Hi, all. I'm going to move over here because I'm short as hell. Hi, everyone. Welcome, everyone, to Hacker Court. This is the last thing before closing. I swear we'll make it as entertaining as possible.

But a little bit about me. My name is Winona. You can call me Win. I used to be a threat intel analyst, malware analyst, and now I'm in law school because I love suffering. Thank you. Thank you. But what I really care about is protecting hackers from liability. And so our goal here is basically to do two scenarios that are really close to something that almost happened in real life a couple of times. And we're going to go through the legal arguments, and we're going to try and make this as technically and legally accurate as possible so that we can play this scenario out.

So here's how this is going to go. I have three actually amazing lawyers who are going to give opening remarks, call witnesses who are going to swear on our Bible, PoC or GTFO, and basically they're going to argue like a real court case. And, you know, in like 20 minutes, this is more like Judge Judy than anything real, so don't worry about it. So I'm going to call the court to order, and we're going to do this twice. Two little mini trials.

I want to thank a whole shit ton of people. I know there's so many people on stage. But first off, I want to thank my two organizing partners, Emma Planky and Mari Dugas. They are amazing badass women in cyber law. And then I also want to thank all of our participants. Many of them are lawyers. All of them are hackers. And all of them also care about making sure that y'all stay the hell out of trouble. So the last people that I want to thank, though, are also the original founders of Hacker Court. So this actually was a thing at Black Hat from 2001 to 2010. Tech has changed. The law has changed. DEF CON and Black Hat have all changed. So we've decided to revive it, give a little fun twist to it.
But thank you, Dan, Carol, Jonathan, for giving us your full support.

Okay. So I'm going to call this court to order, y'all. Our first case is United States versus John Doe Researcher. And we're going to say John Doe for a reason. So this individual, basically what they did was find a kill switch in a wormable ransomware variant and then try, yeah, and then try to deploy that kill switch at scale, which bricked a couple of victim machines. Oh my God. Y'all, get out of here. I'm going to cry on main stage, y'all.

But I say John Doe for a reason, and I want a volunteer. Does anyone want to get up here on the stage? We can do Shot the Noob. You don't have to do shit. You just have to sit here and play our defendant. Oh, let's do, all right, you, you're the one standing. Yeah, come on, come on, sit. Here's a participatory gift. Look at this. This is an actual speaker ops badge. Thank you. I mean, great. So what's your name? Uh, Jamba Juice. Jamba Juice. Great. Counsel. All right. Shot, man. In the case where the government is accusing you of committing an egregious computer crime, how do you plead, guilty or not guilty? Oh, not guilty. Thank you, Jamba Juice.

All right. I want to introduce our two lawyers today. We have, first off, our prosecution, Harley Geiger. Hey, don't boo. This is all just a simulation. Hey, woo! Harley is actually a cyber and data protection lawyer at Venable and formerly an in-house attorney and senior director at fucking Rapid7, y'all. So please give them a hand. Our defense lawyer, just as impressive. We have Kurt Opsahl, associate general counsel for cybersecurity and civil liberties policy for the Filecoin Foundation, and he volunteers as a special counsel for EFF and the Coders' Rights Project. And he's been working to counsel and defend security hackers since DEF CON 13. So please give him a hand. Yeah.

Okay. Two final things. Very, very serious. Before we get started.
The first is we're not your lawyers. We are just lawyers. So please, this is not legal advice. And then the second is we are working off scripts, for hackers, not actors. And, you know, so I see some hungover faces in the audience too. So cannot confirm or deny, but can relate. Great. All right. Prosecution, please begin with your opening statements.

Good afternoon, DEF CON jury. You're here today because in August of 2023, Mr. Jamba Juice, Mr. Juice, intentionally transmitted a program over the internet that damaged a large number of businesses, including a hospital, right? Because of Mr. Juice's actions, the Nevada branch of the St. Grace of the Unbothered Hospital was knocked offline for three days. Anybody that works in healthcare knows that a hospital without systems for three days is an absolutely catastrophic event. And in fact, St. Grace had to reroute patients to hospitals on the other side of town. So the fact that no one was killed in this incident is a stroke of luck and a testament to the great skill of our medical professionals. But nonetheless, the patient care of people who are sick and injured and suffering, that patient care was delayed as a direct result of Mr. Juice's actions.

So here is what Mr. Juice did. As we all know, earlier this year, an international criminal organization released the ego worm across the world, and this created a global security incident. Wherever the ego worm went, it exploited a vulnerability to insert ransomware into the host system. And as a worm, it spread from network to network at breakneck speed. And so thousands of organizations were in the midst of responding to this incident. They were working with law enforcement. They'd activated their IR plans. They were scrambling. The last thing that anyone needed was another loose cannon. And yet Mr. Juice independently created a program in his home lab and released it upon the world.

Mr. Juice's program was intended to be a patch, and this patch exploited the same vulnerability that the criminal organization used to propagate the ego worm. And the patch itself acted like a worm. And so Mr. Juice designed this patch to forcibly apply itself to every computer with an internet connection within reach. And so Mr. Juice's patch spread indiscriminately, as it was designed to do, impacting everything from manufacturing plants to hospitals like St. Grace. Yet the patch was also seriously flawed. It got out of control and caused some systems to crash, including St. Grace's hospital systems.

So we will hear from the defense that Mr. Juice did not intend for this to happen. That Mr. Juice was trying to help. And indeed, there is no evidence that Mr. Juice wanted to harm businesses or to disrupt hospital systems. However, Mr. Juice did intend for that program to go everywhere and to forcibly apply itself to every system that it came into contact with. What else did Mr. Juice want? Fame. Notoriety in hacker circles. How do we know this? Well, we will hear evidence that a mere two weeks after the incident, Mr. Juice was bragging about it on stage in Las Vegas.

Could this have been avoided? Was there a way that Mr. Juice could have acted differently and avoided disrupting systems like St. Grace's hospital systems? Probably. But the evidence also shows that Mr. Juice made no effort to coordinate with the vendor, the manufacturer of the operating system, made no effort to coordinate with law enforcement or with anybody who was actively trying to defend against this attack. Why not? Because Mr. Juice was chasing clout and wanted glory for themselves. And that kind of selfish recklessness puts everybody at risk. Puts the entire InfoSec community at risk, not to mention the people who are on the other end of those hospital systems. And that is why we have a responsibility to bring this case against Mr. Juice. Not for trying to help.
But by forcibly applying that patch to every computer within reach, Mr. Juice's program impaired the integrity and the availability of systems without authorization, causing harm. So accordingly, we charge Mr. Juice with one count under the Computer Fraud and Abuse Act, § 1030(a)(5)(A), of knowingly causing the transmission of a program and, as a result, intentionally causing damage without authorization, as well as § 1030(a)(5)(B), intentionally accessing a computer without authorization and recklessly causing damage. Thank you very much.

Thank you. Thank you, Prosecution. Yeah, all right. Defense counsel.

Thank you, Your Honor. And thank you, members of the jury. Good afternoon. I would like to start by reminding you that it is not a crime to be a Good Samaritan. In fact, Mr. Juice is a hero. The ego worm was a threat to our national security and was holding countless businesses hostage. Who knows how many days would have gone by before this hospital was next. My client does not deny that they didn't coordinate with law enforcement. But law enforcement was too slow to react in the face of the destruction unfolding across the world from this worm, from this worm, not from my client. Coordination would have lost invaluable time essential to addressing this crisis.

Yes, there was some damage. However, was it intentional? No. Mr. Juice was trying to fix this vulnerability, not brick computers. Was it reckless? No. To be reckless is to consciously disregard a substantial and unjustified risk. How could that have happened? How could a reasonable person have foreseen the patch would spread to this one hospital, which happened to be running Windows XP, and that the patch would cause a blue screen of death on that particular operating system? Even if this were a substantial risk, Mr. Juice wasn't aware of this. And that can't possibly be characterized as intentionally disregarding it.

Finally, was there any access to begin with? Mr. Juice didn't know which computers the patch would propagate to. How could Mr. Juice have knowingly and intentionally accessed any of them? Moreover, Mr. Juice did not access any of the computers. The worm did. The ego worm. They lost control of it after it was deployed. That's how worms operate. The affected computers did not do so much as ping back to my client. At no point was any of the information on these machines available to Mr. Juice. No access. Also, it's important to remember that nobody died. Were hospital systems down? Yes. Is my client worried about the general welfare of all patients and how they had to be rerouted? Of course. However, was the hospital able to get back up and running? Also, yes. But remember: intentional, reckless, access. These are the three things the prosecution has to prove. And today you will find, members of the jury, that they will not be able to prove this beyond a reasonable doubt. Thank you.

Thank you, Defense Counsel. Prosecution, please call up your first witness.

I call our expert researcher to the stand, please.

All right, Ian, please take a seat. The man in the Adidas tracksuit and bucket hat, expert. Please. Do you swear on this PoC or GTFO to tell the truth, nothing but the whole truth? Yeah. Please have a seat, Mr. R.

Okay. Can you state your name and occupation, please, Mr. R? Sure. My name is Ian. I am a security researcher and organizer of the Pwnie Awards. Okay. And can you tell me what this slide is, Mr. R? That is a screen cap of the CVE page for the Spend Ego vulnerability. Okay. And can you tell me when was the first time that you know that this Spend Ego vulnerability was used in the wild? It was used by a criminal group in August of 2023 to spread wormable ransomware. So the vulnerability was used by cyber criminals to spread ransomware. Was this the famous ego worm that threatened multiple industries and extorted hundreds of U.S. businesses? Yes, the ransomware in question was the ego worm. Okay.
And so the vulnerability that you see here, would you characterize this as very dangerous to exploit, Mr. R? Objection, leading. Overruled, it's relevant. Ian, please answer. It's bad. Yeah. So the vulnerability is very bad. When was the second time that this very bad, very dangerous Spend Ego vulnerability was used in the wild? It was used by a researcher a bit afterwards to install a kill switch in vulnerable systems so that the ego worm would no longer work. Thank you.

But just to be clear, does that mean that the researcher exploited the same vulnerability that you just described as very dangerous, very bad, as the criminal group, so that the researcher could then install their own software onto machines that the criminal group was already extorting? Is that what you're saying, sir? Yes, but the researcher's software was to stop the criminals' ransomware worm. That's what a kill switch is. And this kill switch software from the researcher, is it designed to spread on its own? Yes, it's a wormable patch. What does that mean, sir? That it can spread from system to system without the control of the software developer. Okay. So it spreads from system to system without the control of the developer. And so for this to work, the researcher had to exploit that Spend Ego vulnerability.

So the exploit that the researcher used, is it stable on every kind of machine, Mr. R? No. The particular exploit was stable for every version of Windows back to Windows 7, but not for anything older than that. So the researcher was using this very dangerous vulnerability, and it's not stable on every type of machine. When we say that an exploit is not stable on this older type of machine, what happens? If the exploit is unstable for older versions of Windows and tries to run on a Windows XP machine, the exploit can effectively malfunction and cause a blue screen of death. A blue screen of death? And is this an example of a blue screen of death? Unfortunately, yeah. And when your machine encounters...
Objection, that's not Windows XP. That's a mess-up on the judge's part. Whoops. But yes, we will be excluding this from evidence. Apologies, Prosecution.

Mr. R, when a computer encounters this dread and eldritch screen, what happens? What happens to the computer? It breaks. Okay, so the machine can't run. People can't use it when this happens. Excellent. I want to just make sure that we have this correctly. There is a vulnerability in the operating system that a ransomware group was using to spread the ego worm, and that same vulnerability can be used to install a kill switch that stops the ego worm. However, if it's an older version of the operating system, the kill switch will shut down the machine, make it inoperable. Is all that factually correct? Yes. Okay, thank you, Your Honor. I have no further questions.

Wonderful. Defense counsel.

Mr. R, can you describe how the ego worm ransomware worked? Yes. The ego worm has three parts: the exploit, the loader, and the post-exploitation payload. The exploit code exploits the Spend Ego RCE vulnerability, allowing the attacker to run arbitrary code on a vulnerable machine. The loader then runs certain checks against the environment, making sure that the machine is an okay target. In this case, that included seeing if a certain registry key is set, which would let it know that it had already hit that box before. If the registry key isn't already set, then the loader would execute the payload, and that would encrypt all of the files on the box and then go hunting throughout the network in order to find other vulnerable machines to propagate to. All these stages are packaged together so that the worm could spread without having to rely on connecting back to a C2. Thank you. And how did Mr. Juice's patch work? The patch worked by just setting the registry key that the ego worm looks for prior to exploitation. The worm would think that it had already infected the patched machine, and it wouldn't exploit or spread from there.
So you refer to both the ego worm and Mr. Juice's patch as being worms. What does it mean to be a worm? It means the program is self-propagating. It spreads on its own without the operator needing to do anything to keep it going. And these worms, is it correct to say they are spreading themselves using the same vulnerability? Yeah. So in order for the systems at St. Grace to be patched by my client's program, they would also have to be vulnerable to the ego worm, correct? Yes. Why did my client's patch reach the systems at St. Grace before the ego worm did? There's nothing in either program that looked for particular targets beyond just being exploitable by Spend Ego. It was just luck. That's interesting. And what would have happened if the ego worm hit St. Grace before Mr. Juice's patch? Objection, Your Honor. That's irrelevant. Overruled. Please, Ian, please respond. If the ego worm hit first, the hospital's data would have been stolen. The machines would have been locked and ransomed. Many more would have been bricked for longer, and they would have had to pay the ransomware group in order to get the decryptor. And what happened to other companies' stolen data after being hit by the ego worm? Those that didn't pay the ransom had their data leaked online, available for anyone who knows how to look for it. So it sounds like how it played... Sustained. You're right. That was literally my next line. Sustained, let's move this along, Defense Counsel, and thank you, Prosecution, and whoever that was. All right, all right.

One final question, Mr. R. Having analyzed my client's patching program, would you say that Mr. Juice, in a technical sense, had access to any of the computers that it's said Mr. Juice had access to? Not really, for most of them. They had access to the first box. They pointed it at that when they kicked it off, but that was one of their own computers. After that, it didn't build any kind of telemetry into the program.
So there wasn't any way that they could have known that it was spreading while it was spreading. That will be all. Thank you.

Thank you, Mr. R. You may leave the witness box. Defense Counsel, please call up your witness.

Thank you. I call Ian R., Pwnie Award organizer. Oh, Ian, that's actually you, though. Great. Oh, yeah, you're right. Do you swear to tell the truth, nothing but the truth? Once again, yes.

Mr. R., thank you for joining us today. Can you tell me what a Pwnie Award is? It's an old statue of a horse that you get for being a good hacker. Sorry? Can you say that again, please? It's a statue of a horse that you get for being a really good hacker. Okay. Is it true that on August 10th at approximately 6 p.m., my client received a Pwnie Award? Yes. What was the category? Epic Achievement. It's a catch-all category for work that pulls off something so truly epic that we couldn't have predicted it by creating an award category that would do it justice. And why did Mr. Juice receive this award? I don't know. He prevented a bunch of bad shit from going down. The initial patch blew up on Twitter and we needed to fit it somewhere. The hospital thing hadn't come out yet, so we didn't know that they had fucked up. No further questions.

Prosecution? Mr. R, you had just said that you gave that award and "the hospital thing hadn't come out yet, and so we didn't know that they had fucked up." What did you mean by that? They fucked up a hospital. It was very bad. So the same person that got the award had fucked up a hospital prior to you knowing about it, and you didn't know about this at the time that you gave them the award. If you had known about this incident ahead of awarding the Pwnies, would Mr. Juice still have gotten the Epic Achievement Award? No. Oh, don't boo! What would Mr. Juice have received instead of that award for fucking up a hospital? Probably an Epic Fail Award. And an Epic Fail Award is for what? For failing, epically.

So Mr. R, going back to the day of the award ceremony, did Mr. Juice accept that award in person? Yes. And did Mr. Juice make any remarks at the time, accepting the award? He said he did it for the lulz. Sorry, can you repeat that please, for the record? The lulz, Your Honor. And sir, what is your interpretation of the lulz? Objection, that's speculative. Sustained. Prosecution, please rephrase. How would you characterize Mr. Juice's demeanor when he was accepting the award? Very smug. Like the whole thing was for laughs. Like the whole thing was for laughs. Thank you, no further questions.

Your Honor, I would like to put the defendant on the stand. Oh, Mr. Juice. Well, please take the seat in the witness box. All right, do you swear on the PoC or GTFO to say the whole truth, nothing but the truth? As he said, yes. Great. Thank you.

You said in prior testimony, Mr. Juice, that you tested your patch on all the machines you had available. If you look at the slide here, you'll see your homelab's extensive list. Would you say that this was an extensive number of machines, even for a homelab? I mean, it looks a lot better than a homelab, let's be honest. Let me just start there, okay? But yes, very extensive, very well done. Thank you, by the way. And yeah, I think that answers your question. Thank you, thank you. And do you also note that on there, there is a Windows XP machine still on here, the same operating system as the hospital, Mr. Juice? Would you also say that it's impossible to test a piece of software on every different variant of every different machine? You know, let me ask ChatGPT really quick, and I'll get back to you on that one. All right, before the defendant perjures himself, I'm going to say that was a yes. Wait, wait, no further questions. Great, thank you, Mr. Juice. Defendant, you may sit back down. Closing arguments, please, counsel, starting with prosecution.
Hackers of the DEF CON jury, let's review the evidence that we've heard today. So to carry a verdict against the defendant, there are certain elements that we have to prove. First, that Mr. Juice knowingly caused transmission of a program. We heard evidence that Mr. Juice knowingly transmitted the program, right? It was intentional, it's not an accident. I think that this is well accepted and uncontested. But second, that Mr. Juice intentionally or recklessly impaired the integrity and availability of systems without permission, without authorization. We know that Mr. Juice created a program that was intentionally designed to spread to different computers rather indiscriminately and automatically, and to access those computers and install itself on those computers without the permission of the computer owners. And when it comes to disruption, we know that by forcibly accessing and running code on these computers, Mr. Juice's program impaired the integrity and the availability of those systems. So those are the elements that we have to prove.

I understand very much that there may be an impulse to exonerate the defendant because of the defendant's good intentions in attempting to halt the ego worm. However, whether the defendant had good intentions is actually irrelevant for the elements that we just discussed. You can have good intentions and still break this law. The question is, did you intentionally transmit the program? Was it intentionally going to disrupt the systems by forcibly applying itself? That was what the patch was designed to do. And were the defendant's intentions really good? The evidence suggests that the defendant was actually chasing glory for its own personal gain. And that type of behavior puts the entire security community at risk. We lose trust if that is our reputation. Whether the defendant intended to take down the St. Grace Hospital computers is also irrelevant.
The question is, did the defendant intend to impair the integrity and availability of the systems by forcibly installing unauthorized and untested software into computers that don't belong to him? And if you believe that the answer to that is yes, then I humbly submit that that should lead to a verdict of guilty. Thank you.

Thank you, Prosecution. Defense Counsel?

Your Honor, members of the jury, who here does not aspire to use their infosec expertise to make the world suck a little bit less? The only thing my client may be guilty of is an overzealous application of their elite hacker talents in service of the world. The only thing Mr. Juice ever intended was to mitigate harm. Sure, that St. Grace's systems were affected is an unfortunate and unforeseeable consequence of this attempt to save the world. But I remind you that no one has died as a result of this incident, and in fact, further harm by the ego worm was mitigated. Is it fair to say that Mr. Juice was reckless? No. They made every attempt to test this patch given the resources he had available. Sure, given what we know now, Mr. Juice's choices may seem less favorable in retrospect, but with the information available at the time, can it really be said that he did this with a conscious disregard of the risks? When tested, the patch worked, and the longer Mr. Juice spent testing, the further he knew the ego worm would spread. My client did not act recklessly; he made a calculated, risk-informed choice during a time when there were no other good options. Mr. Juice does not deny that his code ran on St. Grace's computers. However, is it fair to say he accessed these computers? No. The prosecution would have you think that authoring code that runs on a computer is enough to say that you have access to it. I disagree. At what point would that argument end?
Surely the contributors to open source projects that use code gets indirectly bundled into products cannot be said that they have access to every machine on which that project runs. I ask each of you to look into your hearts ask when you look at Mr. Juice do you see a clout chasing criminal or do you see a reasonable person doing their best under enormous pressure and helping save everybody from this horrible ransomware attack? Here's how this is going to go and it's going to go fast. Y'all are actually our jury so please I promise this is a safe QR code like putting a QR code on DEF CON whatever but I'm going to give you all 60 seconds and give me a verdict and I have a timer here and we're going to figure this out is he guilty or innocent? Remember this has to be beyond a reasonable doubt so if there is even a little bit of a doubt that he is not guilty you got to choose not guilty thank you I mean not usually but there is a yes option and a no option what do you think we're here for? we're just here to have fun, okay? I'd say for the record I would appeal those jury instructions look we have the motions for the jury instructions that you lost you got to accept that and take your appeal later I will but I specifically said that intent to harm was not one of the elements it is not you do not have to have intent to harm in order to commit CFA violation that's true this is a little bit of a kangaroo court let's be real this is exactly how it works the well actually opportunities in the law are very very easy the minute is up now that over 500 of y'all have voted which is insane how many of y'all are voting twice hey stop it 70 to 30 percent not guilty defendant you are free to go congratulations mr. juice thank you mr. 
juice alright we have one more scenario for y'all today and I do want to point out unfortunately the legal part of my brain has turned out this way from a legal perspective this is probably access and it is probably intentional if we wanted to argue that but scenario two our telecom company versus an off-sec start up so we are going to get a little bit spicy in here today guys this is a state civil lawsuit which means that the telecom company is suing the offensive start up yeah okay so here's what went down an offensive security start up produced and created an exploitation and pentesting tool for legitimate purposes this was then cracked and sold on a criminal forum and used its initial access to get into and exploit extort the telecom company telecom company can't sue the ransomware group but they can definitely sue or try to sue the US offset company so our plaintiff's council is the wonderful Mari Dugas thank you representing sorry excuse me, who is a cyber data and privacy lawyer at Cooley and formerly worked at Harvard Belfer and the office of the staff judge advocate at US cybercom and we welcome back our defense attorney because defense attorneys are overworked and underpaid please give them a hand folks and I love y'all but remember all of us lawyers up here do firmly believe even the prosecution in all of these cases believe that we want to be here to protect hackers so just we're all people alright last but not least our defendant as much as we'd love another volunteer our defendant now is Silas he is playing come on up Silas fellow goon and just wonderful general human he is playing the part of the CFO of the off sex start up company but oh my god yeah here first great so Silas in this case where the telecom company is suing you for millions of dollars of damage do you choose to defend your start up in court yep great alright yep are you sure alright great so plaintiffs council please begin your opening remarks ladies and gentlemen of the DEF CON jury 
thank you for joining us here we are here today because Mr. Silas aided and abetted a criminal ransomware gang group who caused my client millions of dollars of damage the defendant is a youth is no experience he decided to create an offensive security tool and just pursued profit a criminal ransomware gang group cracked his tool and used it to perpetrate a ruthless ransomware attack on my client on july 13th 2023 our clients systems were inaccessible for six hours the attackers encrypted my clients networks and systems they exfiltrated data including our q4 financial predictions which tanked our stock and ultimately our forensic investigation determined that the cracked entry level tool was the initial point of access so today we're here to talk to you about what aiding and abetting really means defendants aided and abetted account of 18 USC 1030 a5a which we've already talked about today computer fraud and abuse act caused property damage to my client under the common law of our state today we'll talk to you about proving that with the preponderance of the evidence only 51 percent you can have some doubt in your mind the party whom the defendant aided performed a wrongful act our ransomware gang I'll agree on that that the defendant was generally aware of his role in an overall unlawful scheme and he knowingly substantially assisted in that scheme there was property damage there was an injury to my client from a ransomware attack we can all understand that that is an unlawful act and the defendant was generally aware our expert witnesses today will show that the defendant knew that his tool was not only being purchased by ransomware gangs in general but this specific group and he didn't decide to take action until the FBI came knocking at his door had he conducted more diligence we wouldn't have been in this situation finally he substantially assisted in the wrongful act because without this offensive security tool it wouldn't have happened it was the only 
initial point of access we understand here the offensive security tools do have legitimate uses but they have the capacity to be weaponized by these bad actors and defendant played in to their bad actions thank you thank you Martin defense counsel members of the jury there are two sides to every story plaintiff's counsels painted a picture of reckless kids creating offensive security tools just to make money selling it to everyone from companies we all know goes to sometimes gets in the hands of criminal enterprises the reality significantly less cinematic defendants are five security professionals with almost ten years of cumulative experience between them defendants all graduated from top universities with computer science degrees were hired by top security companies and my client right here Silas is a seasoned security expert a consummate professional defendants all move through the ranks of these companies before seeing a gap in the product my work that they could fill a better cobalt strike a sleeker metasploit plaintiff's counsel will try to convince you that my clients are embedded in alleged criminal activity when is the criminal organization that repurposed this tool for bad uses we don't extend liability to a store owner who sells with the robber a hammer he uses to break the window why would we do that here indeed my clients are also victims a bad actor hoodwinked them purchased the entry level by pretending to be someone who weren't and repurposed it for nefarious uses committing a crime against my client off sex start-up was not generally aware of their role in this specific criminal activity at the time they sold the tool to the alleged ransomware gang and they did not knowingly or substantially assist in any violations just because my clients were aware generally of potential malicious uses of their legitimate product does not make them liable for everything that happens downstream by victims of people who are misusing that tool my clients were not 
even aware that the ransomware gang was a buyer. My clients have also fully cooperated with US law enforcement in due diligence and all of the ransomware investigations, but the telecom company still wants to sue. They seek to create new liability for everyone in infosec with no basis in law. If the plaintiffs succeed with their claim, the entire infosec industry will be open to enormous liability. Think of all the dual-purpose tools that you use every day: Metasploit, Cobalt Strike, even Shodan or other scanners may not be safe from this legal theory. This court has an imperative to dismiss the case, or else we will all pay the consequences. Thank you.

Thank you, counsels. All right, chill out, man. All right, plaintiff's counsel, please call up your first witness.

I'd like to call Silas to the stand, please. Silas, please. Do you swear to tell the whole truth and nothing about the truth? Yes. Great, that's it. I'll sit there.

Could you please state your name and your occupation for the record, please? Hi, my name is Silas Cutler. I'm a co-founder and CFO of OffSec Startup. We're offering a 15% discount... Hey, hey, hey, hey, stop it. I'm sorry, it's my first time on the stand. Silas, we talked about this. Mr.
Silas, could you please tell me what's on the slide? This is a screenshot of a chat that I received from a security researcher. And, yeah, we were able to obtain that from you in discovery. But can you walk us through what the messages are about, please? Well, you can all read it. The guy basically told us that he found a dark web post about some ransomware gangs using a cracked version of Entry Level for initial access. How'd you react to that? I didn't think too much about it. We get hit up by security researchers every few weeks about this kind of stuff. I told the CEO and we just kind of moved on. There's not much we could do. So did you take the researcher's information, his message here, seriously? Do you believe that ransomware gangs were actually using your tool for initial access? I guess so, yeah. It happens with other security tools, so I didn't think he was lying or anything. It just didn't end up being a priority issue for us.

All right, next exhibit. Same question: can you walk us through what this chat is? Who's who? I'm trying to remember. This is our internal OffSec chat from 9 July, yeah, and I'm the gray chat and the CEO is the blue. So why did you send that initial chat message? So I had gotten a weird-looking purchase order request, a PO, just written in bad English, and it came at a weird time of the night. Not that we don't check orders from out of the US or anything, but something looked off to me. My due diligence checks came up with nothing. I googled the guy's company and couldn't really find anything, which was weird too. So I told the CEO. And when you told the CEO, did he seem concerned about this? He said accept the PO, we get weird requests all the time; it also could have just been a small company. Well, in the next line it looks to me like you expressed some concern about the researcher's message. You mentioned that one. And you just told us that you weren't worried, you get these messages all the time, but yet you told the CEO, and I quote, "what did you use for an actual attack." So did you or
did you not take the threat seriously? I mean, sure. Again, I don't want anyone to get hurt, so of course I raised it with the CEO. But stuff like this happens all the time. Sometimes due diligence comes up with nothing and we have to make a call. So what did you do to investigate further? You had suspicious order activity. What did you do beyond your minimum requirements? Nope, just that.

All right, let's move on to the next exhibit then. So what's on this slide? Looks like a dark web post, a post from a dark web forum. I think it's XSS. That's right, describing the ransomware gang's use of Entry Level specifically. Were you aware of this post? Yes, sir. That's a yes? Yes, for the record, please. So after multiple researchers had told you that your tool was being spread online... Objection, speculative. Sustained. Counsel, please ask a real question or proceed with exhibits. Did you do anything with this information? I don't remember, but probably just conveyed it to the CEO. This stuff happens all the time. The bad guys take our product, crack it, and do bad shit. It happens to everyone. We can't control them. We won't be able to run a business by spending all day caring about what the bad guys do. So I'm going to sum this up: you were aware that ransomware groups have previously found and cracked your tool; you get a weird purchase order that you approve; and then the exact ransomware gang that attacked my client starts using a cracked version of Entry Level. Did I get that all? Yes. Thank you. No further questions, Your Honor.

Thank you, plaintiff's counsel. Defense, you may approach. Thank you, Your Honor. Silas, can you tell me what this is? This is our internal company export control policy. It just says we're supposed to do due diligence on potential buyers. Great, thank you. What is the OFAC sanctioned list? Does your policy require you to run OFAC checks? It's a list of entities that it's illegal for US companies to sell stuff to. I mean, the policy doesn't explicitly say that we have to check OFAC, but we
try to do it anyway, of course. Great. Are there other lists that describe entities you couldn't sell to? Yes, the Commerce Department has an Entity List of people we can't sell to either. Thank you. Do you know if ShadowCrypt is on either of those lists? They're on the OFAC list. And how do you check these lists when you have a new buyer? So we check the information the buyer provides against the two lists to make sure they're not on there, and usually I just run some quick Google searches. I work in this field; I know the names of the big players. I'm not going to sell to, like, Clop, obviously. So is there anything else you are legally obligated to do in your due diligence process aside from what I just said? No, it's not our job to research every company super in depth to make sure they're legit. So would you say you're abiding by your due diligence requirements even when you sold to someone who ended up misusing your tool? Yeah. Thank you, no further questions. Thank you. So you may sit back with the defense.

Please call up your next witness, defense counsel. Yes, my witness is an expert witness, Special Agent Smith from the FBI. I swear, I'm tired of saying it. I do, yes. Great. Thank you. Do you state your name and occupation, please? I am Special Agent Smith with the FBI Cyber Division, supporting their ransomware task force. And can you tell me when you first came across the Entry Level toolkit? I came across Entry Level when ShadowCrypt started using it for operations over six months ago. We got a tip that their newest initial access tool was made by a U.S. company, which happened to be Entry Level. And how do the FBI and DOJ investigate these tips? Well, the FBI tries to determine whether the U.S. company is actually perpetrating a crime, and then the DOJ decides whether or not they want to prosecute. The FBI will figure out what the company's role was in the overall ransomware incident, whether the tool was stolen or if they were a willing supplier of the tool.
It can be a little difficult, because good faith security research tools and malware can sometimes have similar features and overlap. And what is DOJ's policy for prosecuting good faith security research? DOJ does not prosecute. They have a policy where good faith security researchers won't be charged. And can you define good faith security research? Yes, good faith security research means accessing a computer solely for the purposes of good faith testing, investigation, or correction of a security flaw or vulnerability. All right. Great. Thank you, Agent Smith. Now, if you look at exhibit two, which showcases a description of the Entry Level toolkit, it states: Entry Level is a cutting-edge security penetration testing tool designed to help businesses identify and address potential weaknesses in their IT infrastructure. This state-of-the-art software is your first line of defense against malicious attacks and data breaches. Does that sound like good faith security research? I mean, it's a little more complicated... Yes or no? Yes, based on the product description. Sure, great. Thank you. Thank you, Agent Smith. Did you ever approach my client, OffSec Startup, when you were investigating ShadowCrypt? Yes. When you did approach my client for assistance with the investigation, when did you? It would have been a few months ago, after the telecom company breach. And what were you trying to ascertain? We were trying to determine whether or not OffSec Startup willingly sold a criminal group the toolkit. And did they fully cooperate with the investigation? Yes, but we did have to... Yes or no? Yes. Thank you. So, two final questions. Can you explain to me what cracked software is? Cracked software is where you bypass a software license key check to use that software without paying for it. Oh, it's interesting. Isn't that illegal? It is, yes. And so when ShadowCrypt was using the Entry Level toolkit, were they effectively committing a crime against my client? Sustained.
That's fine. No further questions. Uh-huh. Thank you. Plaintiff's counsel?

Thank you. Special Agent Smith, thanks so much for your time today. You're a subject matter expert in ransomware attacks, correct? Sure. Great. So can you walk us through how the ShadowCrypt ransomware would have worked if they had not had Entry Level to gain initial access? Yeah, so that's a tough counterfactual, right? They would have needed another point of entry. There are plenty of other tools that they could have purchased on the dark web, but of course the success of those tools depends on the target's systems and security. There's no one-size-fits-all for these types of attacks. So I'm hearing, then, that Entry Level gave them unique access. It did give them access, yes. And you've worked in this space for a while. As the CFO, our defendant, said before, there are a lot of companies who create similar tools. Their tools have been cracked and repurposed by attackers. This is pretty common. Do you agree, from your experience? Yeah, this is not a new phenomenon. It is pretty well known in the security community. Have you worked with those other companies? Many times, yes. How does that work? So usually those companies come to us. There are a few big players in the field, and we have rather productive working relationships with them. They often have sophisticated threat intelligence teams and capabilities, so they'll hear about these tools being cracked by particular groups, or talked about on forums like we saw earlier, well before we do. When they see that, they'll call me up, and then my team has some good leads to investigate. In a best-case scenario, we're able to shut down some of those forums, or trace the money to find who purchased the tools for those groups, or even get a heads-up on the potential victims. But none of that would happen without the companies reaching out to us and working with us proactively. Is that industry standard, would you say? That proactive outreach?
If you're making an offensive security tool, then you'd be expected, as the company, to have a relationship with the FBI? Yes, yeah, it is pretty common. So then it's reasonable to say that others in the same industry as OffSec Startup regularly contact law enforcement to help limit this bad use of their cracked tools? Yes, yeah, it is pretty common, and we're open about wanting companies to contact us. I go to all the security conferences, particularly in Vegas, and hand out my cards, and we do call up companies proactively to build relationships. Thank you. And did OffSec reach out to you proactively? Were they one of the companies who took your card at DEF CON? No, no. We had to reach out to them after the CISA/FBI alert was published. Is that relevant? Overruled. It's definitely relevant. Thank you.

Let's switch gears. Are you familiar with the specific gang we're discussing, ShadowCrypt? Yes, I've been tracking them for a while now, and was familiar with their predecessor. Any particular nuances that you've observed? Yeah, one trend that we see is they're a little bolder in their non-dark-web activity. They have some people who go out and make legitimate purchases of tools from companies directly, and I've seen a few cases where they've made purchases using the last name Gray. Great, can you take a look at this slide, please? Can you confirm that these messages in the chat that we talked about, with the CFO and the CEO reviewing a purchase order, have the last name Gray listed in it? Yes, they do. Thank you. Would you have been able to tell OffSec any more about ShadowCrypt's TTPs if they had come to you for assistance? Yeah, we share TTPs all the time with companies. That is my job. Glad you do your job. In your expert opinion, do sanctioned entities like ShadowCrypt frequently use real information when they're purchasing tools? Definitely not. No, they often use fake names or shell companies, things like the Gray name, to hide their tracks. Thank you.
No further questions. Thank you, witnesses and counsels. We are running a little bit close to time, and the DEF CON closing ceremonies are soon. So plaintiffs, please proceed with closing arguments, and make them quick.

We'll keep this brief. In a civil lawsuit, we only need 51% of the evidence to convict this client... to find him, find the defendant liable. There was an unlawful act, the ransomware attack. The defendant was generally aware of his role and his company's role in this attack at the time that they sold that tool. And they knowingly and substantially assisted that violation, because this was the unique initial point of access. The case is clear. He must be found liable and will make the telecom company whole.

Defense, your closing remarks? Thank you, Your Honor. Members of the jury, this is an unprecedented case. The plaintiff is asking you to extend a theory of liability that could fundamentally destroy a critical component of the infosec industry. My clients cannot foresee every action their customers take. My client had no clear or direct awareness that Entry Level would be used by this particular ransomware gang in this particular attack. That is not enough under aiding and abetting. We reject these arguments by the plaintiffs. Offensive security is an important, legitimate business, and the outcome of this trial is important for everybody in this community. By subjecting it to a broad liability whenever a bad actor uses pen testing tools to enter into a system instead of protecting it... we can't have liability for that, or we won't have offensive tools. We cannot ask these companies to predict the future. So thank you. I ask you to find no liability.

Thank you, guys. And thank you, everybody here who's participated today. All right, y'all. One last time. Let's give it a shot. So basically, in order to find the wonderful Silas Cutler here liable to the telecom company. Remember, millions of dollars.
You all need to figure out if it is 51% chance, likely, that he aided and abetted. So make sure that you factor that in. It doesn't have to be beyond a reasonable doubt, like a criminal case. It's 51%. All right. How do you feel, Silas? Feel good about your chances? I don't know. No? Looking great. I don't want to bias the jury now. All right. Let's take a look. 100 of y'all have voted. And with a majority, 65 to 35, Silas is not guilty. Thank you, members of the jury. Thank you, guys, so much for participating in Hacker Court today. Really appreciate it. Thank you to all the participants who have played, and our wonderful defendants. And have fun at closing, y'all.