Thank you so much, and hi everyone. Good morning, good afternoon, good evening, wherever you are. I hope I got one of them right. So we're going to talk about how to get rights for hackers. Let's dive into it, shall we?

First things first: I want to let you guys know that this talk is completely dedicated to all the hackers who've been scared to disclose, to all the hackers who've been prosecuted for trying to do something good, and to all the people who are in the fight to bring rights for hackers.

For those that don't know who I am, my name is Chloe. I am the VP of Strategy over at Point3 Security, and on top of that I'm an ethical hacker advocate. I'm basically fighting for your rights and also trying to do whatever I can to improve our hacker community. I'm the president and co-founder of WoSEC, Women of Security, and the founder of WeAreHackerz, formerly known as WomenHackerz. I'm also the podcaster for ITSPmagazine's The Uncommon Journey. And when I'm not doing that, I'm also a hacker book club organizer. Basically, we read a book about the hacker community or written by someone in the hacker community. We read a new book every month, and we meet every Tuesday at 5pm Pacific time. And yes, the authors and people mentioned in the books do attend. Our upcoming one is going to be Tribe of Hackers: Red Team Edition, so you should come and join.

That is my website, so feel free; if you want to know anything about me, it's most likely on there. And yes, my Twitter and Instagram DMs are always open. So if you do have other questions or anything like that, feel free to DM me at any time.

So we're first going to dive into the current landscape. I know this is scary, but let's dive into it together. So first things first: Equifax. I would usually say raise your hand if the Equifax breach impacted you, but let's be real. Let's just pretend. Okay.
But did you know a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 147 billion Americans? This was reported by Motherboard. Six months after the researcher first notified the company about the vulnerability, Equifax patched it, but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline. But the real question is: what if no one reported the breach? And it happens often, because hackers don't report a breach due to the fear of prosecution. This statistic was discovered by the hard worker Amit Elazari, who knows our laws prevent good hackers from doing what they do best: protecting you and me and everyone we love. She has been spearheading this movement towards safe harbor, and that is her in the corner.

So why are hackers scared? Well, besides prosecution, looking for contact information and reading the policies has been a burden to reporting vulnerabilities. Think about it. Sometimes when we find something we want to report, it can take hours, days, weeks, and then we get to a point like, should I even keep trying at this point? Trying to find the right contact information to disclose is a burden on you. This is why it's important to have these vulnerability disclosure programs or bug bounty programs, because at least you feel like you have some sort of protection and you know who to contact; you know the policies, you know what's in scope and what's out of scope, way ahead of time.

But I want to first dive into this case. So, after DJI, the drone manufacturer, recently launched a bug bounty program, two researchers, Sean and Kevin, were basically looking at their scope. The scope of the bug bounty program covers all security issues in firmware, applications and servers, including source code leaks, security workarounds and privacy issues. Now, Kevin emailed them to confirm the scope, to be safe.
It took them two weeks to finally confirm the scope. He then reported the vulnerability, and he was provided with $30,000 for the finding. However, the agreement for receiving it offered no legal protection for him. So he did what most people should be doing, which is he walked away. The revelations resulted in the company challenging the researcher's findings and seemingly threatening one with a lawsuit tied to the Computer Fraud and Abuse Act, also known as the CFAA. They claimed that basically he went out of scope, regardless of the fact that he made sure to confirm the scope. In return, he posted the entire situation, with all his conversations with DJI, publicly. If you see that link, you'll be able to see his blog and what happened. I think the best part that I read on there was this moment where, as DJI responded to his email, there was an internal chain going on, basically saying he's putting them at risk and they should do everything possible to prevent the risk, including losses and PR for them. But this case did get dropped, and they did get bad PR for this.

But language, and what is in scope or out of scope when disclosing, or how to disclose, can be so scary in policies and documents especially. It could keep all parties awake at night, and I know it has done so for me. And I know that you probably don't know, but program managers overall, they're always asking to be hacked, but not hacked badly, and how to conduct and handle situations when researchers report something is something that they need to work on too. But overall, organizations and governments all know it's probably needed at this time, as you can see on this slide. So once again, this is a scary subject, and we're going to keep getting into the more scary parts of the subject. But here are some puppies to lift your spirits. And yes, there is a picture for the cat lovers as well, so if you see the cat, bravo.
And no, sure, like a lunatic is not on here. All right. So, why are they scared? Let's dive into this a little bit more. Although ethical hackers are not malicious actors, they're still being seen and treated as such by the public. And because of this, it reduces the chance to report a vulnerability and can cause hackers to go to the dark side, because they're seen as the same by the public. To the left is what you see when typing in "criminal hackers", and to the right is "ethical hackers". Once again, there's this dark hoodie, darkness, sometimes with a ski mask. But I want to also point out that it's not just the imagery. It's also the language used in the media, as in marketing and press. Anytime I say media, it's marketing and press, and marketing could even be for InfoSec companies; you find this often. Using the term "hacker" for someone who is seen as a criminal is incorrect. They should be using the terms attacker, cybercriminal, malicious actor, and so on. Unless they report something good about us; then they can definitely do a hacker thing.

So, you're probably wondering how this imagery and language impacts us. It continues to feed the fear, the stereotypes and the biases that exist through social construction. And of course, if you have attended any of my talks before, you know I am obsessed with the brain. So we're going to talk about the brain today. What is really important is to understand how fear works in your brain. So, first of all, I want you to take a look at this. Fear is usually based around your amygdala, which is almond-shaped, and it's the size of an almond, believe it or not. Inside your brain, within the temporal lobe, it is the part where your emotions are attached to memories. If you have a nightmare, you're going to recall it a little bit more because a strong emotion was attached to it, versus if it's just a regular dream, you might not remember it; but you will always remember a dream where it is extremely happy or extremely scary. So, think of that.
Anyway, the thing that you might know about the amygdala is usually the fight versus flight mechanism. And what I really want to explain is that the fight versus flight mechanism is a great way to showcase what the amygdala does, but it also is this part of you that is subconscious, and it decides who's like you and who's not like you. And based on that belief itself, you put people into categories: people to trust and people not to trust. So, for example, the amygdala, because it's stored in the memory section of your brain, is also dictating, subconsciously, whatever socially constructed beliefs you've had. And if you're wondering what a socially constructed belief is, it's any time when you were growing up that you had a teacher tell you this is unsafe, your parents tell you that's not safe, or anything that you've seen in movies or TV that indirectly lets you know; it's some memory for you to hold on to.

Now, I want to give you kind of a better example here. I always tell people, think about it this way. You're growing up and you watched a bunch of movies as a kid, and every time someone had pink hair, they were the criminal, the villain in it. And not just that, but also you see on the news that people with pink hair are dangerous individuals committing all the crimes. You read it in textbooks, you hear it from teachers, you read everything just showcasing that people with pink hair are dangerous. So when you see someone with pink hair at this point, you will probably clutch your bag a little bit closer, or you might cross the street, or you might actually lock your car doors when you see someone with pink hair. And I know that sounds like, "but the person just has pink hair, Chloe." But you have been led to believe that someone with pink hair is someone dangerous. And that's a socially constructed belief. And the amygdala will always act on socially constructed beliefs when it comes to survival. So if it's known that someone with pink hair is dangerous...
...thus, you will react in the same way. The good news, though, is that it has to be verified. So the prefrontal cortex acts kind of like the CEO of the brain. This is completely conscious now. So what happens is the amygdala sends a message saying, warning, someone with pink hair is right behind you. So the prefrontal cortex thinks, okay, I can either cross the street, or I can go into a building, or I can clutch my bag a little bit closer, or I can look behind me to be on top of everything, possibly, or I can just ignore the threat. So the prefrontal cortex, then, is where you decide which action to take, and it sends a message back to the amygdala to act on that action. But the one thing to note is that you are completely conscious about it, and you're making that decision. But the good news is that there's still this validation. So people's biases, socially constructed beliefs or whatnot, can always be challenged. The best way to do that is through stories, hearing people's personal stories.

So for example, in the same pink hair situation, if the person with pink hair made a YouTube video talking about how it's so terrible for them, because every time someone sees them, they see them as a criminal, and how that prevents them from getting a job, how that prevents them from getting where they need to go, how, for example, cops are called on them just for being outside, and how society as a whole isn't doing enough to understand that it's just because the person has pink hair. There's nothing else to it.

So now, if you put on the lens of a hacker, you have probably experienced once or twice, when you tell someone you're a hacker or you work in the hacker community, that the next thing you know, they take a step back, or their mouth drops, or their eyes get bigger. They just get afraid, because the thing is that our world has been socially constructed to see hackers as criminals, as a blanket for all hackers.
And they don't think of them as just hackers; there's a difference between a hacker and an attacker, but they haven't learned that yet, and our personal stories are not really out there yet either. And that's the problem. So, what happens in the hacker situation is that the mindset set by society and by people in the media is keeping us unsafe and preventing hackers from doing what they do well. Companies are afraid of hackers and don't want to create vulnerability disclosure policies because of the lack of bilateral trust amongst hackers, organizations and government. It's one of the reasons why 60% do not report vulnerabilities. Hackers are scared of outdated laws such as the CFAA and the DMCA. Also, from interviewing attackers, one of the reasons they decided to move away from ethical hacking is the pay and the constant worry of being prosecuted for something legal. This is stated similarly by those who switched from being an attacker to a hacker. The reason they switched was the insomnia over being arrested, because there are cases when organizations prosecute ethical hackers regardless of whether they were in scope.

So, that leads us to needing to dive into the current legislation towards hackers that can be found in most countries. And this is worldwide legislation. Okay. Every country around the world has anti-hacking laws, anti-circumvention laws (also known as copyright-type laws), and acceptable use policies. So let's first dive into the Computer Fraud and Abuse Act. Every country has their own, but the US was the first one, I think, to put it in place. So let's dive into that one. The Computer Fraud and Abuse Act is a US cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization or in excess of authorization. It's also used when a researcher tends to go out of scope.
This act is used to prosecute hacking. Random fact: who here has heard of WarGames? Okay, did you know that Ronald Reagan watched it and freaked out about hackers, and he's like, we've got to do something, so he pushed for the CFAA to happen.

Now let's dive into anti-circumvention law, so the copyright laws. In Canada, you have the copyright law, but it's not super easy. But in the US we have the DMCA, the Digital Millennium Copyright Act, and it was enacted in 1998. It's the US copyright law that implements two 1996 treaties of the World Intellectual Property Organization, WIPO. Basically, with the right to repair, reverse engineering is seen as a breach of property.

Let's dive into the acceptable use policy. Now, who here has ever read their terms and conditions, say, for example, for an Apple product? So I tried it, I got really bored, and I decided to watch a movie instead. But in general, they can be long and have too much verbiage. It can confuse anyone, especially if English is not their first language and you're not an attorney. I'm not an attorney, by the way. But the thing is that this can lead to some serious miscommunication issues for ethical hackers that don't really speak English.

Clearly, the overall takeaway on these laws is that they're old and out of date. And honestly, they were created out of fear. And you know now about fear. By not having empathy or taking the time to understand what is actually needed, and why laws should only prosecute malicious actors, aka criminals, and not good hackers. Because at the time, and still to this day, a lot of legislators and politicians still don't know that hackers are good people. There's a difference between a malicious actor, an attacker, a cybercriminal and a hacker. The overall takeaway from here is that there are laws that prevent good hacking the same way that they prevent attackers. And we need good hacking, especially during COVID-19, you guys.
And I really hate the CFAA, and I want to dive a little bit further into it, just for you to know in case you don't. So the Computer Fraud and Abuse Act, once again, was passed in 1984 and has grown widely outdated, in that it offers prosecutors discretion to threaten huge potential fines and jail sentences for relatively undisturbing violations of computer policy. First, the CFAA, as written, punishes "exceeding authorized access" to a protected computer, a phrase vague enough to inspire some broad interpretations. Another flaw in the CFAA is the redundant provisions that enable a person to be punished multiple times for the same crime. These crimes can be stacked one on top of another, resulting in a threat of higher cumulative fines and jail time for the exact same violation. This also allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act. It also plays a significant role in sentencing: this ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions, but were nothing more than multiple convictions for the same crime.

And this is why it's now important for us to talk about the Aaron Swartz case. For those that do not know the Aaron Swartz case, it basically started in 2011. Carmen Ortiz at the US Attorney's Office charged Swartz with hacking into the MIT computer network to download millions of scholarly articles from JSTOR, an act of civil disobedience meant to protest the restricted access to research funded by taxpayers. For this, the US Attorney brought charges that carried a maximum penalty of 35 years in prison and $1 million in fines. I want to pause there, because think about that: 35 years in prison for downloading articles. You know, first-degree murder? Life in prison? No, it's actually 25 years. And yet he was facing 35.
Going back to this, they were able to charge such years because of the way the CFAA is written and the issues that have yet to be sorted since it was made into a law. If you're looking at Aaron's situation, you have to understand what he was going through. He was dealing with a 17-month legal battle, one that had no set trial date and wasn't ending anytime soon. And from Swartz's perspective, it must have been so overwhelming. It was the future of this legal battle that was cast into doubt, and Swartz unfortunately hung himself in his apartment on January 11, 2013. Following his death, the federal prosecutors went on to drop the charges. His family said that the government's prosecution contributed to his decision to take his own life. In his memory, and for what he went through, unfortunately, there was Aaron's Law. It didn't pass, probably because of lobbyists; very heavy corporate lobbyists didn't want it to pass. But what Aaron's Law does is remove the phrase "exceeds authorized access" and replace it with "access without authorization", which is defined as to obtain information, when it is clear that the accessor lacks authorization to obtain it, by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information. The other thing is that it would ensure people won't face criminal liability for violating terms of service agreements and contractual agreements, but it also limits penalties; in other words, there would be no more duplicated charges, so no more stacking on stacking, which is what Aaron went through. And with improvements to legislation, so to the CFAA and the DMCA, with these changes, then we can have what we need today.

And we need to also talk about the other parts. So, not only legislation; we talked about legislation, we talked about the media, the press and whatnot. We also talked about organizations and vulnerability disclosure programs.
And I want to dive into those three categories a little bit more, because in order to have any rights or to get any public change, we have to work with three categories. So in order to have rights for hackers, we need to get the public on board, and in order to do so, we need to dive into organizations, legislation and media. We need media to push for the public to become aware. In other words, we need to change the language and imagery of a hacker and start using the term cybercriminals for those who commit unethical hacking, to really separate the two groups. In order to help the press, organizations need to be on board with bilateral trust, with having vulnerability disclosure programs; by showing they support hackers, the public changes their view in general. And lastly, to have organizations and public opinion push and motivate Capitol Hill to get on board and update the current legislation, which will protect ethical hackers. Overall, we need all three to be supporting hacker rights for it to become a reality.

So how do we get there, you're probably wondering. These are the five needs. And this is the way we can push for awareness of ethical hackers needing rights. Now, to get there, I'm going to need your help. Overall, we need to work with the media, we need society to notice that we're everyday heroes, we need organizations to have a vulnerability disclosure program, and we need representatives to update today's legislation. But to do that, we have to change the imagery that the press is using too.

So the first step is this petition. It's for anyone out there that supports ethical hackers and wants to bring about the change, and it's the first step that I'm working on to bring attention to this matter. We have over 1,000 signatures. And honestly, it really is broken down by organizations, legislators, the media and the hacker community, and anyone who agrees with it can sign it. So you can also share it around and sign it yourself.
And it could be friends and family; it doesn't have to be that everyone who signs this is a hacker. It could be anyone who believes that we deserve rights.

The second step: tell the press. How many times do you see the press reporting on hackers in a bad light? Correct them. Write a comment below the story, tag them in a tweet letting them know the term is actually cybercriminal and attacker, not hacker; hackers are good people. So, you need to do that. The other thing is calling them out when they use the dark hoodie imagery, or the ski mask, which is still, to my mind, the worst thing ever. We need to do fact checks, and the way you do it is, unfortunately, you kind of have to publicly shame them till they get it right. And also, if you're someone who is interviewed by any journalist or anything like that, please make sure to keep enforcing it and let them know to use the term attacker versus hacker when reporting the breach. I've been doing that since I could, but it's going to take all of us, and Chris Roberts has been great also doing that kind of stuff. So push out there, let them know they got the wrong term and the wrong imagery. So, basically, everyone gets a fact check.

So the third step is to push for organizations to partner and campaign with us. In other words, we need companies, we need orgs to come out, even government agencies can, to basically come out publicly saying, we stand with the ethical hackers, and it's time to do things, or to push for vulnerability disclosure programs to other companies, organizations and so on, so they're also aware that this is a need now at this point. Also, to push for organizations to have a disclosure program, like I just said, it's really important that we do that, because I am so tired of having to spend hours, days and weeks to find some information on who to contact.
What's in scope, what's not in scope: this is so important. Every company should have that at this point, because they need us more than ever before.

The fourth step: contact your local representatives to update current legislation. So, let them know that they need to change something. Set up 10-minute appointments virtually, or try whatever you can, to work with other groups of people that want to go there and approach representatives. And the ones that you especially need to be focusing on are your local and state ones, because those are the ones that we're having some serious problems with. And also, last but not least, follow the Van Buren v. United States case. And there's a reason for that: in the fall, the CFAA is going to be revisited by the Supreme Court. So please take a look at it, follow it, and also contact your representatives around it.

The fifth step: support wonderful groups like these. So, I Am The Cavalry, Disclose.io, the CERT Coordination Center (CERT/CC), EFF, CTA and the CTI League. It's really, really important that we work together and support one another, and contact them to find out how they can do better, or how you can help. Because overall, we need to push for awareness of ethical hackers and to let people know how we really are; our stories matter, and that's how we get there.

These are the main takeaways, and I might need your advice and assistance, if you want to give some. But most importantly, I want to remind you that the change starts with you and me. It's never too late. And we must not give up, because we must continue to fight for rights. And this is the time that we do so.

And I want to first say thank you, everyone at IoT Village, for selecting my talk to be a keynote. I want to also thank you guys for participating. So thank you all for existing. I also want to give a big shout-out to Beau Woods and Harley Geiger. They helped basically put more ideas in my head for this conversation. Thank you guys so much, and thank you, IoT Village.
Once again, thank you guys for existing, and please stay safe and enjoy the rest of your DEF CON weekend.