Sybase invokes licence gag in flaw disclosure row

NGSSoftware negotiations

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Database maker Sybase will likely drop legal threats against a UK-based security company this week, allowing the company to publish details on six flaws, a source familiar with the negotiations said on Monday.

The potential agreement between Sybase and Next-Generation Security Software comes after a two-week dispute over whether the security firm could publish additional details of six flaws it had found last year in the database maker's products. NGSSoftware had been scheduled to released its detailed advisories on 22 March.

"NGSSoftware believes we have solved the issues with Sybase, and we are working on a joint announcement," said David Litchfield, managing director for the London-based NGSSoftware. Litchfield would not say more on the possible deal, since the negotiations are ongoing.

Despite the probable resolution, attorneys and software-security experts warn that the recent legal attacks on vulnerability researchers could signal a resurgence of corporate interest in using the law to silence critical software reports.

Last month, a French court levied a €5,000 ($6,500) fine against a part-time security researcher, Guillaume Tena, on intellectual property violations stemming from the researcher's analysis of an antivirus company's software. While the French court suspended Tena's fine and Sybase has likely resolve its dispute with NGSSoftware, the companies' moves highlight the legal minefield of which vulnerability researchers have to increasingly be wary, said Jennifer Granick, executive director for Stanford Law School's Center for Internet and Society.

"Researchers feel that software companies have so many different legal options - if they want to come after (the researchers), there are so many ways they can," she said. "The choice over whether they want to do their job now comes with more risk."

While many firms have seemingly been content to work with vulnerability researchers in recent years, following the passage of the Digital Millennium Copyright Act (DMCA), several software makers attempted to use the law against researchers who published flaw details against the developer's wishes.

Failed, but chilling, legal tactics

Almost four years ago, multimedia software maker Adobe helped authorities bring charges against a programmer for Moscow-based ElcomSoft for his part in the creation of a program that exploited flaws in Adobe's e-book format. In July 2002, technology giant Hewlett-Packard sent legal notices to researchers at Secure Network Operations after one flaw finder posted details of a vulnerability in the company's Tru64 operating system. And e-mail service provider Tornado Development succeeded in helping prosecutors obtain a guilty verdict against a former employee, Bret McDanel, which resulted in a 16-month prison sentence.

In each case, the security researchers involved won out, eventually. ElcomSoft and its employee, Dmitry Sklyarov, were exonerated, HP backed off its charges against SNOSoft, and McDanel was declared innocent on appeal, but only after serving out a 16-month sentence in prison.

While the US Department of Justice backed away from the arguments used against McDanel, the government still reserved the right to go after people who put information in the public domain with the intent that it be used for a crime, said Granick.

"That makes people worried about these forums and being held responsible for the actions of their listeners," she said. Granick recently published a paper in International Journal of Communications Law and Policy arguing that vulnerability disclosure is an important quality check on software.

Sybase's warnings to NGSSoftware focused on a more controversial legal tactic: Exercising the "no publishing benchmarks" clause commonly included in the shrink wrap license accompanying most software.

NGSSoftware's policy is to report flaws to the software maker and release a general advisory when that company releases its patch, followed by more detailed advisories three months later. Sybase allowed the company to publish general information on the flaws it found in Sybase's Adaptive Server Enterprise (ASE) database software, but warned that if the company released more detailed information, it would consider it a breach of the software license agreement.

"Sybase does not consent to the disclosure of the vulnerabilities and will consider such disclosure a material breach of the ASE Developer Edition's license agreement," the company stated in the letter sent to NGSSoftware.

The company could not be reached for comment on vulnerability disclosure issues, but in a previous statement, the firm voiced concerns that too much detail in a vulnerability advisory could hurt its clients.

Sybase is not the first company to threaten legal actions against vulnerability researchers based on perceived violations of the terms of the software license agreement. Still, the legal basis under which software companies attempt to enforce no-benchmarking and no-reverse-engineering clauses is not clear, according to an analysis of reverse engineering written by two professors at the University of California at Berkeley and published in the Yale Law Review in April 2002.

"The enforceability of such restrictions has been a highly contentious legal issue both in the US and abroad," Pamela Samuelson, professor of law and information management, and Suzanne Scotchmer, professor of economics and public policy, wrote in the paper.

The future may find that such contracts have more force, however. Since the provisions that concern security researchers, do not apply to the average consumers, the lion's share of a software maker's market will not be worried about the stipulations, said Stanford's Granick.

"The problem with contractual arguments is that people can waive all sorts of rights in a contract," she said. "And these mass-market contracts waive a lot of rights that hurt security."

Increasingly, security researchers are quick to condemn the practice, emphasizing that vulnerability advisories act to inform consumers about the safety of software products.

"To use a software license agreement essentially as a gag order to prevent people from disclosing information on a vulnerable product is a horrible way to do business," said Mark Rasch, chief security counsel of security firm Solutionary.

"This is the kind of activity you want to reward," he said. "If you don't, then they will post it anyway - anonymously on blogs."

Copyright © 2005, SecurityFocus logo

Related stories

French security researcher fined
Elcomsoft not guilty - DoJ retreats from Moscow
California enacts full disclosure security breach law
Show us the bugs - users want full disclosure
Security through obsolescence

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.