Legal issues in computer security research

Alternate title: How not to get busted for hacking if you're a security researcher

Presented at AtlSecCon 2014.

Mike Doherty

March 20, 2014

Transcript

  1. HELLO
    YES
    THIS
    IS
    LAWYER

  2. While the only secure computer is one that is turned off,
    the need for running systems overwhelms us.

  3. tech

    society

  4. 3
    Questions
    What
    Why
    How

  5. 2 relevant laws

  6. Criminal
    law
    Mischief
    Unauthorized use

  7. Copyright
    law
    Encryption
    Security

  8. Criminal law

  9. Mischief
    in relation to data

  10. 4 acts
    Destroy/alter
    Render meaningless
    Obstruct use
    Obstruct use

  11. Theft of data

  12. Theft of data

  13. Unauthorized
    use of computer

  14. 4 acts
    Obtain service
    Intercept
    Computer crime
    Have a password

  15. Fraudulently
    and
    without colour of right

  16. What is unauthorized?

  17. Terms of service

  18. “You may not do any of the following
    while accessing or using [Twitter]: ...
    probe, scan, or test the vulnerability of
    any system”

  19. The core problem

  20. Things
    changed

  21. Times
    changed
    Ubiquity
    Public-by-default
    Service-oriented
    Always-on

  22. The bottom line

  23. Copyright law

  24. Fair
    dealing
    Research
    Education
    Criticism
    News reporting

  25. Security & encryption
    research
    (with strings attached)

  26. The
    strings
    Requires copying
    Lawful original
    Notification/consent
    No criminal acts
    “Responsible” disclosure

  27. Legal uncertainty

  28. The bottom line

  29. White hat hackers are hired by businesses...
    Black hat hackers,
    who work independently,
    are intent upon destruction

  30. Risk mitigation

  31. Behave responsibly

  32. Plan disclosure
    early

  33. Get lawyers involved
    early

  34. Be wary of software vendors
    who don't know
    they're software vendors

  35. Co-ordinated
    disclosure

  36. Received disclosure
    13
    48

  37. Received disclosure Acknowledgement
    13 28
    48

  38. Received disclosure Acknowledgement Fixed the vuln
    13 28 14
    48

  39. Received disclosure Acknowledgement Fixed the vuln Public security advisory
    13 28 14 2
    48
    4

  40. Appearances matter

  41. Disclose via an
    intermediary

  42. We deserve better

  43. Advocate for change

  44. Questions
    Mike Doherty
    hashbang.ca / @mikedoherty_ca

  45. Thanks
    Images:
    Emma Poliquin
    Statham Cook collection
    tracktwentynine @ flickr
    blackeycove @ flickr
    rama @ wikimedia