
Lawsuits Threaten Infosec Research -- Just When We Need it Most (zdnet.com)

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.
  • SLAPP? (Score:5, Interesting)

    by Registered Coward v2 ( 447531 ) on Wednesday February 21, 2018 @10:53AM (#56163213)

    IANAL, but it would seem some of the threats border on using threats of a lawsuit to silence critics. Unfortunately, it takes money to defend yourself, so it may be less painful simply to shut up.

    I wonder if the threat of discovery and fighting to keep it public would stop some lawsuits as it would force companies to reveal potentially damaging information. You want to sue? I'll prove what I said is materially correct by demanding your code, internal memos, etc. related to bugs. I guess we'd need a high powered lawyer who is interested in security to decide to do one pro-bono.

    The other option is to anonymously release bug data as soon as they are discovered to screw over companies that threaten lawsuits. If they don't want to play nice it's time to stand up to them in other ways.

    • Maybe some precedents linking SLAPP to malicious prosecution, then lawyers would take the case on spec to harvest the settlement
  • by postbigbang ( 761081 ) on Wednesday February 21, 2018 @10:54AM (#56163217)

    Although some CEOs believe any PR is good PR, this will not end well for them. They screwed up. The problem was reported. It was fixed. That was reported. But they go for the throat of the reporter anyway.

    It's pretty ugly karma.

  • How about wiki-sec? Anon white-hat dumping ground.
    • How about wiki-sec? Anon white-hat dumping ground.

      There are plenty of anonymous (not Anonymous) dumping grounds. Here's one: https://pastebin.com/ [pastebin.com]

      There are many varied options. You don't make money by publishing articles on pastebin, though.

      • okay ... see below... if I make secsleaks.org, what would be a cool "bounty" model? Maybe a kickstarter for leaks? Have a payout scale on the verifiable data, based on the gravitas of the info. Anything to move good info away from fucking blogs.
    • Security Stat Leaks - secsleaks.org should be the name.
  • Regarding "If they can make up and fabricate events and have a jury believe them -- well that's going to have a far greater effect than chilling researchers and data breach reporting," I wonder if a blockchain might be useful to allow multiple people including journalistic outfits in different countries to confirm the facts at identifiable points in time. This might weaken the ability of rich, illegal operations to attempt to sue lone security researchers.

    • by jd ( 1658 )

      There are easily enough company employees and astroturfers out there to exceed the 50%+1 needed to falsify a blockchain. You'd end up with "hard evidence" which proved that the moon landings were fake, McDonald's provided food, and that the defendants were in league with Satan.
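
    The comment above asks whether several parties in different countries could confirm facts at identifiable points in time. As an added example (not code from the page, nor from any party in the story), here is a minimal hash-chained commitment log in Python: each witness records the SHA-256 of the published text together with a timestamp, each entry also commits to the previous one, and a verifier can later check both that the chain is intact and which witnesses committed to exactly which version. It is a plain hash chain that every witness keeps and republishes independently, not a mined blockchain, so it says nothing about the consensus concern raised in the reply; the witness names, timestamps and article text are constructed sample data.

```python
"""Hash-chained commitment log: an added illustration, not from the page.

Each witness appends an entry committing to the SHA-256 of a document and to
the previous entry's hash. Anyone holding a copy of the log can verify the
chain and see which witnesses vouched for a given text at a given time.
"""
import copy
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every party hashes the
    # same bytes for the same fields; the "hash" field itself is excluded.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CommitmentLog:
    """Append-only log where every entry links to the one before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, witness: str, document: bytes, timestamp: str) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": timestamp,  # ISO-8601 string supplied by the witness
            "witness": witness,
            "doc_sha256": sha256_hex(document),
            "prev": prev,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True iff every entry's hash is correct and links to its predecessor."""
        expected_prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != expected_prev:
                return False
            if entry_hash(entry) != entry["hash"]:
                return False
            expected_prev = entry["hash"]
        return True

    def witnesses_for(self, document: bytes) -> Dict[str, str]:
        """Map witness -> timestamp for every entry committing to exactly this text."""
        digest = sha256_hex(document)
        return {e["witness"]: e["time"] for e in self.entries if e["doc_sha256"] == digest}


# Constructed sample data: two versions of a draft and three hypothetical witnesses.
ARTICLE_V1 = b"Draft v1: the flaw was reported on Monday and the vendor shipped a fix on Tuesday.\n"
ARTICLE_V2 = b"Draft v2: the flaw was reported on Monday and the vendor has not shipped a fix.\n"


def build_sample_log() -> CommitmentLog:
    log = CommitmentLog()
    log.append("outlet-a.example", ARTICLE_V1, "2018-02-20T09:00:00Z")
    log.append("outlet-b.example", ARTICLE_V1, "2018-02-20T09:05:00Z")
    log.append("outlet-c.example", ARTICLE_V1, "2018-02-20T09:07:00Z")
    return log


def tampered_copy(log: CommitmentLog) -> CommitmentLog:
    """Rewrite outlet-b's entry to claim it saw v2, recomputing that entry's own hash.

    The forged entry is self-consistent, so only the link from the *next*
    entry (whose "prev" still names the original hash) exposes the edit.
    """
    bad = copy.deepcopy(log)
    bad.entries[1]["doc_sha256"] = sha256_hex(ARTICLE_V2)
    bad.entries[1]["hash"] = entry_hash(bad.entries[1])
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify_chain())
    print("witnesses for v1:", sorted(log.witnesses_for(ARTICLE_V1)))
    bad = tampered_copy(log)
    print("tampered chain ok:", bad.verify_chain())
    print("tampered copy claims v2 witnesses:", sorted(bad.witnesses_for(ARTICLE_V2)))
```

    The point of the chain is that a forged entry cannot be slipped into a copy of the log without either breaking its own hash or breaking the link from the entry after it, so a verifier comparing copies held by different outlets sees where they diverge. The example does not sign entries; a real deployment would have each witness sign its entries so that a forged entry could not simply be regenerated in someone else's name.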

  • What you sow... (Score:4, Insightful)

    by jbmartin6 ( 1232050 ) on Wednesday February 21, 2018 @11:57AM (#56163545)
    Any company that sues researchers in this way should be assumed to be relinquishing any claim to responsible disclosure in the future.
    • Perhaps some of the folks who don't bother with "responsible disclosure" simply know what we are just now learning about.

      It's easier and cheaper for the Company in question to simply sue, or threaten to sue, any individual who dares to shine a light on a security flaw.
      As a result, why be nice about it?

      If you can't coerce them with a carrot, there is always the stick.

  • by forkfail ( 228161 ) on Wednesday February 21, 2018 @12:23PM (#56163731)

    Don't they know that the best security is security through obscurity?

    That if the bad guyz don't know about the h@x0rz that they can't hax teh big ironz n cloudz? /reallyBadSnarkOrSomething

  • by SlaveToTheGrind ( 546262 ) on Wednesday February 21, 2018 @02:06PM (#56164721)

    If Keeper wins this, they'll win because of misstatements/overstatements in Goodin's initial article that he significantly walked back multiple times, as laid out in Keeper's complaint [documentcloud.org]. The research prompting Goodin's and other similar articles was not the issue.
