Full Disclosure mailing list archives
Re: InfoSec sleuths beware, Microsoft's attorneys may be knocking at your door
From: "Bernie, CTA" <cta () hcsin net>
Date: Wed, 18 Feb 2004 17:27:25 -0500
On 18 Feb 2004 at 13:06, Blue Boar wrote:
Bernie, CTA wrote: Could Microsoft's attorneys go after sleuths who are, have been disclosing vulnerabilities in Microsoft's software and allege that the individual had discovered the vulnerability because they downloaded the code and examined it? ...
There are clear, admitted cases of reverse engineering by vulnerability researchers, which are prohibited by EULA, and which MS has so far declined to pursue. Why should this be different? MS afraid the EULA restrictions wouldn't hold up?
<<< Microsoft's EULA is essentially an agreement between the parties. Likewise, prosecution for breach of the terms would mostly fall under contract law, and therefore ambiguous, complicated for the Plaintiff to litigate and usually simply blown out by Defendant filing a Summary Judgment Motion (SJM), i.e., demand that Plaintiff present some evidence of material fact on every material issue for which he will bear the burden of proof at trial. If Plaintiff fails to do so, Defendant is entitled to judgment as a matter of law.

However, prosecutions under Trade Secret / Copyright law are more costly to defend than contract law type cases, and are harder for the Defendant to simply blow off. Plaintiff could do pre-suit discovery, get interrogatories, and along with affidavits file for summary judgment in its favor to then shift the burden of proof toward the Defendant and/or force settlement.

The supposition: M does not like the fact that cyber sleuth X has been discovering and disclosing vulnerabilities about its OS. So, M prepares and serves X with pre-suit discovery request (interrogatories, maybe production of documents) and asks questions concerning their knowledge of the leaked OS code, and to describe in detail how they discovered the vulnerability/flaw in M's OS. X did not document exactly how they discovered the vulnerability, so they respond claiming the information requested is privileged and essentially go pound sand.

M then files a civil lawsuit for copyright infringement and/or trade secret theft, alleging among other things:

a. X is in the Security industry and knew about the leaked OS code
b. X posted their discovery of an unpublished vulnerability/flaw in M's OS
c. M did pre-suit discovery and asked X how (what tools, when, how) they discovered the Vuln, but X could not describe the process in any reasonable manner.
d. Therefore X must have used/examined M's leaked OS in order to discover the flaw
e. X used the leaked OS without any authorization from M.
f. X knew M's leaked OS was protected by copyright or trade secret.
g. blah blah blah

Therefore, M was damaged by X's action and we want money, lots of money.

After 20 days or so M can motion for summary judgment and force X to produce evidence to prove how he discovered the flaw/vuln. If X can't, M could get summary judgment in its favor. However, there are challenges that X could raise, but in the meantime X is spending lots of money on attorneys.

So who does M not like?

--
Bernie / cta () hcsin net
Chief Technology Architect / Chief Security Officer
Euclidean Systems, Inc.

// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>