CNET tech sites: Price comparisons | Product reviews | Tech news | Downloads | Site map
Front PageEnterpriseE-BusinessCommunicationsMediaPersonal TechnologyInvestor

News.context: Special Reports | Newsmakers | Perspectives
Discover a security flaw? Get a lawyer
By Brian Livingston
September 22, 2000, 4:00 AM PT

Some companies have a funny way of thanking computer programmers who find and inform them about security flaws in their software: They sue them.

A manufacturer of computerized gambling equipment, WMS Gaming, of Chicago, earlier this year sued Edmonton, Alberta, software consultant Zues Yaghi for $10 million after he showed the company and Canadian authorities a "back door" he'd discovered in the company's casino slot machines.

In a case that was reported in Canada, but mostly ignored elsewhere, Yaghi went to officials of the Alberta Gaming and Liquor Commission, who videotaped the consultant winning hundreds of dollars, according to The Edmonton Journal. He turned all the money over to the officials on the spot.

Both Yaghi and the manufacturing company say the software error in the machines allowed millions of dollars of fraudulent gains. At least two people other than Yaghi took advantage of the bug at casinos in the United States and Canada before the software was fixed, the company says.

Yaghi may have erred when he proposed to the company that they hire him as a consultant to find and repair such flaws for a fee of $250,000. The company offered $50,000 instead, which Yaghi declined.

The company then obtained an order from a Canadian court to seize computers from Yaghi's home, persuaded the gaming commission to ban him from Alberta casinos, and filed the $10 million lawsuit.

In response, Yaghi is suing WMS Gaming for $1 million and the gaming commission for $3 million.

All these events began in winter 2000, but the story only recently came to light. Canadian Judge Andrea Moen originally sealed the court documents to prevent information about the manufacturer's flaw from spreading. The documents were opened to scrutiny in late June, after which the Canadian press disclosed the case.

Although this unfortunate example revolves around computerized gambling, it illustrates a growing trend of so-called gray-hat hackers in all kinds of e-commerce.

As opposed to white-hat hackers, who work to improve security, and black-hat hackers, or "crackers," who steal goods or credit card information from corporate computers, gray-hat hackers ask companies to hire them to fix security flaws they've found.

In some cases, gray-hat hacking swerves from openly disclosing problems (as Yaghi did by promptly going to the company and authorities) into outright extortion.

FBI agents on Aug. 22 arrested a man in Tarpon Springs, Fla., after he allegedly used public library email terminals to demand $1 million from Boston-based Parametric Technology, according to the St. Petersburg Times.

Parametric received emails from a person threatening to reveal how consumers could "unlock" the company's sophisticated $100,000 engineering CDs without paying, FBI documents say.

In other cases, e-commerce companies are more than happy to pay big sums to gray-hat hackers who find and report weaknesses in their defenses.

A maker of computer products in China, the Hisense Group, last month offered a reward of more than $60,000 to anyone who could break into a server protected by one of its security devices, according to Computerworld.

Law enforcement officials tend to take a hard line on all forms of hacking. They say a person who tests a company's defenses is like a burglar who tries all the doorknobs in a neighborhood until he finds one that's unlocked.

By contrast, Jennifer Granick, a San Francisco attorney who specializes in defending accused crackers such as Kevin Poulsen, says white- and gray-hat hackers aren't burglars and perform a valuable service.

But she cautioned that companies may not be as sympathetic. "That's a fine line for people to walk, because the legal definition of extortion is extremely broad."

Considering today's shifting legal standards, if you happen to discover an e-commerce security flaw, you may want to follow three rules:

 Don't demand a million dollars.

 Don't send emails that say "or else."

 Have a good lawyer negotiate the contract.

Consumer advocate Brian Livingston appears at CNET every Friday. Do you know of a problem affecting consumers? Send info to He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.

More Perspectives

who's speaking?
Brian Livingston has published 10 books, including "Windows 2000 Secrets" and "Windows Me Secrets." He has been a contributing editor at PC World, Windows Magazine, InfoWorld and other magazines for more than 10 years. Before his work as an author, Livingston was a management consultant advising financial institutions on computer technologies. In 1991, he received the Award for Technical Excellence from the National Microcomputer Managers Association for his efforts to develop standards in the computer industry.


Latest Headlines
display on desktop
GE sparks market rally
Loss grows for Corel
Microsoft puts a price on IM features
Prices fall for CD rewritable drives
Homestore execs agree to plead guilty
Hotwire double-bills customers
Penguin on the prowl
Web leak of Linux lets Hat out of the bag
PayPal goes international
Who's living large at Terra Lycos?
Crooks will still be crooks
Handspring lays off 20 percent
Nvidia chips grease faster PC link
Bell Labs fires researcher
Enron auction hampers DoveBid site
China arrests Web writer for subversion
Vivendi lays out new strategy
Study: Stop trying to lock out pirates
Computer makers gird for holiday battle
Ulead updates photo software
This week's headlines

News Tools
Get news by PDA
Get news by mobile
Listen live to CNET Radio

CNET newsletters Daily Dispatch

News.context (weekly)

Investor Daily Dispatch

Week in Review

All newsletters | FAQ
Manage my newsletters

Send us news tips | Contact Us | Corrections | Privacy Policy

   Featured services: CNET SearchBar | Hosting Providers | IT Resources | Back to School Guide | Tech Jobs   
  CNET Networks: | CNET | GameSpot | mySimon | TechRepublic | ZDNet About CNET  

Copyright ©1995-2002 CNET Networks, Inc.All rights reserved. CNET Jobs