A recent UDRP decision by panelist Beatrice Onica Jarka awarded transfer of 2 domain names that I was researching to the Complainant, Lockheed Martin Corporation. Ms. Jarka determined that my registration and use of the domains constituted “bad faith” because, as she stated, “It is obvious that it was the Respondent itself [me] that created the alleged vulnerability of the Complainant’s trademark, and his purpose was to offer services to the Complainant, looking for a financial gain. Even if the Respondent [me] has not yet actually requested any payment, the efforts he put in offering unsolicited protection to the Complainant’s trademarks, could be, on the balance of probabilities, an indication that the Respondent’s [my] intent is in pursuing financial gain…”.
Lockheed Martin had made the claim that I created this email vulnerability, and Ms. Jarka decided that this was “obviously” true.
In my submission I disputed this claim as follows: “The Respondent has not created the email vulnerability he is studying, but rather is passively studying a pre-existing information security vulnerability that the Complainant appears to have been not previously aware of, and which the Complainant was previously at risk of malevolent exploitation.” Then later: “The Respondent disputes the Complainant’s claim that the vulnerability had been created solely – or at all – by the Respondent. The email vulnerability being studied was pre-existing and Complainant was not aware of the risks it posed…”
For reasons not clear to me, Ms. Jarka decided that my submission in opposition to Lockheed Martin’s claim was without merit. I have to wonder how many others have got the concepts of “vulnerability” and “exploit” confused. Clearly I did create an exploit for this vulnerability, but that in itself does not cause me to be some malevolent black hat. The only way to gather evidence was to create the exploit, and what I do with the eventual evidence (if there is any) is what determines the legitimacy or good/bad faith of my efforts. If anyone sees a flaw in this line of thinking I would love to hear about it.
I went looking for definitions of “vulnerability” to make sure I’ve got this right.
I see that the Information Systems Audit and Control Association (“ISACA”) defines vulnerability in their Risk IT Framework as “A weakness in design, implementation, operation or internal control”. I feel confident in claiming that I did not create the weakness which allows anyone who registers a mis-spelled domain name to observe email sent to that domain name. This is a generalized weakness of all mis-spelled domain names which Lockheed Martin and many other organizations have failed to notice, or failed to care about.
The ISO/IEC 27005 standard defines vulnerability as “A weakness of an asset or group of assets that can be exploited by one or more threats” according to both Wikipedia and The Eclipse Foundation Security Policy. So again a vulnerability is defined as essentially a weakness. And when does the Dead Letter Office email weakness begin? When I register a mis-spelled domain name? I think not. When I observe email sent to that domain? I doubt it. When I offer to provide disclosure of the vulnerability to the affected organization? Not really.
I see other flaws in Ms. Jarka’s UDRP decision, but will address them in another post at another time. I do have the option of going to court in Arizona to try to have this decision reversed, as long as I do so within 10 days of the decision being made. But I think the cost and effort of doing this are out of scope right now for what I am trying to learn and to accomplish.