Software maker releases the hounds on security vuln reporter

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product. A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating …

COMMENTS

This topic is closed for new posts.
  1. Morely Dotes
    Flame

    One Man's Opinion

    "When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

    O'Really?

    Well, here's the facts as I understand them:

    1. Secunia discovered a security vulnerability in Autonomy.

    2. Secunia learned that at least one customer of Autonomy may not have patched their Autonomy-based code to close the security hole.

    3. Secunia attempted to engage Autonomy to determine if the hole was, indeed, fixed and if third-party customers such as IBM had or would soon release the patch(es).

    4. Secunia published the "results so far" with, as always, an eye to preventing data breaches (anyone remember TJX?).

    5. Autonomy ignored the attempt to engage and immediately fell into "disaster spin control" mode.

    6. Autonomy also threatened litigation if Secunia performed its ethical duty to inform consumers of a possible security problem; this some 3 days *after* the information had been published.

    So, short version: Autonomy would strongly prefer that consumers who rely on their security product(s) suffer data breaches in ignorance, rather than ensure that all products built with their SDK are properly patched and secured.

    Can anyone guess why I think lawyers are (as a rule) lower on the evolutionary and ethical scales than the Ebola virus?

  2. Aubry Thonon

    Double Standards

    Think upon this:

    If someone finds that a kid's garment has a flaw in it that makes it flammable, we expect them to report it and the manufacturer to recall the garments and fix the fault. And heaven help any manufacturer that tries to hush up the problem - most governments will come down on them.

    If someone finds that a car has a flaw in, say, the brake system which can cause the brakes to fail under certain circumstances, we expect them to report it and the car maker to recall the cars and fix the fault. And heaven... (etc).

    If someone finds that a piece of IT software/hardware has a flaw in it which makes them vulnerable to attacks, they get the Lawyers sicced on them and bullied into silence under threat of lawsuits.

    I ask you, what is wrong with this picture?

  3. Jon Tocker

    @Aubry

    That's because computer data "isn't real" - it's not like the security holes are going to cost companies millions of dollars if the data is compromised or citizens are going to be harmed or disadvantaged by their personal data being compromised...

    Oh, no, wait a moment...

  4. Anonymous Coward

    Secunia

    Did what they are supposed to. The lawyers for this company are out of their league and need to go back to school (muppets). Software bugs are no great crime if you fix them promptly, and push out to customers again promptly; how hard can that be? I hate companies who fashionably think their customers are their adversaries.

  5. Anonymous Coward

    Autonomy hiding behind lawyers

    stupid...stupid...stupid...if they kept their mouth shut it would have been just one of the dozens of advisories that appear every day and are forgotten the next. Now they have their name and lame letters plastered all over. That is what happens when a company is run by morons.

  6. Anonymous Coward

    cisco example

    I wonder if you could start a case against Cisco (or any other company) as a customer of their products when they try to hide security problems?

  7. Mephistro
    Stop

    I miss the Soviet Union

    While I see the western democracies diluting themselves to oblivion by means of corruption. Thirty years ago, companies needed the government to protect them from the commies, and that brought things like social justice, education for all, socialized medicine... Nowadays, big companies are continuously eroding people's rights by using legal systems, politics and money as their tools.

    Back then there was an enemy outside. Now the enemies are here, inside our countries and above us.

    Rejoice!

    :-P

  8. Anonymous Coward
    Boffin

    Language is a funny thing...

    "When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information."

    There are several interesting ways to interpret that clause "presumably for reasons of self promotion" and, most interestingly, it cannot be interpreted as implying that Autonomy believes Secunia is presumably doing things for reasons of self promotion, because there is no reference to Secunia that can grammatically be linked to the "presumably" clause. Indeed, the most direct interpretation is that Autonomy somehow believes that users are being misled to promote themselves...

    But more interesting is that this entire statement is not relevant to this case, but is a general statement of Autonomy procedure (i.e., when x happens, we do y). It's a great way of trying to make people think, e.g., that they've nicely asked Secunia to publish full and accurate information even though the statement says nothing of the sort.

    "When the issue continues unresolved, we regret we have to ask more forcefully."

    Again, this is a general statement of procedure which is not linked to this issue in any way.

    "All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

    This is the best one of all. "All Secunia needs to do..." is not the same as "Secunia has not done..." but a lot of people make that assumption. Really, this is a statement of an ideal situation, with no judgement as to whether that ideal has been reached. Since Autonomy has equal ability to publish facts, it is logical to assume that if the ideal had not been reached, Autonomy would publish any missing facts. Since they have remained very tight-lipped about the vulnerabilities, it is logical to assume that Secunia has published the important facts. QED.

    [posted AC in case their lawyers want to go after me, now ...]

  9. TeeCee Gold badge
    Gates Halo

    So......

    From the names mentioned in the article, does this mean that MS software isn't actually less secure than others', it's just that they're the only ones who admit to their issues, welcome constructive criticism, have a mechanism for taking such on board and releasing fixes in an open and informative manner and *don't* sue the shit out of you if you discuss their vulnerabilities publicly?

    (Never thought I'd have a use for *that* icon.....)

  10. David S

    @TeeCee

    Good gracious. You're right. Black *is* white...

    I think I may have to go have a short lie down. There's a lot to take in...

  11. /\/\j17

    Language is a funny thing...

    Picking up on something in a very good post from an AC...

    "All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

    And the best way to ensure facts are published in full would be... to contact the software supplier and request more details, such as the version of the product affected and the versions that have been released to fix the defect.

    Isn't this where we started?

  12. Anonymous Coward
    Flame

    That lawyer is a bit clueless, isn't he?

    After all, he claims that "All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served".

    Hey foo', guess what, that's exactly what Secunia tried to do! And instead of providing information, Autonomy start this whole palaver about how they'll sue Secunia to high heaven if they dare to publish anything that could be confusing.

    Secunia does not publish things that are confusing. Secunia publishes facts. Stark. Naked. Facts.

    Egg. Face. Jeez.

  13. Pascal Monett Silver badge

    "every effort to nicely ask"

    Yeah, that sounds really credible.

    A bit like a scene from a cop story where the bad guy has just broken every finger in the cop's hand, then sits down in front of the pain-blinded victim, pulls out a gun, puts it to the guy's head and says: "okay, I'll ask you nicely: where did you put the advisory?".

    In any case, I've just added one more company to my list of who-not-to-deal-with. Thanks for the warning, Autonomy!

  14. Duncan

    It is all in the wording....

    ... but just look at that correspondence.

    You'd think that they would have some common sense in a modern world. Sad thing is you have to wonder how on earth they expected this not to come out.

    I really hope Secunia continue to do their job, which they do very well, with the impartiality deserved. The day any legal threat like this is treated as companies such as Autonomy wanted - will be a sad and very dark day for the future of security in computing.

    As has already been said - such openness from Autonomy will make me make sure that I will not be using any of their products in future. If you can't trust the company, you can never trust their software.

  15. Steve Renouf

    Foot, Gun, Shoot

    I just love it when asshole companies like this shoot themselves in the foot through their petty arrogance and disdain for their customers!
