Legal issues in computer security research

Alternate title: How not to get busted for hacking if you're a security researcher

Presented at AtlSecCon 2014.

Mike Doherty

March 20, 2014

Transcript

  2. Who am I?

  4. HELLO YES THIS IS LAWYER

  5. Motivation

  6. While the only secure computer is one that is turned off,
    the need for running systems overwhelms us.

  7. tech
    society

  8. 3 Questions
    What
    Why
    How

  9. What

  10. 2 relevant laws

  11. Criminal law
    Mischief
    Unauthorized use

  12. Copyright law
    Encryption
    Security

  13. Criminal law

  14. Mischief in relation to data

  16. 4 acts
    Destroy/alter data
    Render data meaningless
    Obstruct the lawful use of data
    Obstruct a person in the lawful use of data (or deny access to it)

  17. 10 years

  18. Theft of data

  20. Unauthorized use of computer

  21. 4 acts
    Obtain computer service
    Intercept a function of a computer system
    Use a computer system to commit either of the above, or mischief
    Possess or traffic in a password that enables any of the above

  22. Fraudulently and without colour of right

  24. What is unauthorized?

  25. Terms of service

  26. “You may not do any of the following while accessing or using [Twitter]: ... probe, scan, or test the vulnerability of any system”

  28. The core problem

  30. Things changed

  31. Times changed
    Ubiquity
    Public-by-default
    Service-oriented
    Always-on

  32. The bottom line

  33. Copyright law

  34. Fair dealing
    Research
    Education
    Criticism
    News reporting

  35. Security & encryption research (with strings attached)

  36. The strings
    Requires copying
    Lawful original
    Notification/consent
    No criminal acts
    “Responsible” disclosure

  37. Legal uncertainty

  38. The bottom line

  39. How

  40. White hat hackers are hired by businesses... Black hat hackers, who work independently, are intent upon destruction

  41. Risk mitigation

  42. Behave responsibly

  43. Plan disclosure early

  44. Get lawyers involved early

  45. Be wary of software vendors who don't know they're software vendors

  46. Co-ordinated disclosure

  48–51. (one table, built up column by column over four slides)
    Received disclosure | Acknowledgement | Fixed the vuln | Public security advisory
    13                  | 28              | 14             | 2
    48
    4

  52. Appearances matter

  53. Disclose via an intermediary

  54. We deserve better

  55. Advocate for change

  56. Questions
    Mike Doherty
    hashbang.ca / @mikedoherty_ca

  57. Thanks
    Images:
    Emma Poliquin
    Statham Cook collection
    tracktwentynine @ flickr
    blackeycove @ flickr
    rama @ wikimedia