The Doom of the World has Arrived. It's pink and its name is Orlando Smith, Esq.
Dear Messrs. LMH and Finisterre: I certainly hope that you two have taken counsel and have adequate resources to defend against the lawsuits of anyone injured by your joint act of publishing security flaws that exposes users of Mac OS X to security risks, before notifying Apple of those flaws and affording Apple a fair opportunity to patch any such flaws. In society, we owe each other a duty of care. That duty evolves over time as new circumstances, such as new technology, present new risks associated with social behavior. It is now well established that the responsible way to investigate and publish any alleged security flaw in an operating system (OS) is to first inform the maker of that OS and afford them a reasonable period of time to patch the flaw before publishing that flaw and/or any code exploiting that flaw. It is also clear that you must be aware of the responsible way of publishing security flaws and the risks that you pose to others by not adopting it, because of the many emails to you and reports in the press discussing your departure from the responsible method of publishing security flaws and the risks that such conduct poses to others. In my opinion, your decision to instantly publish both security flaws and exploits, before affording Apple or any other manufacturer of an OS a reasonable opportunity to patch those flaws, raises a prima facie issue of whether that decision violates your duty of care to others, so that you are liable to anyone injured by that decision under a theory of negligence.
Orlando Smith, Esq.
Thanks bro... if it gets to that point... I'll give Jennifer Granick a call...
Are you saying that Apple has Zero responsibility for the holes that they created?
Gentlemen: What I am saying is that you may have liability in tort for the way that you disclose security flaws. Whether Apple or any of its agents or employees would have liability for the security flaws in its software is a question that the courts have settled. Where a company, such as Apple, makes no warranty or representations regarding the function or quality of its software, where there is no intentional or reckless flaw in the design of its software, and where the design of its software meets the accepted standards of the state of the art, neither Apple, Microsoft, or any other company has any liability to the users of its software. Even in the case of United States' intelligence agencies, makers of software are not liable to the federal government for security flaws, provided that they satisfy the government's standards and tests for design and operation of the software. Given the conditions, supra, an ordinary user's sole remedy for security flaws in OS X is to not use Mac OS X. The only jurisdictions that may have a different rule are certain foreign countries.
However, disclosing security flaws in the circumstances that I described in my earlier email, infra, is something new that has usually, almost always, been associated with criminals. Who else but a criminal, who is seeking to benefit from crime, or someone, who has no regard for how his actions could harm others, would publish a security flaw without first taking reasonable and prudent measures to ensure that publishing the security flaws won't harm others, especially when it is so easy and inexpensive to take those measures, i.e., notifying Apple and giving it an opportunity to patch the flaw. As for contacting Ms. Granick, now is the time to do that. Taking her counsel and conforming your behavior to it--and I speak from experience--is far cheaper than calling on her after you've been sued.
Orlando Smith, Esq.
Look bro... I appreciate the advice. It's not the first time I have been threatened via lawsuit for my disclosure practices... see SNOSoft vs HP ala DMCA.
I've been disclosing live exploits for years now... not much is different here. I have the same level of liability for my educational work to be abused when idiots don't patch their machines even after the vendor has fixed it.
I certainly do not agree with your generalization that WHO else would do this but a criminal... etc... but honestly that mentality makes me question your own ethics with regard to this matter. Kinda reminds me of the old ambulance chasers... you are not out by chance trying to gather a list of people that have been harmed by MOAB are you ... so you can get a little extra cash for your practice?
Reasonable prudent measures.... sir I've been disclosing bugs to Apple for YEARS... I have several issues queued up now that have been waiting for over 6 months... please don't talk to me about prudence until you examine that of Apple.
I thank you for your time.
Gentlemen: Right now, my interest is academic. Should the law of tort be expanded to impose liability on a person who discloses security flaws without first affording the maker thereof an opportunity to patch the software? I think the answer is yes, so I am certainly interested in a test case going to court. As for ambulance chasing, it only happens after someone has been run down in the street. I submit that you and LMH have been driving recklessly. If Apple or any other ISV declines to patch a security flaw after having had a fair opportunity to do so, you have another case. But in the instant circumstances, it appears that you haven't afforded Apple an opportunity to remedy your alleged security flaws. Your failure to give Apple that opportunity and the risks that imposes on innocent third parties raises an interesting question about whether you and others like you should be subject to liability under tort law. And I doubt that /SNOSoft vs HP/ will give you much comfort or protection, because tort theories have nothing to do with the DMCA.
Your other comments are misplaced. When I stated earlier--see comments, infra--that the only remedy that a user of Mac OS X has for security flaws is to not use OS X, I was speaking about legal remedies. Your other comment about criminals not disclosing security flaws is simply wrong on the facts. The FBI and others have discovered that not only do criminals disclose security flaws, but they have a black market for selling exploits, which makes sense, because an exploit becomes public the instant that you use it. At that instant, it is discovered and analyzed, and the forces of good begin working on counter measures. Criminals depend, as you should well know, not on secrecy, but on the interregnum between the introduction of an exploit and introduction of a patch for it and on the time it takes for persons to install the patch. By immediately publishing a security flaw, you maximize the time between the exploitation of that flaw and the introduction of a patch. It is that interval between exploit and patch, not secrecy, that criminals use to steal passwords, break into accounts, steal identities, and commit all the other mischief that malware enables.
Now, I am not sure what delusion makes you believe that, by discovering and immediately disclosing security flaws, you are performing a public service, but a moment of reflection by even an idiot on a slow day immediately shows the folly of your belief. Since the interval between the introduction of an exploit and its patch is the period of danger, shortening that period by disclosing the security flaw to those who are most able to patch it and distribute that patch to users is what best serves the public interests and affords the most protection to innocent third parties. Publishing the flaw before giving the makers of the vulnerable software an opportunity to patch it maximizes the time when innocent third parties are exposed to malware. That can't possibly be in the public interest.
Let me guess that you, Mr. Finisterre, are in your twenties or thirties and that LMH, based on his response, hasn't yet reached the age of majority. Among the most disturbing things about your conduct in immediately disclosing your discovered security flaws is the utter narcissism of your conduct and the specious reasoning that you use to justify it. Gee, I can show that I am a big bad programming super geek by discovering security flaws in an extremely complex piece of software with millions of lines of code by discovering security flaws in that program. And if immediately publishing those flaws exposes others to danger, that is okay, because I am performing a public service. What a load of crap. First, any graduate student in any good computer science program can do what you and LMH have done. I hope that the reason that they don't do what you've done is because they are more profitably employed with activity that truly does benefit society and because their ethical bearings aren't distorted by their narcissism. For example, the software engineers who make Vista, OS X, and Linux have contributed greatly by making operating systems that let us all do wonderful things.
Unfortunately, some considerable amount of their efforts is diverted by the need to harden their code against criminals and dilettantes who exploit the flaws arising from the complexity of their code for crime, fun, and the aggrandizement of their tiny egos. Second, as explained supra, even the briefest exposure to the light of reason shows that your conduct unnecessarily and foreseeably endangers innocent users of Mac OS X. For these reasons, and not for the two nickels that you and LMH might have between you, I would be delighted to take a test case to a court of competent jurisdiction to determine whether you and those like you are liable in tort for publishing security flaws in software before affording the maker of that software an opportunity that is reasonable under the circumstances to patch those flaws.
Orlando Smith, Esq
Look dude... I have not read this letter any further than the first few lines... please stop sending me harassing emails immediately.
Gentlemen: I have not threatened or harassed either of you. I have simply stated that your actions present a novel question of whether you should be liable in tort for what you have done. I will of course comply with your requests that I not have any further communication with you, unless it is in my professional capacity. As for publishing this colloquy, I may do that myself in an article on implications for tort law of conduct such as yours or in other articles discussing your conduct in publishing security flaws in software before affording the maker thereof an opportunity to correct those flaws.
It's already been published. The ambulance got away.