Opinion: It's a shame when the only companies free to speak in the security world are those with legal teams big enough to fight possible patent litigation.
After receiving a letter threatening possible patent litigation
that caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget did give his Hacking RFID talk after all.
With the ACLU on hand.
In a briefing with all references to radio-frequency identification card maker HID expunged, and with attendees lugging manuals that were lighter after having the associated materials gouged from their middles, Paget delivered the first half of his planned presentation.
He stopped when he got to the point in his slideshow that had originally listed specs of "a particular RFID tag implementation."
"It was only technical information [including] frequency and number of bits in the code," he told the audience. "HID did request that we refrain from singling them out as a particularly bad RFID vendor.
So were not doing that; we removed the material titled mechanism of operation."
In fact, the information from that slide was identical to any type of RFID tag, not just to HID, Paget said.
Could IOActive have sent over its presentation materials to prove that they in fact did not contain HIDs schematic, as the company feared?
Yes, it could have. If it didnt have good legal counsel, Paget said.
Paget said that the letter from HID went something like this:
"The following are not proper subjects for your presentation this week and in future public demonstrations," the letter read. The letter went on to refer to any materials that might teach someone "not skilled in the art" how to build a device that infringes on HIDs patents, Paget said.
"To a layman, something like this seems relatively reasonable," Paget said. However, any patent attorney will recognize that the term "skilled in the art" has a very specific meaning. Essentially, someone "skilled in the art" refers to one who is able to rebuild the content of HIDs patent application.
Therefore, IOActive was prohibited from teaching the security community anything covered by HIDs patent. "The translation to real English: We cannot paraphrase something from HIDs patent in order to explain it to someone who doesnt already understand it," Paget said.
HIDs letter continued, saying that the company would have "no recourse but to pursue all available remedies against [Paget] and IOActive."
Frantic negotiations ensued, beginning Feb. 22 or 23, after IOActive had received the letter and had a chance to run it by legal counsel. When considering whether to show HID the presentation materials, IOActive requested that HID provide "a covenant not to sue."
"What, forever and ever?" said HIDs Mike Davis, with an air of disbelief after Pagets presentation, talking to the press who huddled around him, digital recorders blinking away in spite of his demand that they be turned off. Davis is director of technology, Intellectual Property, at HID Global.
"We unfortunately cannot risk a talk in this environment," Paget said.
What are the financial realities behind Pagets reference to taking a "risk"?
In a talk with IOActives Joshua Pennell after the briefing, he told me that just to go in and investigate whether theres any possibility that IOActive infringed on HIDs patent would have cost $30,000 in legal fees right out of the gate. If the situation ever reached litigation, going into court would cost between $150,000 and $1 million.
Just to reiterate, just to make sure we all understand exactly what this means to anybody who wants to share vulnerability information with security professionals, even if that information was published in a white paper two years ago (as IOActives material was) and is available online in multiple sources: Even if completely innocent, a small company or individual security researcher can be forced into silence by the mere threat of copyright infringement.
The presentation material in question relates to the security of RFID, a technology that the ACLU proved years ago could be subverted easily by pass-by readers. And understand one other thing: The only reason that IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency
and was curious to know just how good that buildings security was.
ACLU has cause for concern.