Using the Law to Silence Whistleblowers
Disclosure of security vulnerabilities in software may now invite legal action.
Will companies start using legal threats to silence vulnerability whistleblowers?
That may be what happened to Next Generation Security Software
(NGS Software) after it found numerous security holes in a Sybase
database product in late 2004.
NGS recently sent an e-mail to NTBugtraq.com,
my company's security e-mail list, stating that Sybase had threatened legal action if
NGS published details of the holes in its Sybase Adaptive Server Enterprise product.
NGS, a very responsible security company, informed Sybase of the vulnerabilities
and stated they would publish details in three months. This is perfectly normal
and acceptable practice in the security arena.
Sybase, however, took the extraordinary step of threatening NGS with legal
action. Some compromise was reached shortly thereafter, and a joint NGS-Sybase
press release stated their differences had been resolved. NGS then published
the details they had previously promised to publish.
One has to wonder just what the point of all of this was. It may be that Sybase
wanted additional time for its customers to deploy the patches, which it had
announced to its customers in February. Regardless, the threat of legal action
against vulnerability disclosers could have a chilling effect, as many potential
whistleblowers lack the resources to be able to defend themselves.
Microsoft has filed civil lawsuits against 117 alleged
phishers. The "John Doe" suits were filed
in the U.S. District Court for the Western District of Washington in Seattle,
and are targeted at phishing sites that pretend to be MSN and Hotmail sites.
By filing the suits as "John Doe," Microsoft will be able to obtain
warrants and other orders to collect information that may assist in determining
who is responsible for the phishing sites.
The Ninth Circuit of the U.S. Court of Appeals has
bolstered the legal stance of protest Web sites. It ruled in favor of Michael
Kremer, who runs Wal-MartCanadaSucks.com, stating that the site did not infringe
on Wal-Mart's trademark because it isn't a commercial site.
This column was originally published in our weekly Security Watch newsletter.
The concern here is about the definition of a "commercial" Web site.
A phishing site may or may not be construed as commercial, depending on the
court's intended definition. If it only means sites which offer goods for sale,
then a phishing site may well not be commercial. If, on the other hand, commercial
simply means monetary gain in any form, then a phishing site is commercial.
Hopefully this ruling won't prevent litigation against phishing sites.
Topoff 3, a terrorism defense exercise, will cost
$16 million, the same as Topoff 2, which took place in May 2003. In that scenario
terrorists unleashed a large-scale cyberattack, set off a dirty bomb in Seattle
and released a pneumonic plague in Chicago. The exercise included 8,500 participants
from federal, state and local agencies and 21 from Canada.
Cisco IOS contains vulnerabilities when configured
as an Easy VPN Server that could allow a remote attacker to obtain unauthorized
access to network resources. Updated software is available.
Denial of Service
Cisco IOS with SSH enabled contains vulnerabilities
that could allow a remote attacker to create a denial of service condition on
the affected device. Patches are available.
New Symbian OS malware was launched in the last 24
hours which causes a cell phone to go into infinite reboot if a reboot attempt
Once this loop has begun, it's impossible to get a disinfector on the phone.
Symbian runs on Nokia phones, as well as phones manufactured by Nokia for other
mobile phone vendors.
Police have alleged that Michael Kemly, a cable TV
technician who formerly worked for Adelphia Communications,
cut that company's cable to Martha's Vineyard in two places recently. As a result,
the 4,000 subscribers on the island lost their TV and Internet services.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.