Notes from 44CON

On Monday morning I was jamming matchsticks into my eyelids to prop them open. As I was guzzling coffee to stem the onslaught of jet lag I realized that I should write up my experiences at 44CON in London last week.

Last week I was fortunate enough to be able to speak at the 44CON security conference. It was a wonderful experience and the organizers went out of their way to ensure that the speakers were well taken care of. Mind you, no one was screaming, “Where is that kid with my latte?!” So there is that at least.

I speak at or attend a fair number of conferences per year and I’ve seen everything across the spectrum. 44CON was very well run and by all accounts their best iteration yet. If you’re a speaker I would highly suggest taking the time to submit a CFP response next year.

One of the more interesting parts of the conference was that the company FireEye lawyered up on a security researcher, Felix Wilhelm of ERNW, who had taken the time to poke at their solution. He laid bare three vulnerabilities which have since been remedied. Now, there is a good way and a bad way to handle this sort of thing and, regrettably, FireEye chose the more litigious route. Reaction to this was quick in the wider security sphere on social media. But what if we have missed the simple elegance of this event?

The vulnerabilities that were discovered were laughably antique to say the least. One security practitioner quipped, “the 90s called and they’d like their vulnerabilities back.” The lawyers made the focus shift in the blink of a legal maneuver. The discussion rapidly switched from derision over the trivial nature of some of the bugs discussed at the conference to talk of Keystone Cops legal antics.


Given there’s quite some speculation and, as we think, misinformation going around we think it’s helpful to add/clarify the following information:

  • we fully comply with the injunction and we have no intentions to violate it. We do not plan to publish any technical information besides the report (agreed upon with FireEye themselves) and the slides (based on the former) anyway. No 3rd parties except for the ones involved (FireEye, lawyers) have received any additional technical information from our side, let alone an earlier version of the report.
  • the injunction covers accompanying details mostly within the architecture space, but not the core vulnerabilities themselves. Those are not part of the injunction.

It is a shame how this played out and I sincerely hope that FireEye has learned from their transgressions. I understand that the firm has a vested interest in protecting their intellectual property, but the amount of negative press does not bode well for future discussions with their customer base.

In previous roles I had worked with multiple vendors where I disclosed security vulnerabilities and, for the most part, the reactions were positive. In one case a vendor fixed the issue and issued a patch in less than 24 hours. To be fair that is by no means the norm. Of all the firms I had dealt with I had one who threatened to sue me ‘into oblivion’. I was rather surprised with the response and at the time I didn’t have the motivation to push the matter.

These events are outliers. It doesn't have to be quite so confrontational a conversation. I’m hopeful that this will serve as a lesson to other vendors in the future to engage rather than enrage.


Copyright © 2015 IDG Communications, Inc.
