[ Features Index | Silicon Valley | Metroactive Home | Archives ]

Techsploits Shut Up By Annalee Newitz IT IS ALWAYS the same story. Some smart geek is poking around in the routers or software or other gizmos from a major corporation and discovers that—surprise—consumers are getting screwed because said corporation hasn't bothered to make its products secure against bad guys who want to steal your data and make the Internet go boom. Then the smart geek goes to the big corporation and says, "Hey, I found this dangerous vulnerability in the software you run on your routers, and I want to help you fix it." The big company freaks out and agrees to work on a fix. Weeks go by. The fix is built, but deploying it on the thousands of routers running this company's software is onerous at best. Nevertheless, the company agrees to let the public know about the flaw—it's practically a matter of national security, since its products are part of the basic structure of the Internet at this point. So the smart geek and the big corporation agree that the geek will present a paper about the vulnerability at a major computer-security convention in a very hot West Coast state known for its lax gambling laws. And then, wouldn't you know it, the company gets cold feet. Very cold. They tell the geek that he'd better not present that paper after all. They threaten him with a lawsuit. Then his own employer threatens him, too, because it doesn't want the big company mad at it. Finally, after the smart geek delivers the paper, the big company settles on a temporary restraining order against him, which results in several people spending several hours ripping the notes on his presentation out of the program books for the conference. This process is filmed by other geeks, who immediately put it up on various file-sharing networks. The smart geek's talk is distributed in the same way. Eventually, he's invited to Washington, D.C., to help advise government agencies on how to defend against this fatal vulnerability. By now, you've probably figured out that I'm not just telling you a story about a composite person. The smart geek is Michael Lynn; the big company is Cisco; and the conference is Black Hat in Las Vegas. But Lynn's story might as well be a generic one. This kind of thing happens all the time in the security world—it just doesn't get leaked at major conferences and written up in the Washington Post. (OK, it was the Washington Post blog, but still!) Not every geek is as ethical as Lynn was. Smart geeks are being harassed or bribed into silence by major corporations all the time. Imagine if a phone company were suing people who told the public that they'd discovered it was easy for eavesdroppers to overhear everybody's conversations. That's essentially what Cisco did. Their routers are as crucial to the global communications infrastructure as the telephone network is. Now, let's imagine even creepier things about the communications infrastructure. Let's say, for example, that a local post office in the United States decided that it wasn't going to deliver your postcards anymore, because they didn't conform to its arbitrary policies about what kind of mail is appropriate. If you consider that Internet service providers (ISPs) are basically digital post offices for our email, you'll find that this exact sort of capricious refusal to deliver mail is going on all over the country without check. This came to light recently in a court case against the University of Texas, whose campus ISP refused to deliver mail advertising a dating service. There was nothing illegal about the mail—it wasn't spam, at least according to the federal definition in the CAN-SPAM law. It was just advertising. The advertiser sued the university under the First Amendment for refusing to deliver its mail and lost because advertising gets very little protection under the First Amendment. The upshot? It's legal for ISPs to block your email whenever they want, even if the mail isn't illegal. I'm not playing a sad violin for the advertisers, but I am pissed off on behalf of everybody else whose legal email is being blocked for other reasons and who now have even less recourse to the law. Shouldn't ISPs have an obligation to deliver all mail that's legal, even if they don't like what's in it? I mean, the post office faithfully delivers my junk mail along with all the letters I want to read. And I pay my ISP more than I pay the post office, by far. Send a letter to the editor about this story to letters@metronews.com. [ Silicon Valley | Metroactive Home | Archives ]