Re: InfoSec sleuths beware, Microsoft's attorneys may be knocking at your door

[Blue Boar <BlueBoar () thievco com>]

Bernie, CTA wrote:
> Could Microsoft's attorneys go after sleuths who are, have been 
> disclosing vulnerabilities in Microsoft's software and allege 
> that the individual had discovered the vulnerability because 
> they downloaded the code and examined it? Good tactic to impede 
> pen testing, security research, or disclosure of security 
> threats, which in the past have cast a ominous shadow on MS, is 
> it not?  
>
> It may be wise for security sleuths to fully document their 
> vulnerability / exploit discovery process, when, how, what, why. 
> I'm sure Microsoft's attorneys will be serving production of 
> documents request upon a select group. Note that under US 
> Federal law, limited discovery to perpetuate testimony regarding 
> any matter can be performed before a lawsuit is actually filed.

There are clear, admitted cases of reverse engineering by vulnerabiity
researchers, which are prohibited by EULA, and which MS has so far
declined to pursue.  Why should this be different?  MS afraid the EULA
restrictions wouldn't hold up?

                                        BB


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html