From The Industry Standard, apropos the story noted here July 11:
> A Dutch court has denied a request from chipmaker NXP to prevent the publication of a scientific study of the security of the firm's Mifare Classic RFID technology.... The court ruled that freedom of speech outweighs NXP's commercial interests.... The judge ruled that limitations to the freedom of speech are allowed only if there is urgent and obvious threat to society. "This requires a balancing of interests," the court stated in a press release. "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."

The chipmaker has put out a paper supporting its position; an excerpt:

> NXP welcomes any feedback about any privacy and security concerns related to its chips. NXP has no concerns about so-called "ethical hackers", who investigate our products and share with us their findings. This allows for assessment and correction of any security situation of our chips and the products and systems using our chips....

The Standard article reports, by the way, that "The researchers with the University of Nijmegen had countered that they have allowed ample time for NXP to repair the issues. Karsten Nohl, a researcher with the University of Virginia, previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007.... Nohl furthermore charges that NXP has wrongly trivialized the issues and recommends that the firm shifts focus to mitigating the problems instead of fighting security researchers."

> NXP has, however, concerns about unverified public communications regarding security and privacy of automated systems and its constituent components, and the potential harm to society as a result. This blurs public debate, harms public interests and often builds opinions on false grounds.
>
> Anyone intending to publish any such information should in our view first verify:
>
> 1. whether the facts are accurate;
> 2. how the facts impact on the security or privacy of the system (in which our products are just an element) as a whole (and not just one element thereof);
> 3. the potentially harmful consequences to society of such information becoming publicly known;
> 4. the legality of their acts.
>
> Legal concerns
>
> Persons involved in hacking, breaking (or attempting to break) into automated systems or falsifying components of such systems should realize that:
>
> * unauthorized possession of secret algorithms or ways to obtain secret keys can be a criminal offense;
> * publishing an algorithm and secret keys used in an automated system is a criminal offense;
> * publishing a secret algorithm or secret keys (or ways to obtain those) qualifies as a tort, resulting in liability for such person (and often its employer) for all resulting costs and damages.
Thanks to Martin Holterman for the pointer.
After their dilatory tactic of trying to enjoin the researchers, expressing concern about customers having "insufficient time to switch to safer alternative technologies" fails the giggle test.
I guess the legal issues are not "concerning" unless they like you?
...err, make that "if they like you".
I think that making a patently false statement about "the law" should have a negative legal consequence.
That's about six months ago. I think there is some fundamental misunderstanding about how long it takes to go from the design stage to delivering chips to the customers. If they started on a redesign immediately they might be at the stage of testing samples now. Chips produced in the meantime and sold on to customers would still have any flaws.
This isn't to say that they aren't dragging their feet on this - maybe they are - but you can't snap your fingers and start producing chips of a different design overnight. It takes a while just to do the redesign, and go through all the testing that's required when a single mistake can cost millions of dollars and set you back months.
While it is true that new chips can't be made instantly, it is often possible to find a workaround, in software, firmware, or sometimes even in hardware. In any case, people relying on the chips can be notified of the flaw so that they won't rely on them for security.
It is very expensive and time-consuming to put out a product that you can demonstrate is very, very secure. But there is only a competitive advantage to such products if the market values secure products and punishes insecure ones.
The small pain that will be caused by a quick disclosure today will more than be paid back by the lack of a succession of repeat occurrences. Next time, it may be the bad guys who find the vulnerability first.
Frankly, I am shocked by the succession of security vulnerabilities in commercial products in cases where secure algorithms were well-known and well-understood.
Stupid should hurt.
Also, for the purposes of this expedited procedure, they granted that the researcher's claims were true, though they may not be so generous if there is ever a full procedure. (Which is unlikely, BTW.)
The interesting point about this suit is that NXP was not suing on the basis of direct harms to itself, but effectively was attempting to stop publication on behalf of its customers. There is some pretty nifty legal theory here and some shifty reasoning on NXP's part, but focusing on the technical issues misses the really fun parts.