The post’s been delivered and most of us dread any possible bills lurking inside the mailbox. However, as a security researcher there’s a greater fear. That of legal threats, cease and desists and other angry letters from lawyers, big corporations or nation states. After reading Zack Whittaker’s recent article for Zero Days titled Lawsuits threaten InfoSec research — just when we need it most. A follow up, with strategies from someone who has seen some threats of lawsuits seemed good to share.
Don’t freak out, the world is not ending, yet!
The letter or email is opened, perhaps you have also been physically served. Your financial life is flashing by you as you read through the legal jargon. Hands shaking, heart thumping in your throat. Sit down, take a deep breath and follow the sage advice from Douglas Adams, “Don’t panic!” Legal letters are mostly reactionary and aggressive. It’s like prison movies, where to avoid getting, you know… You act like the craziest b*tch in the yard first day, so you aren’t easily messed with. This is what usually how the first few legal letters are. Keep this in perspective.
Check the laws
After you stop shaking and can speak check what is mentioned in the letter versus the actual law.
First case:
My first angry cease and desist came from Baker & McKenzie via Unisys Netherlands. The letter stated the presentation title I was scheduled to give in the USA was obscene and referred to the conference I was speaking at as a place of criminality. One of the attorneys from the law firm also threatened my partner verbally, saying she would sue us into oblivion. A week after we lost our house to a fire and had zero insurance. Happy days but remember don’t panic.
1. The definition of obscenity is established by a three-tiered Miller test in the USA, among others. The talk title did not touch on any definitions.
2. The title The Internet is for Porn is also the tile of a song by a Broadway musical Avenue Q. The location of the talk was blocks away from Broadway, NYC.
3. The conference was in its ninth iteration that year with the theme of anti-censorship. Last H.O.P.E Hacker on Planet Earth, not illegal, not a den of criminals. Nerd Life!
4. The Netherlands has generally stronger laws against censorship than the USA. The legal position was not tenable.
Seasoned professional
Saudi Aramco and the Kingdom of Saudi Arabia were not thrilled my Black Hat USA talk was accepted regarding the Shamoon 2012 attacks. Shortly after my initial elation at the talk being accepted. In my inbox was a polite but nonetheless aggressive legal threat from attorneys with Saudi Aramco. The letters stated various items such as I had no right to. As if working for the Aramco family had stripped me of my basic rights. Various letters listed I had no right to voice my opinion publicly, not allowed to discuss publicly known elements of the attack, other publicly known attacks, near misses or list my employment with them. The reason why many people haven’t heard much if anything about the Shamoon attacks in 2012 is because the Saudi government sends out angry, serious worded threatening legal letters for a chilling effect. There were bonus demands that they approve any presentations and I must gain their permission. I’m a hacker, I don’t do very well with illogical rules and permissions.
1. 1st case number 4
2. What happens in Vegas stays there, I wasn’t talking about Vegas. If the New York Times covered it, anyone can talk about. Non-disclosure agreements do not cover items publicly known in major press.
Don’t even think about discussing public knowledge!
3. My geolocation was no longer Saudi, it was the USA and the Netherlands. Both countries where people have a right to voice their opinions.
4. We stressed it would be professional suicide to discuss private information and argued using logic.
Don’t personally respond, get a lawyer
Whatever you do, do not write a letter back by yourself. Ask lawyers, legal type friends, not Yahoo Answers. Or you’re asking for a bad time. You are an active participant, in the thick of it. Your thoughts will not be unbiased and likely a little irrational from fear of financial ruin. Try to get the best lawyer you can afford. My first attorney against wonderful duo of Baker & McKenzie/Unisys NL had graduated a few months previous and panicked. One of those legal insurance lawyers. Had me pull down my blog, all sorts of things. Sometimes you might need a second lawyer, like a second opinion after a scary medical diagnosis. When Aramco began sending letters, I blew through my savings getting the best lawyer I could.
Be nice, kill them with kindness in a timely manner
The lawyer I obtained during my Aramco troubles gave me sterling advice. Be nice, be super f*cking nice. In the case of Aramco, I used to work with some of the lawyers sending me letters. It was easier to be nice because we had a great working relationship during my employment there. The reason, if you look polite and cooperative, it will look much better if it gets to a judge. Cooperative means ensuring your lawyer responds to every communication in a timely manner. No longer than 1 business week. This will put you in a better light as a party willing to compromise and act professionally.
Dealing with possible harassment
Once one letter comes, expect more, and phone calls, and some blacklisting/blackballing. Nope, it can instead feel like a bad case of herpes, or glitter. In many cases, the organization will use an outside law firm. That outside law firm is in the business of making money, which they do for every communication or minute they consider the case. One thing to keep in mind, the only ones that come out winners in these situations are the lawyers as they lavishly spend all those billable hours. Take a deep breath and try to keep grounded. Then, I suggest talking to friends.
1. Prior to leaving the Netherlands for my anti-censorship talk at Last H.O.P.E. I shared my draft presentation with a journalist Brenno De Winter. After hearing about legal threats, wrote about the situation, making it a national news item in the Netherlands.
2. One major demand was that I remove all references to the talk, scrubbing the internet of its mention. Once something is on the internet, it can never be removed. Instead, news about my talk turned into the Streisand Effect, getting posted to hundreds of websites and forums.
3. Aramco paid an expensive lady lawyer to fly over the Vegas, travel and bought a Black Hat USA briefing pass. Just so moments before I started my talk, she could come over, introduce herself, inform me she was not only representing Aramco but the Kingdom of Saudi Arabia and would be sitting in the front row to observe my talk. Somethings things are just too f*cking funny, 15–20K GBP to try and rattle me for 1 hour. It empowered me instead.
4. On a later date, I was giving the same talk in London. After a similar rattle introduction, I announced at the beginning of my talk that a representative from the Kingdom of Saudi Arabia was in attendance and would be more than happy to answer any questions at the end. She quickly left the room and entire conference.
5. Giving a completely non-Aramco related talk at a Nuclear security conference in Europe. One of the main sponsors threatened to pull all sponsorship if I gave my presentation on security weaknesses in the Panama Paper’s law firm client portal website. The conference organizer, handled it like a pro and mediated. Supposedly the sponsor representative had spoken with the new Saudi Aramco CEO, the Crown Prince himself who mentioned my name during a meeting the week before. Thinking to myself, I’m popular with royalty, booyah. I mentioned what bad press it might be if a European defense manufacturer was outed as censoring a person in Europe on the behest of the Saudi Arabian government and my talk had zero to do with Aramco or KSA.
Its scary but you can do it, use your inner anger
Stress, holy mother of everything that is unholy. Yes, you will be under immense stress, all part of the legal pressure tactics. Sometimes, stress can make you think totally outside the box. For my Last H.O.P.E talk, I called a friend who agreed to be my Ghost Speaker. Another friend suggested I offer a compromise, I could either stand during my talk saying nothing with black tape over my mouth or present with a Ghost Speaker who could talk through all the portions they considered objectionable. I was in a sad state, stress from legal threat plus my house had burst into flames weeks before with me in it. Barely out of hospital, smoke inhalation injuries, lost the cat, barely made it out alive. My Ghost Speaker JK47 had to bring me clothes. I was under a great deal of pressure to walk away, it seemed easier. But not if I would have regretted it for the rest of my days. It was the worst talk I ever sort of gave. Barely stopping myself from throwing up on stage. Regret eating away at your insides is not easier in the long run. It made me angry that anyone would imagine me, a US military veteran easily handing my hard-fought rights over to any sort of censorship. Now any attempts just piss me off.
Conclusion
It isn’t easy being a security researcher, especially in the current environment of privacy threats, consolidation of technology by huge organizations and a seeming glut of attorney’s eager to earn some sweet billable green. If you’re being threatened, there are options:
1. Some countries have digital defense legal organizations that can assist, take a look.
2. Friends in the industry who sadly may have experience.
3. US CERT has a 45-day responsible disclosure policy. If it’s a vulnerability, disclose it to them as well. MITRE, your local country or area CERT might also have similar policies depending on the situation or vendor.
4. Bug Bounty programs are great for announcing a vulnerability if you think you might be sued. Another tactic is to also cross report at Bug Bounty programs as multiple reports might pressure for a fix whilst offering some legal shielding.
5. As a last resort, do you know any journalists? Speaking to journalists can be a double-edged sword. It can end I a happy Hollywood ending or get you into more trouble. Be aware, handle with caution and use encryption.
6. I might get sued for writing this ☹