a password that the user has to enter to decrypt, but access to the unencrypted private key is absolutely required at some point.

Hashing is for passwords, not for keys.


Thanks. Is it just a plaintext password? The exact mechanism wasn't obvious to me from the article, though I see the tech report has more detail. If authentication is based on storing a password on the key and sending it over the wire, then there's nothing to prevent capturing that and cloning a key. I guess that's the point. I agree that if the auth is a password challenge, then hashing it will prevent recovery of the key from the cylinder though.

Sounds like their lock is really just a "digital key", with wires sending bits that take the place of tumblers.


When you start decapping chips and hitting them with lasers, there are all sorts of "cleartext" data you will be able to obtain.


That is true, but considering that this isn't your average website, but a high-security certified product, there should have been security-trained professionals working on the hardware, at the very least when they got the notice - they have no excuse.


If you knew how cars are made...


IOActive's findings enable a very difficult but devastating man-in-the-middle attack against anyone buying or storing these locks. It's really hard to clone a key to these locks, but once that's done the lock can be reassembled, and the attacker can use the copy to open it.

It's NOT like you can walk up to one with a thumb drive and pwn it.


IOActive's findings allow an attack where you can obtain one sample of the lock and gain the master key for the entire lock system.

So you walk up to the unguarded bike shed, take your time chopping off the lock with a hacksaw, and now you have access to the storage area. Normally the guard would come around before you'd be able to cut off that lock, but since you now have a key it's much quicker, and you wouldn't look suspicious to the guard anyway.


Unclear on the concept:

> Moreover, IOActive's reverse engineering process required the use of skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public

This works so long as attackers have no more resources than the average guy in the street.


I am wondering how can you dodge this if you are a security researcher in the US.


Publish the fact that it can be done without publishing how to do it (yes, you have to be reputable). I think it's interesting that the lawyer focused on the fact that they depackaged the chip when the (in my mind) bigger vulnerabilities don't require that.

I think it would be interesting to sue a company like CyberLock for false advertising ... "impossible to clone keys" is clearly false.


> Publish the fact that it can be done without publishing how to do it (yes, you have to be reputable).

Chances are that just changes the lawsuits to defamation ones.


Truth is an absolute defense to defamation.


Expensive lawyers and extended litigation are a non-absolute but often effective defense to truth.


Indeed, if you do so you must word your blog post very carefully not to make any claims you can't fully back up with a PoC. Such as being very specific about what versions/configurations are vulnerable.


Which might just force you to show how you cloned the key in court ... if you can actually clone the key it's not defamation.


It'll force you to hire expensive lawyers for all the pre-court maneuvering, which tends to be a good deterrent to any small agency or freelance consultant.


Defamation suits are rare in the U.S. because they're so hard to win.


You don't have to win it to bankrupt the target with pre-court maneuverings.


And what "pre-court maneuverings" would that be?



That procedure starts with the pleadings, which aren't "pre-court." They are the first step in a court proceeding.


Here is a good starting point:

https://www.law.cornell.edu/rules/frcp


Depending on your purpose you could publish it anonymously - just make damn sure it can't be traced back to you. It won't help you much if your goal is to build reputation or you want to be able to talk about it.


So, like level 2 of microcorruption?


Not really. Despite the name and theme, Microcorruption was about the kinds of vulnerabilities that exist in desktop and server systems; actual embedded exploration is very different. Typically there's a site key sent from the lock to the key, which authenticates itself with a second site key - often all in plaintext, on the more insecure systems. So you just sniff the communications.
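An added illustration, not code from this thread or from CyberLock, of the two designs discussed above: the cleartext site-key exchange this comment describes, and the hashed challenge alternative raised earlier in the thread. It is a constructed model: scheme A sends the shared site key in the clear, scheme B answers a lock-issued nonce with an HMAC, so the transcript a passive observer records never contains the secret and a replayed response fails. The site key, frame formats and function names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed model of two key<->lock authentication schemes, written for
# this thread. It is not CyberLock's real protocol; every value is assumed.
SITE_KEY = b"constructed-site-key-0001"  # secret provisioned into key and lock


def transmit_static_secret(wire):
    """Scheme A: the key proves itself by sending the site key in cleartext.
    `wire` is a list recording every frame a passive observer would see."""
    msg = b"AUTH " + SITE_KEY
    wire.append(msg)
    # Lock side: compare what arrived with the provisioned secret.
    return hmac.compare_digest(msg[5:], SITE_KEY)


def challenge_response(wire, key_secret=SITE_KEY, replay=None):
    """Scheme B: lock sends a fresh nonce; key answers HMAC(site_key, nonce).
    The secret never crosses the wire. `replay` lets the caller resend a
    previously captured response instead of computing a fresh one."""
    nonce = secrets.token_bytes(16)
    wire.append(b"CHAL " + nonce)
    resp = replay if replay is not None else hmac.new(
        key_secret, nonce, hashlib.sha256).digest()
    wire.append(b"RESP " + resp)
    # Lock side: recompute with its own copy of the secret and this nonce.
    expected = hmac.new(SITE_KEY, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(resp, expected)


def secret_visible_on_wire(wire):
    """Would a passive observer of this transcript learn the site key?"""
    return any(SITE_KEY in frame for frame in wire)


def demo():
    wire_a = []
    ok_a = transmit_static_secret(wire_a)
    wire_b = []
    ok_b = challenge_response(wire_b)
    # An observer who captured scheme B's response and replays it later fails,
    # because the lock issues a different nonce on every attempt.
    captured = wire_b[1][5:]
    replay_ok = challenge_response([], replay=captured)
    return {
        "static_auth_ok": ok_a,
        "static_leaks_secret": secret_visible_on_wire(wire_a),
        "cr_auth_ok": ok_b,
        "cr_leaks_secret": secret_visible_on_wire(wire_b),
        "cr_replay_ok": replay_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```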


Were these vulnerabilities disclosed to CyberLock at all before the results were published? If not, I can't blame them for being angry. Not saying they shouldn't be publicly disclosed in addition to private disclosure, but you have to give a company a fair chance to review the vulnerabilities and at least respond to you before you publish.


According to a comment from phar (one of the researchers) on the article, they gave a month's notice and CyberLock ignored it for 29 days:

> we started a 30 day clock and if at any point someone had responded and said "we need more time", we could have provided more time (to some limit of course).. we even gave them a few extra days after they contacted us on day 29 since no one has done the math

A convenient approach since it lets them whine like children about how they weren't given enough lead time.


>Not saying they shouldn't be publicly disclosed in addition to private disclosure, but you have to give a company a fair chance to review the vulnerabilities and at least respond to you before you publish.

Why? They are the ones who let a vulnerable system onto the market. Why should I be forbidden from going public with legally obtained information when I have no contract with them? I should not share in any blame for their security vulnerabilities as I was never allowed to share it any of their profits (monetary or otherwise).


Simple ethics. If you contact them, you can at least give them time to patch the flaw for software, or time to start producing a new line of locks in this case. If you release it to the world before they're even aware of it, there's a gap where there is absolutely no mitigation whatsoever.


>If you contact them, you can at least give them time to patch the flaw for software, or time to start producing a new line of locks in this case.

Will I be paid for the effort? Or am I expected to give them information for free when they would never do the same for me? Ethics is a two way street and after Superfish (among other issues) I owe this company no ethical obligations.

>If you release it to the world before they're even aware of it, there's a gap where there is absolutely no mitigation whatsoever.

Quite a convenient way to blame me for the security flaw in their product. No, this is solely on them, and as I already pointed out, they have already burned up any professional ethical obligations.


What in the world are you talking about? How is CyberLock responsible for Superfish?


They told the company at least a day beforehand: https://t.co/dnvq8F3Ad0


For anyone reluctant to click on a shortened URL, the full URL is https://lh3.googleusercontent.com/-BwS8oOqrxSQ/VUgoAVekqjI/A...


That's a significantly short amount of time to be able to address an issue before knowledge of the vulnerability becomes public knowledge.

I'm all for releasing a vulnerability after it a) is mitigated or b) becomes clear the responsible party has no plans to address the vulnerability in a timely fashion.

One day is in no way responsible unless the researchers were told pointedly that there was no plan to address the issues.

IMHO.


They (claim they) gave the company 30 days, and assert they could have extended it if it seemed a fix was upcoming and a few more days were necessary, but they only ever got ignored or lawyer-threatened over it.


In a later PDF, the lawyer complains about IOActive wanting access to company engineers on "a few days notice".

I really don't support people throwing around the DMCA, but if the company's lawyer's complaints are accurate (if) then IOActive sounds like they prioritized having a quasi-journalistic "scoop" over professionalism.

https://plus.google.com/118103547235676487972/posts/Sot7Tp1C...


Update: IOActive claims they gave 30 days notice, and that the company ignored it for 29 days. I guess we'll see which side is telling the truth.

Maybe they wanted to try to stealth-fix it without admitting an issue ever existed, and ran out of time?

Or it might be incompetence rather than malice. Maybe someone failed to take action until day 28.


>> An IOActive spokesman said the company has no indication CyberLock will take any legal action.

Well, IANAL, but I can pretty much guarantee they are going to get sued.

As many people say, you only get one reputation, and you must defend it vigorously.

And as many other people say, don't piss into the wind and expect not to get wet...


Slander/Libel, in the UK where this isn't, has to contain falsehoods.

Can people in the US really sue each other for reputational damage even for saying only true things? If so, that is bizarre IMO.


> Slander/Libel, in the UK where this isn't, has to contain falsehoods.

Be careful, this is a dangerous interpretation of UK law. Slander/Libel must contain some element that the person doing the saying/publishing cannot prove in court. Note the burden of proof lies on the person saying/writing rather than the person suing.

(I am not a lawyer and this post does not constitute legal advice.)


sorry, yes, I am aware that the burden of proof is on the accused slanderer, since these are civil rather than criminal cases. I appreciate that that wasn't clear from my original comment.


People can launch all kinds of suits which can't possibly result in victory. The courts won't try a case before they try it to see if the plaintiff would win.


Wouldn't it be easier to just cut off the lock and replace it with a fake imitation that accepts any key?


That'll just get you unrestricted access to that one area. This flaw lets you get the master key, and with that, you have unrestricted access to every locked room in the facility.


>'Cyber'

Literally laughed out loud. It's just become too much of a joke now.



