Slide 1

Slide 1 text

Dishonest Software Fighting Back Against Industry Norms RubyConf 2021 Jason Meller CEO & Founder of Kolide SOFTWARE ETHICS TRACK

Slide 2

Slide 2 text

Security app for devices. Instead of locking them down, it messages employees on Slack when their device has security/policy issues. INTRO Jason Meller • Building Rails apps for the cyber security industry since 2010. • Reformed Script Kiddie • CEO, Founder of Kolide

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text


Slide 5

Slide 5 text

GE and the “Advanced Persistent Threat” (APT) The APT is a term that refers organized group of threat actors, sponsored speci fi cally by the Chinese Government that wage long-running and extensive cyber espionage campaigns against western corporations. THEIR GOAL: Ex fi ltrate valuable information that will advance Chinese military and economic interests (mostly proprietary IP)

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text


Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

The GE / Rolls-Royce F136 Advanced Turbo Fan Engine proposed for the Joint Strike Fighter (JSF) Program

Slide 10

Slide 10 text

@echo off cd /d c:\windows\tasks rar.log a XXXXXXXX.rar -v200m “C:\Documents and Settings\Place\My Documents\XXXXXXXX” -hpsmy123!@# del *.vbs del %0 FTP

Slide 11

Slide 11 text

GE’s Computer Incident Response Team (CIRT) DETECTION APPARATUS • Network taps Installed on all known o ff i ce / datacenter network egress ports 
 and VPN concentrators • All Layer 3/4 Tra ff i c automatically analyzed using signatures matching known worrying behavior • Full packet captures (PCAP) recorded for all analyzed tra ffi c, and saved for at least 30 days. CIRCA 2010 Remember: in 2010, nearly all sites did not use HTTPs. All tra ff i c was in the clear.

Slide 12

Slide 12 text

End Result: The GE-CIRT can essentially see everything each employee is doing.

Slide 13

Slide 13 text

In the United States, Yes. 
 The Electronic Communications Privacy Act of 1986 (ECPA) allows employers to… “Wait, is this legal?” CONCERNS: • Open up physical mail addressed to you at the o ff i ce. • Track your location via GPS on company devices and vehicles. • Record keystrokes, take screenshots, & save network tra ffi c on company devices. Potentially Illegal: Remote activating the webcam or microphone without prior consent. (Robbins v. Lower Merion School District)

Slide 14

Slide 14 text

• Our mission is pure: we’re Americans fi ghting a foreign enemy. • We are looking for sophisticated heists, not petty crime. We have bigger fi sh to fry. • Each member of the security team is a good person and has been extensively vetted. • We audit each other’s activities. • The psychic costs (which cannot even be measured) of using dishonest software are worth it if they prevent true-harm (which is easily measured) Good Guys Can Do Good With Dishonest Software RATIONALE:

Slide 15

Slide 15 text

Then on one dark and stormy night… 
 It happened.

Slide 16

Slide 16 text

• Contractor lost their job. • We destroyed the contractor’s personal photos forever. • Word spread fast throughout the company to other employees and contractor about the GE’s surveillance capabilities. • No tangible consequences for GE’s CIRT team members or analysis of our mission. • The lost credibility negatively impacted the security of the company. “Are We The Baddies?” OUTCOMES:

Slide 17

Slide 17 text

“Trust us. We are the good guys” DISHONEST: HONEST: “Trust us, because you can independently verify we are telling the truth.”

Slide 18

Slide 18 text

“You have the right to know what we can see” HONEST:

Slide 19

Slide 19 text

But do this right and it leads to so much more…

Slide 20

Slide 20 text

A Bad Test For Dishonest Software Does this software break the law?

Slide 21

Slide 21 text

A Good Test For Dishonest Software Would requiring informed consent break the software’s value proposition?

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

According to the complaint, the wiretaps embedded in the website’s code “are used by Defendants to secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identi fi able Information (‘PII’), in real time.”

Slide 25

Slide 25 text

You should make sure the thing we made isn’t illegal. DISHONEST:

Slide 26

Slide 26 text

“Privacy means people know what they’re signing up for, in plain English, and repeatedly. That’s what it means. I’m an optimist, I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.” Steve Jobs @ D8 Tech Conference (2010)

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

A world full of Bug Bounty Programs Ask in plain language & require a response! The Anatomy of Informed Consent.

Slide 29

Slide 29 text

A world full of Bug Bounty Programs Let them see the data collected by default The Anatomy of Informed Consent.

Slide 30

Slide 30 text

A world full of Bug Bounty Programs Allow them to revoke consent at anytime, without talking to a person The Anatomy of Informed Consent.

Slide 31

Slide 31 text

A Good Test For Dishonest Software Would requiring informed consent break the software’s value proposition?

Slide 32

Slide 32 text

YOUR ROLE You are a developer, you have more power than you think, and you have the ability and responsibility to identify dishonest software and advocate for the privacy rights of your friends, family, and fellow co-workers. DO NOT ADVOCATE JUST FOR YOURSELF

Slide 33

Slide 33 text

ARGUMENTS • Building honest software is now a competitive advantage over incumbents. • Dishonest software is incompatible with ever-increasing privacy laws (ex: GDPR / California Consumer Privacy Act) • Device vendors (like Apple) will force you to be honest eventually, but then it will be on their terms. • People who make dishonest software fi nd it easier to be dishonest to the employees. Advocating for honesty will bene fi t everyone you work with.

Slide 34

Slide 34 text

Thank you! jason @ / terracatta 
 Jason Meller @ Rails Link Slack / jmeller