Alternate title: How not to get busted for hacking if you're a security researcher
Presented at AtlSecCon 2014.
Who am I?
HELLO YES THIS IS LAWYER
Motivation
While the only secure computer is one that is turned off, the need for running systems overwhelms us.
tech ↕ society
3 Questions
What
Why
How
What
2 relevant laws
Criminal law
Mischief
Unauthorized use
Copyright law
Encryption
Security
Criminal law
Mischief in relation to data
4 acts
Destroy/alter
Render meaningless
Obstruct use
Obstruct use
10 years
Theft of data
Unauthorized use of computer
4 acts
Obtain service
Intercept
Computer crime
Have a password
Fraudulently and without colour of right
What is unauthorized?
Terms of service
“You may not do any of the following while accessing or using [Twitter]: ... probe, scan, or test the vulnerability of any system”
The core problem
Things changed
Times changed
Ubiquity
Public-by-default
Service-oriented
Always-on
The bottom line
Copyright law
Fair dealing
Research
Education
Criticism
News reporting
Security & encryption research (with strings attached)
The strings
Requires copying
Lawful original
Notification/consent
No criminal acts
“Responsible” disclosure
Legal uncertainty
How
White hat hackers are hired by businesses... Black hat hackers, who work independently, are intent upon destruction
Risk mitigation
Behave responsibly
Plan disclosure early
Get lawyers involved early
Be wary of software vendors who don't know they're software vendors
Co-ordinated disclosure
Co-ordinated disclosure timeline (built up over four slides): Received disclosure → Acknowledgement → Fixed the vuln → Public security advisory. The day counts shown on the timeline did not survive extraction.
Appearances matter
Disclose via an intermediary
We deserve better
Advocate for change
Questions
Mike Doherty
hashbang.ca / @mikedoherty_ca
Thanks
Images: Emma Poliquin; Statham Cook collection; tracktwentynine @ flickr; blackeycove @ flickr; rama @ wikimedia