Friday, April 29, 2011

Another Researcher Hit With Threat Of German Anti-Hacking Law

German software firm warns researcher who disclosed a vulnerability in its software and offered his help

Apr 27, 2011 | 02:38 PM
By Kelly Jackson Higgins
Dark Reading

Another security researcher is facing possible legal action under the three-year-old "hacker paragraph" of German law, Section 202c of the German Criminal Code (StGB), which criminalises preparing a computer crime by producing, obtaining, selling or distributing passwords or programs whose purpose is to commit one. In practice it is widely read as a ban on selling and distributing hacking tools.
An independent researcher who goes by "Acidgen" was recently threatened with a lawsuit by a German software company after he alerted it to a buffer overflow vulnerability he had discovered in its music application. Acidgen, who is based in Sweden, found a stack buffer overflow in Magix AG's Music Maker 16 (version 16.0.2.4) and promptly passed the details to Magix. Over several friendly email exchanges he also provided Magix with what he describes as a "nonharmful" proof-of-concept (PoC) demonstrating how the flaw could be exploited, and told the vendor he planned to publish the flaw and the PoC once it was patched. He then received a not-so-friendly email from the company's lawyer threatening a lawsuit for alleged extortion over his plan to release the PoC.
"It came out of nowhere," Acidgen says of the legal threat. He was awaiting word on when the vendor would be issuing a patch: "Then I get back a really threatening lawsuit letter that they are going to press charges for extortion for [the] exploit code," says Acidgen, who says the PoC he gave Magix is a benign one that just starts up the Windows Calculator.
Magix also told him it was alerting antivirus companies of "new viruses" that would "spread" due to his PoC, he says. A PoC that only launches the calculator is the conventional way to show that an overflow gives an attacker control of execution without shipping a harmful payload; it is not self-propagating malware.
Acidgen isn't the only researcher recently to be threatened under the German law: German security researcher Thomas Roth was served with an injunction in January, just prior to his talk at Black Hat DC, in response to his plans to release an open-source tool at the conference. The tool uses Amazon's GPU-equipped EC2 cloud instances to crack SHA-1 password hashes at high speed. His apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat.
Roth's legal troubles came after a German newspaper mistranslated English-speaking news reports on his research. The German newspaper incorrectly reported that Roth had said he would be turning a profit as a sort of a hacker-for-hire. That led to a German telecommunications firm taking legal action against the researcher: "They misunderstood that I was getting money for doing this ... and illegally breaking into networks," says Roth, a researcher and consultant for Lanworks AG.
Roth spent the next few months clearing his name and calling out the German newspaper for its inaccurate report and the intent of his tool. The German telecommunications firm that went after Roth accused him of illegally breaking into wireless networks and planning to release rainbow tables to be used for hacking into company networks. He was eventually able to clear up the misunderstanding, and he finally released his tool last month.
Meanwhile, the case against Acidgen doesn't appear to have legs, either, says one security expert knowledgeable about the German law. "This was Magix's legal department doing some sabre-rattling," he says. "It's usually the first thing that a lawyer does: write a letter with an official letterhead and see if the other side backs down."
But Acidgen says he has no intention of backing down. He disclosed the Magix vulnerability yesterday, but stopped short of publishing the PoC. He's still hopeful that Magix will either patch the flaw or provide him with a date when they plan to do so.
His disclosure steps were those of ordinary coordinated disclosure: alert the vendor to the flaw and ask for its patch time frame. But what might have helped trigger Magix's legal response was Acidgen's offer to help the vendor further: he mentioned that he could fuzz for more vulnerabilities "for free." "I stated and made clear that I'm not trying to extort them or make money," he says.
In the letter to Acidgen from Magix's attorney, the attorney notes that Magix "appreciates" the researcher's sharing his finding with the company, and that it will use the information to "improve its products."
The next paragraph of the letter takes on a different tone: "On the other hand MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm. As you may be aware it is illegal to release software which is intended to commit computer sabotage (e.g. Sec. 202c I No. 2 German Criminal Law). In addition this announcement together with your offering to have the vulnerability fixed by your company may be considered as an attempted extortion. You may rest assured that MAGIX will enter into all necessary and appropriate legal steps in this regard. In addition MAGIX will inform manufacturers of antivirus software that there might be a new virus based on your code," the attorney wrote.
Magix had not responded to press inquiries as of this posting.
Acidgen thinks the whole thing could be a misunderstanding of how security researchers operate. He says he had no intention of hurting Magix or the security of its clients: That's why he is still awaiting a fix before releasing the PoC.
His case is another example of where the German hacker law is vague and broad, experts say. "The law is very broadly phrased, and any piece of software can really fall under the law," notes the security expert knowledgeable about the hacker law. "What it does help against is the openly selling of tools from Germany. But even then, it's in the way it's advertised."
It's all about intent. "'Evident intent' is everything," he says. "If you advertise something for illegal purposes, you're immediately" operating illegally under the law, he says. Even offering Windows XP for sale for hacking purposes would be considered illegal. Under the law, "intent is everything, not the actual capabilities of the software."

Jobs Tries to Calm iPhone Imbroglio


APRIL 28, 2011
By YUKARI IWATANI KANE And JENNIFER VALENTINO-DEVRIES

Apple Inc. is scaling back how much information its iPhones store about where they have been and said it will stop collecting such data when consumers request it, as the company tries to quell concerns it was tracking iPhone owners.

But Apple's statements, after a week of silence on the growing controversy, raised new questions and criticism about its data-handling practices. Rep. Joe Barton (R., Texas) said Apple apparently "lied" to him and another lawmaker last year when it said its phones don't collect and transmit location-based data when location services such as mapping are turned off.

Apple defended the process it uses to gather location information via the iPhone and unveiled a software update to scale back such practices.

Apple said Wednesday it would fix software "bugs" that let each phone build a database of locations stretching back months, even when related services are disabled by the user.

Apple Chief Executive Steve Jobs, who is on medical leave, was unapologetic in his defense of his company's actions. "Your precise location is never transmitted to Apple," he said in an interview.

Rather, Mr. Jobs said, Apple gathers information from the phone about nearby cellphone towers and local wireless, or Wi-Fi, networks. Apple uses that information to supplement the Global Positioning System already employed on most phones.

Apple and Google Inc., which makes the key software for Android phones, are facing scrutiny from lawmakers and consumers for the way they gather and handle data on the location of smartphones.

Researchers last week said Apple's iPhones store unencrypted databases containing months of location information. Tests conducted by the Journal and independent researcher Samy Kamkar found these databases were updated, and some information sent to Apple, even when the location services were turned off.

That contradicts what Apple told Rep. Barton in a letter last July. "When a member of Congress asks a straightforward question, reputable members of the business community should give a straightforward answer," Mr. Barton said in an interview. "Apparently, they lied to us."

In the interview, Mr. Jobs said Apple in recent days had discovered software "bugs" in how the phones capture and store data. "We were surprised by them and it took us a few days to figure out what was going on," he said.

Beyond the information stored on the phone, the Journal has reported that iPhones, Android phones and some personal computers regularly transmit information about their locations to Apple and Google. Apple said Wednesday an individual can't be located using the Wi-Fi and tower data and that the data are anonymous. It said it discloses the collection practices in privacy policies.

The company said it would release software in coming weeks that would reduce how much location data are stored on the phone to about seven days. The new software will delete the data when location services are turned off. In the next major release of its mobile operating system, the database would also be encrypted, Apple said.

Mr. Jobs said Apple planned to testify at an upcoming congressional hearing. Google said it would testify at a hearing set for May 10.

Other lawmakers said they weren't satisfied with Apple's response. Sen. Al Franken (D-Minn.) said he still has questions about what Apple was doing and what it told users.

"This has raised larger questions of how the locations of mobile devices are tracked and shared by companies like Apple and Google, and whether federal laws provide adequate protection as technology has advanced," Mr. Franken said.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) expressed concern in a separate letter, saying it was essential to have "full and accurate information about the privacy risks" as Congress considers updates to federal privacy laws.

Among other makers of cellphone software queried by Congress, Nokia Corp. and Microsoft Corp. have said they only enable location services with a user's consent. Officials at Research In Motion Inc. and Hewlett-Packard Co. didn't respond.

A Google spokesman said it collects information anonymously and provides "users with notice and control over the collection, sharing and use of location" on Android phones.

In a press release, Apple said the cellphone towers it uses to establish a phone's location could be more than 100 miles from a user's phone. But tests conducted for the Journal by Mr. Kamkar, the researcher, found that the hardware (MAC) addresses of nearby Wi-Fi access points, which the phone records and which map to known physical locations, can easily be used to establish a phone's location to within 100 feet.

Apple disclosed Wednesday it is using the information to build a "traffic database" that within a few years will offer traffic-congestion information to iPhone users. Google already uses location data, which Android phones collect every few seconds, to provide such a service.

Other applications routinely use, and share, location data. The Journal reported in December that some of the most popular apps widely share location data and other personal information with outside companies. Twenty-six of 51 popular iPhone apps tested by the Journal shared their location with outsiders.

Scott Forstall, Apple senior vice president of iPhone software, said the company doesn't allow apps, including its own, to use location data without the user's consent.

He said the company allows users to turn location features on and off by app and shows them which ones have used location in the last 24 hours. "We are vigilant about making our location use completely transparent," he said.

Apple acknowledged it was partly responsible for users' concerns because it has not provided enough education about these issues. "We're going to start thinking about that right away and the time to do it is when it's on people's minds," said Mr. Jobs. He added other phone makers needed to make those efforts too.

Write to Yukari Iwatani Kane at yukari.iwatani@wsj.com

Thursday, April 28, 2011

Amazon packing after House vote


Online retailer cancels contracts, job postings for Cayce site

By TIM FLACH -  tflach@thestate.com

Amazon all but told South Carolina goodbye Wednesday after the online retailer lost a legislative showdown over a sales tax collection exemption it wanted in exchange for opening a distribution center that would bring 1,249 jobs to the Midlands.

Company officials immediately halted plans to equip and staff the one million-square-foot building under construction at I-77 and 12th Street near Cayce.

"As a result of today's unfortunate House vote, we've canceled $52 million in procurement contracts and removed all South Carolina fulfillment center job postings from our (Web) site," said Paul Misener, Amazon vice president for global public policy.

The decision came shortly after state representatives rejected the tax break 71-47.

"People who think this is a bluff don't know Amazon," Lexington County Councilman Bill Banning said. "Too many other states want them."

The partly finished center probably will be completed and then "put into mothballs," he said.

Most Midlands lawmakers supported the exemption, but opposition fanned by a coalition of small merchants, national retailers and Tea Party activists proved insurmountable, even as Misener came to lobby lawmakers Wednesday in a last-ditch bid to save the proposal.

Other measures proposing the tax break remain alive, but a loss that was unexpectedly lopsided makes it unlikely any will be considered.

"This is really devastating," said House Majority Leader Kenny Bingham, R-Lexington. "Anything is possible, but this makes it pretty difficult to resurrect."

The loss of Amazon will be a black eye for future efforts to lure major employers to the state, Amazon allies warn.

"It's beyond a squandered opportunity," Banning said. "It's a disgrace. It's likely no one will even look at coming here for 10 years."

Foes of the tax break said the outcome isn't a blow to economic development but a warning against seeking what they call sweetheart deals designed to benefit a few at the expense of many.

It's also a message that the days of favors such as letting online retailers play by rules that others don't are numbered, they said.

"Amazon has told lawmakers across the country that evading sales tax collection is not central to their business model," said Brian Flynn, executive director of the South Carolina Alliance for Main Street Fairness, a mix of Midlands and national retailers. "Tonight (Wednesday) they've shown their true colors and proven they'll go to any length to protect their unfair advantage. These bullying tactics have been seen across the country. I want to thank the South Carolina House for standing with small business owners who support our local companies."

The outcome ends a conflict that began after other retailers learned shortly after Jan. 1 that the package of incentives offered Amazon included a promise to seek the tax collection exemption.

Other merchants argued that put them at a competitive disadvantage, since buyers perceive Amazon's untaxed prices as lower.

Amazon's bid for it also suffered a setback when Gov. Nikki Haley - who calls job creation her top goal - took a hands-off approach on a deal shaped under her predecessor without much legislative consultation.

Haley said it's one she wouldn't make but would accept if approved by the Legislature, infuriating fellow Republicans who felt she unfairly put the onus on them.

Amazon allies portrayed the deal as favorable financially, saying it would net state and local coffers $11 million after an exemption costing $2.5 million.

The chorus of criticism increased as social conservatives, Tea Party members and other business groups lined up against the exemption even though Amazon allies warned that opposition endangered jobs badly needed in a struggling economy.

"This rejection is a slap at everyone in unemployment lines," said Scott Adams of Lexington, a telecommunication equipment executive who supported the Amazon proposal.

Other critics called the exemption too much on top of a free site, property tax breaks on equipment, state job tax credits and abolition of longtime Sunday morning sales restrictions in Lexington County to facilitate Amazon's round-the-clock operation.

In the end, the tide of complaints overcame warnings from business and political leaders about broken promises harming industrial recruitment and the prospect of hundreds of new jobs for the area.

It's probably too late to persuade Amazon to reconsider its pullout, Banning said.

"It's over with," he said. "I don't think there's anything we can do to get them to stay."

Reach Flach at (803) 771-8483.