From: cta at hcsin.net (Bernie, CTA)
Subject: InfoSec sleuths beware, Microsoft's attorneys may be knocking at your door

On 18 Feb 2004 at 13:06, Blue Boar wrote:
> Bernie, CTA wrote:
> > Could Microsoft's attorneys go after sleuths who are, have been
> > disclosing vulnerabilities in Microsoft's software and allege
> > that the individual had discovered the vulnerability because
> > they downloaded the code and examined it? ...

> There are clear, admitted cases of reverse engineering by
> vulnerability researchers, which are prohibited by EULA, and which
> MS has so far declined to pursue.  Why should this be different?
> MS afraid the EULA restrictions wouldn't hold up?
> 
<<<
Microsoft's EULA is essentially an agreement between the 
parties. Likewise, prosecution for breach of the terms would 
mostly fall under contract law, and therefore be ambiguous, 
complicated for the Plaintiff to litigate and usually simply 
blown out by Defendant filing a Summary Judgment Motion (SJM), 
i.e., a demand that Plaintiff present some evidence of material 
fact on every material issue for which he will bear the burden 
of proof at trial. If Plaintiff fails to do so, Defendant is 
entitled to judgment as a matter of law. 

However, prosecutions under Trade Secret / Copyright law are 
more costly to defend than contract law type cases, and are 
harder for the Defendant to simply blow off. Plaintiff could do 
pre-suit discovery, get interrogatories, and along with 
affidavits file for summary judgment in its favor to then shift 
the burden of proof toward the Defendant and/or force 
settlement.

The supposition…
M does not like the fact that  cyber sleuth X has been 
discovering and disclosing vulnerabilities about its OS. So, M 
prepares and serves X with a pre-suit discovery request 
(interrogatories, maybe production of documents) and asks 
questions concerning their knowledge of the leaked OS code, and 
to describe in detail how they discovered the vulnerability/flaw 
in M's OS. X did not document exactly how they discovered the 
vulnerability so they respond claiming the information requested 
is privileged and essentially go pound sand. M then files a 
civil lawsuit for copyright infringement and/ or trade secret 
theft, alleging among other things:
a. X is in the Security industry and knew about the leaked OS 
code
b. X posted their discovery of an unpublished vulnerability/flaw 
in M's OS
c. M did pre-suit discovery and asked X how (what tools, when, 
how) they discovered the Vuln, but X could not describe the 
process in any reasonable manner.
d. Therefore X must have used/examined M's leaked OS in order to 
discover the flaw
e. X used the leaked OS without any authorization from M.
f. X knew the M's leaked OS was protected by copyright or trade 
secret.
g. blah blah blah…

Therefore, M was damaged by X's action and we want money, lots 
of money…

After 20 days or so M can motion for summary judgment and force 
X to produce evidence to prove how he discovered the flaw/vuln. 
If X can't, M could get summary judgment in its favor. However, 
there are challenges that X could raise, but in the meantime X 
is spending lots of money on attorneys.

So who does M not like?

--
****************************************************
Bernie / cta@...in.net
Chief Technology Architect / Chief Security Officer
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************