Open Letter On Ending Attacks On Security Research

from the it's-too-important dept

The Center for Democracy and Technology has put together an important letter from experts on the importance of security research. This may sound obvious, but increasingly we're seeing attacks on security researchers, where the messenger is blamed for finding and/or disclosing bad security practices or breaches -- and that makes us all less safe by creating chilling effects.

On April 10, 2018, over fifty experts and expert advocates published a statement in support of security research and against efforts to chill or intimidate security researchers. Computer and network security research, white-hat hacking, and vulnerability disclosure are legal, legitimate, and needed now more than ever to understand flaws in the information systems that increasingly pervade our lives.

Security researchers hesitate to report vulnerabilities and weaknesses to companies for fear of facing legal retribution; these chilling effects invite the release of anonymous, public zero-day research instead of coordinated disclosure. The undersigned urge support for security researchers and reporters in their work, and decry those who oppose research and discussion of privacy and security risks. Harming these efforts harms us all.

I'm proud to have signed onto the letter, which you can read here (or embedded below). In it, we cite two legal cases in which a reporter and security researcher were sued for their work disclosing security vulnerabilities. These kinds of lawsuits are a disgrace and need to stop.

The most recent cases include Keeper v. Goodin and River City Media v. Kromtech ; in the first case, a reporter was sued for reporting on the details of a vulnerability, and in the second case a security researcher is being sued for investigating a publicly accessible spam server. These lawsuits not only endanger a free and open press but risk a “chilling effect” towards research designed to improve cybersecurity. Security researchers hesitate to report vulnerabilities and weaknesses to companies for fear of facing legal retribution; these chilling effects invite the release of anonymous, public zero-day research instead of coordinated disclosure.

It's kind of sad that this kind of letter is even needed, but these kinds of things are happening way too often.

Filed Under: cdt, chilling effects, open letter, security research

Ed Snowden Sends Open Letter To Brazil... Which The Press Blatantly Misrepresents

from the nice-work,-journalists dept

This morning, a Brazilian publication, A Folha, released a very interesting open letter from Ed Snowden. It's worth reading in full, and we'll include the full thing beneath this post, but first, a few snippets. His summary of the overall situation is key:

Today, if you carry a cell phone in Sao Paolo, the NSA can and does keep track of your location: they do this 5 billion times a day to people around the world. When someone in Florianopolis visits a website, the NSA keeps a record of when it happened and what you did there. If a mother in Porto Alegre calls her son to wish him luck on his university exam, NSA can keep that call log for five years or more. They even keep track of who is having an affair or looking at pornography, in case they need to damage their target's reputation.

American Senators tell us that Brazil should not worry, because this is not "surveillance," it's "data collection." They say it is done to keep you safe. They’re wrong. There is a huge difference between legal programs, legitimate spying, legitimate law enforcement — where individuals are targeted based on a reasonable, individualized suspicion — and these programs of dragnet mass surveillance that put entire populations under an all-seeing eye and save copies forever. These programs were never about terrorism: they're about economic spying, social control, and diplomatic manipulation. They're about power.

He then notes that some Brazilian politicians have asked for his assistance into researching what the US has done, and he said that he is willing to help "wherever appropriate and lawful" while also noting that the US pulling his passport and showing its willingness to force planes to land when it suspects Snowden may be on board may limit his effectiveness in helping with the investigation. There's a lot more in the letter as well, but the press seems to be summarizing it as "Snowden offers to swap helping investigating spying for asylum." A few examples:

• USA Today: Snowden to Brazil: Swap you spying help for asylum
• The Guardian: Edward Snowden offers to help Brazil over US spying in return for asylum
• CBS News: Edward Snowden reportedly tells Brazil he’ll help probe NSA spying there if granted asylum
• Fox News: Snowden reportedly offers to help Brazil investigate spying if given asylum
• Reuters: Snowden makes case for Brazil asylum, offers help
• ABC (Australia): Edward Snowden wants asylum in Brazil in exchange for help with investigations into NSA spying

All of these seem to think there's some sort of conditional there. Reading the actual letter, that doesn't seem to be the case at all. While he does mention that without being granted political asylum, the US government "will continue to interfere with my ability to speak," there does not appear to be any quid pro quo setup, in which he's asking for asylum. He's just laying out the situation. Furthermore, he later notes the value of being able to speak freely, and how that's more important than where he lives:

My act of conscience began with a statement: "I don't want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded. That's not something I'm willing to support, it's not something I'm willing to build, and it's not something I'm willing to live under."

Days later, I was told my government had made me stateless and wanted to imprison me. The price for my speech was my passport, but I would pay it again: I will not be the one to ignore criminality for the sake of political comfort. I would rather be without a state than without a voice.

Of course, the absolute worst of the worst in reporting on this was... CNN. They posted a tweet, claiming that Snowden offered to "spy on the US." Seriously. Thankfully, after lots of people reacted angrily to that, CNN chose to delete the tweet. And people wonder why the media business is struggling these days.

Filed Under: asylum, brazil, ed snowden, journalism, nsa, open letter, surveillance

Denver Post Column That Righthaven Is Suing Over May Have Given Implied Permission To Copy

from the oops dept

We already pointed out that Righthaven has signed up MediaNews and is now suing over people reposting content from the Denver Post, but law professor Eric Johnson is pointing out that the very first such lawsuit Righthaven filed may have some problems, specifically since the content that was "reposted" was written as an "open letter" to Tea Partyers. In his blog post on the subject, he notes that not only is the open letter format potentially suggesting it's okay to repost it, but also that the text itself implies that his column is a part of a grassroots effort. Johnson suggests that there's clear "implied permission" to repost the column. I would imagine that would make for quite a fun court battle.

Filed Under: copying, copyright, denver post, open letter
Companies: medianews, righthaven