Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Legal issues in computer security research

Mike Doherty
March 20, 2014
Research
0
810

Legal issues in computer security research

Alternate title: How not to get busted for hacking if you're a security researcher

Presented at AtlSecCon 2014.

Mike Doherty

March 20, 2014
Tweet

More Decks by Mike Doherty

See All by Mike Doherty
Introduction to Perl
doherty
1
100
Writing simple webapps with Dancer
doherty
0
13k
The Death of Tribal Knowledge
doherty
1
530

Other Decks in Research

See All in Research
場所参照表現と位置情報を紐付けるジオコーディングの概観と発展に向けての考察 / 言語処理学会第29回年次大会(NLP2023)
sorami
0
1.3k
Open3Dに実装された平面検出機能の紹介
datalabs
0
210
ふじみ子育てアンケートレポート VOl.2
yowata
0
140
2023 東工大 情報通信系 研究室紹介 (大岡山) / [email protected], Tokyo Tech (Ookayama Campus) 2023
icttitech
0
5.1k
RESEARCH Conference 2023/ユーザーに価値を届け続けるためのアジャイル開発とUXリサーチ
atamaplus
2
320
Phishing Hunging Operations (PHOps)
tatsui
0
2.3k
ニューラル3次元復元入門
shunsukesaito
0
320
Decarbonising Transport: Obstacles, Options and Opportunities
cutcarbon
0
230
Introducing "Instant Neural Graphics Primitives with a Multiresolution Hash Encoding"
daigo0927
0
160
NLPとVision-and-Languageの基礎・最新動向 (1) / DEIM Tutorial Part 1: NLP
kyoun
20
6.5k
CSC570 Lecture 01
javiergs
PRO
0
150
熱を用いた2次元マーカの検討 / UBI77
yumulab
0
420

Featured

See All Featured
Happy Clients
brianwarren
90
6k
For a Future-Friendly Web
brad_frost
166
8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Fireside Chat
paigeccino
18
2.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
35
9.7k
Atom: Resistance is Futile
akmur
256
24k
Agile that works and the tools we love
rasmusluckow
322
20k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
RailsConf 2023
tenderlove
0
97
Product Roadmaps are Hard
iamctodd
39
8.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
13
1.4k

Transcript

  1. View Slide

  2. Who am I?

    View Slide

  3. View Slide

  4. HELLO
    YES
    THIS
    IS
    LAWYER

    View Slide

  5. Motivation

    View Slide

  6. While the only secure computer is one that is turned off,
    the need for running systems overwhelms us.

    View Slide

  7. tech

    society

    View Slide

  8. 3
    Questions
    What
    Why
    How

    View Slide

  9. What

    View Slide

  10. 2 relevant laws

    View Slide

  11. Criminal
    law
    Mischief
    Unauthorized use

    View Slide

  12. Copyright
    law
    Encryption
    Security

    View Slide

  13. Criminal law

    View Slide

  14. Mischief
    in relation to data

    View Slide

  15. View Slide

  16. 4 acts
    Destroy/alter
    Render meaningless
    Obstruct use
    Obstruct use

    View Slide

  17. 10 years

    View Slide

  18. Theft of data

    View Slide

  19. Theft of data

    View Slide

  20. Unauthorized
    use of computer

    View Slide

  21. 4 acts
    Obtain service
    Intercept
    Computer crime
    Have a password

    View Slide

  22. Fraudulently
    and
    without colour of right

    View Slide

  23. View Slide

  24. What is unauthorized?

    View Slide

  25. Terms of service

    View Slide

  26. “You may not do any of the following
    while accessing or using [Twitter]: ...
    probe, scan, or test the vulnerability of
    any system”

    View Slide

  27. View Slide

  28. The core problem

    View Slide

  29. View Slide

  30. Things
    changed

    View Slide

  31. Times
    changed
    Ubiquity
    Public-by-default
    Service-oriented
    Always-on

    View Slide

  32. The bottom line

    View Slide

  33. Copyright law

    View Slide

  34. Fair
    dealing
    Research
    Education
    Criticism
    News reporting

    View Slide

  35. Security & encryption
    research
    (with strings attached)

    View Slide

  36. The
    strings
    Requires copying
    Lawful original
    Notification/consent
    No criminal acts
    “Responsible” disclosure

    View Slide

  37. Legal uncertainty

    View Slide

  38. The bottom line

    View Slide

  39. How

    View Slide

  40. White hat hackers are hired by businesses...
    Black hat hackers,
    who work independently,
    are intent upon destruction

    View Slide

  41. Risk mitigation

    View Slide

  42. Behave responsibly

    View Slide

  43. Plan disclosure
    early

    View Slide

  44. Get lawyers involved
    early

    View Slide

  45. Be wary of software vendors
    who don't know
    they're software vendors

    View Slide

  46. Co-ordinated
    disclosure

    View Slide

  47. View Slide

  48. Recieved disclosure
    13
    48

    View Slide

  49. Recieved disclosure Acknowledgement
    13 28
    48

    View Slide

  50. Recieved disclosure Acknowledgement Fixed the vuln
    13 28 14
    48

    View Slide

  51. Recieved disclosure Acknowledgement Fixed the vuln Public security advisory
    13 28 14 2
    48
    4

    View Slide

  52. Appearances matter

    View Slide

  53. Disclose via an
    intermediary

    View Slide

  54. We deserve better

    View Slide

  55. Advocate for change

    View Slide

  56. Questions
    Mike Doherty
    hashbang.ca / @mikedoherty_ca

    View Slide

  57. Thanks
    Images:
    Emma Poliquin
    Statham Cook collection
    tracktwentynine @ flickr
    blackeycove @ flickr
    rama @ wikimedia

    View Slide