Sunday, May 28, 2017

Researcher discovers security hole: lawsuit for copyright infringement looms

Imagine this: thanks to the work of a security researcher, a software manufacturer is informed that one of its programs has a critical security hole through which all user data could be stolen. The affected company quickly releases a hotfix. And instead of thanks, let alone a reward, for the find, the company's lawyers threaten the researcher with legal action for copyright infringement and computer misuse.


Why is legal action being threatened?


This is what has happened in the United Kingdom over the past few weeks. The security researcher is Zammis Clark; the company goes by the name Impero and is responsible for the software Impero Education Pro. With it, IT staff in schools can monitor and restrict pupils' web browsing. The program is widely used in the UK.


What is he accused of?


At the beginning of June, Clark reported his find on Twitter, with a link to the GitHub platform, where he published so-called proof-of-concept code. Such code serves to demonstrate that an attack is possible. Publishing it is common practice in the security community.


What to make of this?


What proved Clark's undoing was that he did not communicate directly and confidentially with Impero. But that is hardly a reason to sue someone who has made a company's own product more secure, and thereby protected those responsible from potentially far worse consequences; not even Apple does that. By his own account, Clark, among other things, did not know where he should have turned. Moreover, the questions about security that Clark put to Impero at a trade fair in January fell on deaf ears, as he wrote on GitHub (via Google Cache).


After Impero learned of the hole in its own program, a hotfix was released. The roundabout route, incidentally, was that Clark asked in the Impero forum how to reach the people responsible, and got that information from other users. Quite apart from the fact that schools are applying the fix only haphazardly, as The Guardian found, the patch is, according to Clark, not even effective: the hole still exists if Clark's proof-of-concept code is slightly adapted.


Instead of working with the security researcher on a solution, the next thing Clark heard from was Impero's lawyers. A letter reached him: he had violated the licence agreement by modifying the software without permission, and not for the purpose of making the program interoperable with other platforms (the one purpose for which such modification would have been permitted). In addition, the lawyers accuse him of having published confidential information about the program.


This, they claim, enables any attacker to exploit the vulnerability and write malware. Clark's conduct had caused the company "direct loss and damage", which would result in reputational harm and potential damage to numerous IT systems in schools. The company would now go to court to stop Clark from taking further action and to seek financial compensation.


After Clark sought legal advice, Impero's lawyers relented and said it would suffice for the security researcher to delete his online findings and work. That happened on Thursday afternoon. How the story continues remains to be seen.


Speaking to the file-sharing blog TorrentFreak, Clark said the company's approach was counterproductive. In future, security researchers would think twice about whether or not to report a hole. Attackers would find and exploit holes even without people like him.


Security expert and former member of the "LulzSec" hacker collective Mustafa al-Bassam also calls the threats against Clark bizarre. The company should be glad that the hole was made public instead of being sold to malware producers such as Hacking Team. Because those companies do not pay badly at all.
