It's Hackers v. Hackers in Dispute Over Security Flaw Disclosures
The technology world is full of hackers and they're not all identity thieves, anti-adultery activists, or Chinese saboteurs. Instead, many are so-called "white hat" hackers, computer security experts who specialize in finding flaws in others' systems. These white hat hackers are an important, respected part of the computer security ecosystem.
Which is what makes a recent dispute between computer security companies so surprising. FireEye is a security firm that reports on flaws in Adobe, Apple, and Google, and provides its own malware protection products. And now it's suing a German security firm to keep it from doing essentially the same thing that FireEye does -- reporting dangerous flaws in FireEye's own products.
The Good-Guy Hackers
White hat hacking has a long tradition in the technology industry. Computer security experts who identified errors in a product would report the flaw, usually first to the product's maker and then publicly. By finding and reporting flaws, the hackers prevent those weaknesses from persisting unnoticed and being exploited. Publicizing the flaws can allow the public to take action to protect themselves and can add extra pressure on software companies to fix the errors.
This sort of hacking doesn't operate in the shadows, either. Google pays out $1.5 million a year to white hat hackers who help find bugs in its systems. The NSA offers a certificate in "ethical hacking." These security experts often run successful firms and consultancies and are often brought in-house by the companies they hack.
Not Everyone Likes Their Errors Being Aired
But not everyone likes it when you point out their flaws. FireEye sure doesn't, even though its business is finding errors in other companies' products. Recently, a German security consultancy, ERNW, found five major flaws in FireEye's malware software, including ones which could allow backdoor access to the host system. It disclosed those flaws to FireEye, but says the company took no action, Ars Technica reports. Instead, four months later, FireEye sued ERNW in Germany to prevent it from making information about the errors public.
The suit is "generating howls of protest among security professionals," according to Ars. Enno Rey, ERNW's founder, has said that it's "an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities." FireEye, for its part, is claiming that it's just looking out for its customers. It claims ERNW's proposed disclosures had included proprietary information that would "put our business and customers at risk." FireEye says the vulnerabilities were fixed in a patch this Tuesday.