If you were at BSides Manchester in England this week, you hopefully caught James Williams’ presentation on the shortcomings of some commercial antivirus tools.
If not, and you hoped to watch it on YouTube, you may be out of luck for a while.
That’s because one of the vendors mentioned – SentinelOne – is rather upset with the talk, funnily enough titled “Next-gen AV vs my shitty code.” To stop people seeing it, the Silicon Valley biz filed a copyright-infringement complaint to make YouTube remove a recording of the presentation from the BSides Manchester channel.
El Reg has asked for clarification on what exactly the infringing content was – because a breach of the antivirus maker’s terms-of-service is not a valid reason to take down a video – and has yet to hear back at the time of publication. We also asked Williams to comment on SentinelOne’s allegations about bug disclosure methods.
And if you want to see what all the fuss is over, Williams gave a very similar talk last month at SteelCon, a hacker gathering in the north of England, which happens to be online here…
…and you can find the slides and more resources on GitHub over here. ®
UPDATE: Cory has his take up at Boing Boing, to which I have little to add:
From “Antivirus maker Sentinelone uses copyright claims to censor video of security research that revealed defects in its products” / Boing Boing
Among the companies thus humiliated was Sentinelone, who responded by sending a censorship request to Youtube claiming that Williams had violated copyright law (presumably Section 1201 of the DMCA, which bans bypassing access controls for copyrighted works), its terms of service (which corporations and US federal prosecutors have said is a violation of the Computer Fraud and Abuse Act) and trademark laws (this is pure bullshit, as trademark has an absolute “nominative use” defense that allows you to use trademarks to identify the products and services they’re associated with).
If you’re a Sentinelone customer, you should be really worried. Sentinelone argues that their products are “protecting…critical global enterprises” — but since Williams’ presentation apparently demonstrated that the version of their product he analyzed is a flaming garbage heap (they don’t really dispute this, they merely say that he should have been more polite when he outed them for their defective goods), they are not actually protecting those critical enterprises. They’re failing to protect them. So if you rely on Sentinelone’s products, or worse, if you’re a customer of one of those “critical global enterprises,” then, it seems, you are putting your trust in something that is unfit for purpose.
This is why it’s so dangerous that good actors like Mozilla, Tesla and Dropbox have published security policies that promise not to sue researchers who follow their rules. Because these companies are making the case that researchers who don’t follow the rules can be sued, they are exposing the entire research community to risks from bad actors like Sentinelone, who use the “good guys'” arguments to justify their own censorship.
Remember that these legal threats only work against people who don’t plan on attacking users of the affected products. If you’re a surveillance contractor or criminal who has found a bug in Mozilla, or Dropbox, or Tesla, or Sentinelone, you don’t need to worry about getting sued for revealing your findings, because you don’t plan on revealing your findings. You want to keep them secret for as long as possible, while you attack the unsuspecting customers of these corporations with impunity.
I am constantly surprised by the hubris of companies that think containing security testing in their pre-defined legal box will yield much of value. I expected this from Tesla and Dropbox, but that Mozilla is employing similar arbitrary constraints further contributes to my conflicted relationship with the company.