Slide 1

Slide 1 text

Dishonest Software Fighting Back Against Industry Norms RubyConf 2021 Jason Meller CEO & Founder of Kolide SOFTWARE ETHICS TRACK

Slide 2

Slide 2 text

INTRO
Jason Meller
• Building Rails apps for the cyber security industry since 2010.
• Reformed Script Kiddie
• CEO, Founder of Kolide
Kolide: a security app for devices. Instead of locking them down, it messages employees on Slack when their device has security/policy issues.

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

MOST PEOPLE DO NOT INTEND TO BUILD OR BENEFIT FROM DISHONEST SOFTWARE YET MANY OF US WILL.

Slide 5

Slide 5 text

GE and the “Advanced Persistent Threat” (APT)
The APT is a term that refers to an organized group of threat actors, sponsored specifically by the Chinese government, that wages long-running and extensive cyber espionage campaigns against western corporations.
THEIR GOAL: Exfiltrate valuable information that will advance Chinese military and economic interests (mostly proprietary IP).

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

PLA UNIT 61398 CENTER BUILDING (MAIN GATE. SOLDIERS VISIBLE)

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

The GE / Rolls-Royce F136 Advanced Turbo Fan Engine proposed for the Joint Strike Fighter (JSF) Program

Slide 10

Slide 10 text

@echo off
cd /d c:\windows\tasks
rar.log a XXXXXXXX.rar -v200m "C:\Documents and Settings\Place\My Documents\XXXXXXXX" -hpsmy123!@#
del *.vbs
del %0
FTP

Slide 11

Slide 11 text

GE’s Computer Incident Response Team (CIRT)
DETECTION APPARATUS, CIRCA 2010
• Network taps installed on all known office / datacenter network egress ports and VPN concentrators
• All Layer 3/4 traffic automatically analyzed using signatures matching known worrying behavior
• Full packet captures (PCAP) recorded for all analyzed traffic, and saved for at least 30 days.
Remember: in 2010, nearly all sites did not use HTTPS. All traffic was in the clear.

Slide 12

Slide 12 text

End Result: The GE-CIRT can essentially see everything each employee is doing.

Slide 13

Slide 13 text

“Wait, is this legal?”
In the United States, Yes.
The Electronic Communications Privacy Act of 1986 (ECPA) allows employers to…
CONCERNS:
• Open up physical mail addressed to you at the office.
• Track your location via GPS on company devices and vehicles.
• Record keystrokes, take screenshots, & save network traffic on company devices.
Potentially Illegal: Remotely activating the webcam or microphone without prior consent. (Robbins v. Lower Merion School District)

Slide 14

Slide 14 text

Good Guys Can Do Good With Dishonest Software
RATIONALE:
• Our mission is pure: we’re Americans fighting a foreign enemy.
• We are looking for sophisticated heists, not petty crime. We have bigger fish to fry.
• Each member of the security team is a good person and has been extensively vetted.
• We audit each other’s activities.
• The psychic costs (which cannot even be measured) of using dishonest software are worth it if they prevent true harm (which is easily measured).

Slide 15

Slide 15 text

Then on one dark and stormy night…
It happened.

Slide 16

Slide 16 text

“Are We The Baddies?”
OUTCOMES:
• The contractor lost their job.
• We destroyed the contractor’s personal photos forever.
• Word spread fast throughout the company to other employees and contractors about GE’s surveillance capabilities.
• No tangible consequences for GE’s CIRT team members, and no analysis of our mission.
• The lost credibility negatively impacted the security of the company.

Slide 17

Slide 17 text

DISHONEST: “Trust us. We are the good guys”
HONEST: “Trust us, because you can independently verify we are telling the truth.”

Slide 18

Slide 18 text

HONEST: “You have the right to know what we can see”

Slide 19

Slide 19 text

But do this right and it leads to so much more…

Slide 20

Slide 20 text

A Bad Test For Dishonest Software Does this software break the law?

Slide 21

Slide 21 text

A Good Test For Dishonest Software Would requiring informed consent break the software’s value proposition?

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

According to the complaint, the wiretaps embedded in the website’s code “are used by Defendants to secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (‘PII’), in real time.”

Slide 25

Slide 25 text

DISHONEST: “You should make sure the thing we made isn’t illegal.”

Slide 26

Slide 26 text

“Privacy means people know what they’re signing up for, in plain English, and repeatedly. That’s what it means. I’m an optimist, I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.” Steve Jobs @ D8 Tech Conference (2010)

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

A world full of Bug Bounty Programs Ask in plain language & require a response! The Anatomy of Informed Consent.

Slide 29

Slide 29 text

A world full of Bug Bounty Programs Let them see the data collected by default The Anatomy of Informed Consent.

Slide 30

Slide 30 text

A world full of Bug Bounty Programs Allow them to revoke consent at any time, without talking to a person The Anatomy of Informed Consent.
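The three properties of informed consent from the last three slides, encoded as a small consent ledger in Ruby. This is an added illustration, not code from the talk or from Kolide; the class, method names and the crash-report purpose in the comments are assumptions made for the example.

```ruby
# Added example (not from the talk or Kolide): a consent ledger encoding the
# three properties of informed consent listed above.
class ConsentLedger
  Request = Struct.new(:purpose, :why, :fields, :answer, :revoked)
  def initialize
    @requests = {}                              # purpose => Request
    @collected = Hash.new { |h, k| h[k] = [] }  # purpose => rows stored
  end
  # 1. Ask in plain language and require a response. An unanswered request
  #    is not consent, so nothing can be collected under it yet.
  def ask(purpose, why:, fields:)
    raise ArgumentError, "state the purpose in plain language" if why.to_s.strip.empty?
    @requests[purpose] = Request.new(purpose, why, fields, nil, false)
  end
  def answer(purpose, yes:)
    req = @requests.fetch(purpose)
    req.answer = yes ? :yes : :no
    req.revoked = false
  end
  # 3. Revoke at any time without talking to a person: one call, no approval
  #    step, effective immediately; data held under the old answer is dropped.
  def revoke(purpose)
    @requests.fetch(purpose).revoked = true
    @collected.delete(purpose)
  end
  def consented?(purpose)
    req = @requests[purpose]
    !req.nil? && req.answer == :yes && !req.revoked
  end

  # Collection is gated on explicit, current consent; fields outside those
  # asked for are refused so the ledger never quietly widens its scope.
  def collect(purpose, row)
    return false unless consented?(purpose)
    extra = row.keys - @requests[purpose].fields
    raise ArgumentError, "not covered by consent: #{extra.join(', ')}" unless extra.empty?
    @collected[purpose] << row
    true
  end

  # 2. Let them see what is collected, by default: every request, its status,
  #    and the rows actually held, with no one to ask.
  def visible_to_user
    @requests.values.map do |r|
      { purpose: r.purpose, why: r.why, fields: r.fields,
        status: r.revoked ? :revoked : (r.answer || :unanswered),
        rows: @collected.fetch(r.purpose, []).dup }
    end
  end
end
```

Applying the talk's "good test" here is direct: if a product cannot function when `collect` is gated on an explicit `:yes` that the user can see and revoke, its value proposition depends on the user not knowing.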

Slide 31

Slide 31 text

A Good Test For Dishonest Software Would requiring informed consent break the software’s value proposition?

Slide 32

Slide 32 text

YOUR ROLE You are a developer, you have more power than you think, and you have the ability and responsibility to identify dishonest software and advocate for the privacy rights of your friends, family, and fellow co-workers. DO NOT ADVOCATE JUST FOR YOURSELF

Slide 33

Slide 33 text

ARGUMENTS
• Building honest software is now a competitive advantage over incumbents.
• Dishonest software is incompatible with ever-increasing privacy laws (ex: GDPR / California Consumer Privacy Act).
• Device vendors (like Apple) will force you to be honest eventually, but then it will be on their terms.
• People who make dishonest software find it easier to be dishonest to the employees. Advocating for honesty will benefit everyone you work with.

Slide 34

Slide 34 text

Thank you!
jason@kolide.com
github.com/terracatta
Jason Meller @ Rails Link Slack
twitter.com/jmeller