Two Security Companies Battling It Out over Disclosures

Okay, this is weird. FireEye has gone to court to prevent ERNW from disclosing vulnerabilities in FireEye products.

FireEye should know better.

Here's FireEye's statement, BTW.

Posted on September 17, 2015 at 12:56 PM • 24 Comments

Comments

BradSeptember 17, 2015 1:09 PM

To equate threatening researchers with legal injunctions to "protecting your customers" is a farce, especially for a security company.

IanLBSeptember 17, 2015 1:41 PM

>Okay, this is weird. FireEye has gone to court to prevent ERNW from disclosing vulnerabilities in FireEye products.

...to prevent ERNW for disclosing additional information that FireEye considers trade secrets and irrelevant for the vulnerabilities themselves. Not exactly the same thing.

IanLBSeptember 17, 2015 1:56 PM

Couldn't help jumping on this citation from ERNW:

"That some level of contextual detail would be necessary to understand the nature of the vulnerabilities which in turn would subsequently serve the objective of education that is inherent to any responsible disclosure process.”

What kind of bullshit is this. The goal of responsible disclosure is making sure software bugs are corrected, and the population made aware of the problem. It has nothing to do with "Education". Please. That's just a nice sounding role you are giving to yourself. It certainly doesn't trump FireEye's rights to protect their own code base or trade secrets!

VetchSeptember 17, 2015 2:30 PM

Perhaps researchers should go back to disclosing things without contacting the developers if that's how they're going to react.

Anonymous1September 17, 2015 3:38 PM

@Vetch:
I wouldn't be surprised if the next person who finds a vulnerability in FireEye's stuff does exactly that.

TZ-SecuritySeptember 17, 2015 4:28 PM

If this "trend" of lawsuits continue, many researchers will simply sell 0-days instead of thinking how much disclosure is responsible disclosure.

SamSeptember 17, 2015 4:37 PM

"A FireEye spokesman ... says they also planned to disclose source code and information about the software architecture and design of FireEye’s security product ... We had a lot of questions about how they obtained that ... No one was comfortable with that information being disclosed to the public.”

If some other security company has your source code and product architecture, you can be damn sure that any determined hostile party *already has it* too. It's probably unsafe to assume there aren't already operational exploits.

Also, there's this meme thing named after a celebrity you might have heard of, Barbra Streisand?

rgaffSeptember 17, 2015 4:51 PM

@TZ-Security

"If this "trend" of lawsuits continue, many researchers will simply sell 0-days instead of thinking how much disclosure is responsible disclosure."

That WOULD BE PREFERABLE to the company.... Think about it... they don't care about the customer, they don't care about protecting anyone from anything, all they care about is the bottom line.... the ONLY things that affect the bottom line is the PR disaster and the expense of fixing. So avoiding the PR disaster and avoiding fixing anything by encouraging "researchers" to sell vulnerabilities on the black market instead of reporting them, actually helps the company make more money!

And we all wonder why all electronic hardware and software is so broken when incentives are on their head like this...

rSeptember 17, 2015 5:21 PM

@brad, except in this case - companies like fireeye and mandiant? have major government presence and contacts, just the embarrassment could cause harm. This could get interesting?

AnnaSeptember 17, 2015 6:33 PM

This is why responsible disclosure is so important, noting that it is irresponsible to give vulnerability information to the vendor before the public.

Though I suppose you could do like Sotirov et al. with their MD5 hack: make sure everyone getting advance notice has signed an agreement with you first. (An NDA in their case, but you could add a clause saying the company can't interfere with disclosure.)

rgaffSeptember 17, 2015 8:12 PM

@1st Amendment

lol.. "time to investigate and plan" sounds good on the surface... except it ALWAYS turns into "complete utter ignoring it and sitting on it for YEARS AND YEARS" is the problem... NOTHING WILL EVER BE FIXED.... EVER... without imminent (coming very soon) full public disclosure. It's simply never in the company's "bottom line" interest to ever fix anything otherwise. The ONLY reason to fix anything is to slightly lessen the PR disaster from disclosure, they don't make a single cent from fixing otherwise, only lose money paying people to fix. They'd make a LOT more money if they could just stop researchers altogether, or make "researchers" just sell them on the black market and keep quiet, either way works...

rSeptember 17, 2015 10:03 PM

Mr Schneier, Mr Krebs - my most humble of apologies. We exist in the world of reverse engineers, we knew it was a crime punishable by death but we lived by it anyways.

Please, don't let some company bully you for describing a poor implementation or a bad practice IN FULL. WE ARE ALL better for your work.

I'm sure Rob over at errata will have a rant about this later and I like to think I feel the way he does usually, but hold no illusions... everyday one of us sees or publishes assembler snippets, flow charts and or pseudo code that in various levels describe or represent technology protected by our both weak and slanted intellectual property laws.

Anyone who understands reverse engineering knows that the only protection is time, please don't let them vilify you for your diligence.

rSeptember 17, 2015 10:49 PM

I think FireEye is selling a bsd or gnu blackbox.

How else would they say 'holy shit' to the disclosure if it's inner workings hadn't been previously disclosed or identified. Flow-charts, pseudocode and snippets would be the usual content of such a set of slides and I don't believe Vegas wasn't anything but a meeting of the minds.

This reeks of lawyers, they were probably in a severe panic over their black box open source 'IP' getting out or the potential race conditions involved in trying to patch a box completely full of another repositories code.

BSD, MIT or Apache license anyone?
Does a blackbox containing GNU require a sticker?

gummmybearSeptember 17, 2015 11:56 PM

Not surprised at all.

Fireeyes has shareholders to protect. They won't let their profits get in ways of their shareholders nor their shareholders in the way of profits and this ain't security by obscurity but fair use clause at play here.

They recently outed some Cisco hacks so they be doing well.

OctaviaSeptember 18, 2015 12:02 AM

Sammy Visnich • September 17, 2015 2:09 PM
No prizes for spotting the FireEye employee


You can't be serious. :(

Steve FriedlSeptember 18, 2015 10:27 AM

I'm not sure it's reasonable to call the high-level representation of a reverse-engineering process "source code"; does anybody really think ERNW somehow obtained actual FireEye intellectual property?

rgaffSeptember 18, 2015 11:58 AM

It's pretty backhanded to meet and be all smiley chummy hand-shakey and then immediately afterward stab the other party in the back with an injunction...

oboSeptember 20, 2015 12:05 AM

@ rgaff

Strikes me as a stand up character, no stabs in the back, we be talking front door access thru blackboxing. What you say is perhaps the upcoming summit with our neighbor across the other pond?

rSeptember 20, 2015 12:42 AM

@steve friedl,

it's very realistic if their 'IP' is merely an interconnect between existing GNU/BSD/MIT/Apache licensed products.

kind've embarassing too, consider the fact they just fired an employee who turned out to be the creator of dendroid - their IP/'architecture' could already be out there.

even a compiled interconnect between such tools wouldn't be too big to r/e.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.