Legal issues in computer security research

Alternate title: How not to get busted for hacking if you're a security researcher

Presented at AtlSecCon 2014.

Mike Doherty

March 20, 2014

Transcript

  1. None
  2. Who am I?

  3. None
  4. HELLO YES THIS IS LAWYER

  5. Motivation

  6. While the only secure computer is one that is turned off, the need for running systems overwhelms us.
  7. tech ↕ society

  8. 3 Questions What Why How

  9. What

  10. 2 relevant laws

  11. Criminal law Mischief Unauthorized use

  12. Copyright law Encryption Security

  13. Criminal law

  14. Mischief in relation to data

  15. None
  16. 4 acts Destroy/alter Render meaningless Obstruct use Obstruct use

  17. 10 years

  18. Theft of data

  19. Theft of data

  20. Unauthorized use of computer

  21. 4 acts Obtain service Intercept Computer crime Have a password

  22. Fraudulently and without colour of right

  23. None
  24. What is unauthorized?

  25. Terms of service

  26. “You may not do any of the following while accessing or using [Twitter]: ... probe, scan, or test the vulnerability of any system”
  27. None
  28. The core problem

  29. None
  30. Things changed

  31. Times changed Ubiquity Public-by-default Service-oriented Always-on

  32. The bottom line

  33. Copyright law

  34. Fair dealing Research Education Criticism News reporting

  35. Security & encryption research (with strings attached)

  36. The strings Requires copying Lawful original Notification/consent No criminal acts “Responsible” disclosure
  37. Legal uncertainty

  38. The bottom line

  39. How

  40. White hat hackers are hired by businesses... Black hat hackers, who work independently, are intent upon destruction
  41. Risk mitigation

  42. Behave responsibly

  43. Plan disclosure early

  44. Get lawyers involved early

  45. Be wary of software vendors who don't know they're software vendors
  46. Co-ordinated disclosure

  47. None
  48. Received disclosure 13 48

  49. Received disclosure Acknowledgement 13 28 48

  50. Received disclosure Acknowledgement Fixed the vuln 13 28 14 48

  51. Received disclosure Acknowledgement Fixed the vuln Public security advisory 13 28 14 2 48 4
  52. Appearances matter

  53. Disclose via an intermediary

  54. We deserve better

  55. Advocate for change

  56. Questions Mike Doherty hashbang.ca / @mikedoherty_ca

  57. Thanks Images: Emma Poliquin Statham Cook collection tracktwentynine @ flickr blackeycove @ flickr rama @ wikimedia