Hello everyone. I hope you had a great lunch. So this is room two, and we're going to have a talk on "What is our ethical obligation to ship secure code?" So if this is not what you were expecting, now is a good time to head to room one. We will be hosted by Elissa Shevinsky. She's CEO of Faster Than Light and she's building developer tools. She previously launched Everyday Health, which had an IPO, Geekcorps, which was acquired, and Brave, which was a $35 million ICO. Her focus is on bringing security best practices earlier in the development cycle and building tools to make it easier to ship secure code. She's also the author of Lean Out, published by OR Books. So just a few notes before we start: it's going to be a short-ish presentation of 15 minutes, and afterwards we'll open the floor. I'd just like you guys to be mindful of the code of conduct, which was presented this morning. If you have any questions about that, you can reach out to any of the volunteers in the room. And with that, thank you, Elissa. You have the floor now.

Thank you. I'm really pleased to be here at NorthSec, which is, as most of you have probably seen, such a special event, like a real community event, an event that brings together different points of view. And I'm really pleased to be giving this talk in particular. This is my first time giving this talk, which I made just for this event. I think it's a little bit unique to NorthSec to be willing to host this conversation and ask these questions. I think we can agree it's pretty important right now. And I know this is a privacy-conscious audience, so I want to invite you to please tweet this talk. Niceness is appreciated, but it's certainly not owed to me. My handle is Elizabeth on Twitter, and I'm seeing folks tweeting under NSec. Oh, I got that wrong, so that'll be wrong throughout the deck: 2019, not NorthSec 1919. And to open this up, and to quote The Good Place: what are our obligations to each other?
There are many reasons why ethical conversations are in the air these days, not the least of which is their infusion into pop culture. Bit of a hat tip there to utilitarianism. What is good? What is bad? What does Aristotle have to say on all of this? Or better yet, what are the obligations of companies towards users? It's a better question, right? I think we should ask what we're obligated towards each other, and that's an important conversation; the code of conduct nods towards that. But really, what are the obligations of companies towards users? We really need to understand and examine this. I think about this a lot as someone who is CEO of a company, but I think whether you're an employee or an individual developer, there's a lot to think about there. And certainly, if you're on Twitter or Facebook, you've thought about perhaps what they owe to you. I've certainly given that thought.

There is a $100 million class action lawsuit filed in Calgary over a massive data breach from Marriott Hotels, and I thought their claim was interesting: "The defendants knew or ought to have known that their databases were vulnerable to loss or theft." How about that? Maybe they are obligated because they knew and they failed to protect appropriately, or if they didn't know, perhaps they were obligated to know. Perhaps they should have known. Perhaps you should know better, and if you don't...

And I posed this question to some people who I think of as ethical and moral authorities. I said, what do companies owe us? What do they owe us? Terms of service. What an answer, right? Terms of service is like the minimum possible obligation that a company has to the users, and clearly there's some legal obligations there. But I mean, agree, view terms, view terms: like, do you even view the terms?
Raise your hand if you really read terms of service. I'll read them sometimes as a curiosity, like maybe I think I'm gonna go back to the company and complain. Spotify had some privacy issues that bothered me, and I wrote to them and had a conversation, and I think I read the terms of service at some point in the middle of being a customer. But it's widely understood we're not reading terms of service. Much less widely understood is that the companies can change the terms of service and it's retroactive, right? So terms of service can hardly be the barometer for what companies owe us. And what's more, terms of service isn't an ethical thing, right? It's just a legal obligation. It's the minimum legal obligation, and we're trying to have a conversation, I'm hoping to have a conversation today, about something beyond the minimum letter of the law. And my hope, as someone who runs a company, is that I'm going to do better than just the minimum.

And I had promised in the talk proposal to talk about different schools of thought, right? You've got Kant and Rawls and utilitarianism, and if anyone here really wants to do a deep dive into frameworks, you know, ethical frameworks and foundations, I am academically trained in that and I am here to have those conversations. But I just kept coming back down to the golden rule. It was really simple to me: I don't want to get hacked. I don't want to get hacked, and security people, privacy people, tend to feel that about their own data. You don't want to get hacked, and because you care about this, because it's a value for you, you want to take care of this for other people.
So, you know, we're gonna open the floor in a little bit, and I am very open to the idea that maybe I've made too many assumptions about where everyone's coming from ethically. But it's my guess that this is the moral framework guiding a lot of us: we don't want to get hacked, so we feel obligated towards that protection. And also, I don't want to get hacked, and I imagine that the executives at these companies don't want to get hacked, and so they should be doing this for me. Right? Like, Jack Dorsey doesn't want to be hacked and Jack Dorsey doesn't want to be harassed, and so he should be able to make that leap and say that he should do the same for the users. That's probably why there was a lot of talk when Mark Zuckerberg had some features that not all the users had. It's like, well, he has these features. He has the ability to unsend a message, so clearly he understands that's valuable. Why doesn't he extend that to everyone? And then they did. To Facebook's credit, they actually do have some responsiveness. So I'm just saying that a lot of these companies could do better, and that laws can be changed, and laws aren't ethics.

So what should companies be obligated to do in terms of shipping secure code, protecting user data, and responsibility for their platforms? And I thought that this is an interesting opportunity, we're all here together, we care about these things, to open it up a little bit. I have a story that I want to share after this, so this isn't the end of the part where I stand up and talk, but I'm gonna step away from the laptop for a minute and let's open this up. Really, what do you think? What do you think the obligations are? What are companies' obligations to be shipping secure code? Pretty clearly companies are not shipping the most secure code that they could be, but they're following their terms of service. I don't think this is okay. And if you have opinions on this, I'd really... let's hear it. Thank you.
If you'll say your name.

I'm widely known as Jay Bash from the FBI. No less. Okay, I'm not from the FBI. I am not impersonating a US federal officer, which is probably illegal in Canada.

Yes. Yes, I'm glad we clarified that for the record.

I'm interested in why you choose to cast this in terms of companies. If I were a real engineer doing real engineering and I designed this room and it fell on people because I screwed up, I would be personally held responsible.

Yes, so that's the next question, actually. Thank you, that leads to our next point. There's a responsibility that corporations have, but corporations are just made up of people anyway. And so I think it can be kind of easy to look at companies and say, well, companies have these legal obligations, but the decisions aren't made by companies. They're made by individuals inside the companies, even though those decisions are made by, you know, people sitting around a table. It's the board of directors. It's three or five or seven or some number of people. And a lot of us in this room are either individual developers or pen testers; we fall somewhere along that spectrum. So I think that's perhaps an even better question, and one that is more appropriate to those of us in the room. As for individual liability, I don't know, right? That probably depends on the contracts that you sign, which again is a legal question. But ethically, if I designed this room and it fell on people, I would feel bad. So let's keep it going, please.

Hello, I'm Jeffrey Goldberg. And I think, just following up on that "I would feel bad," I've noticed that a fair number of people actually do say, well, it isn't illegal, or what I did was lawful, and they somehow equate, in their view, what's ethical to what they can legally do.

That's right. I have a legal right to be an asshole, but I hope... That's right. That's right.
And I think if there's one point that I really have to share, and it's one that I believe is widely shared in the security community but that we could discuss more, talk more about, and bring more out into mainstream awareness, it's that tremendous difference between what's legal and what should be. It's legal right now for companies to ship code knowing that it's insecure, or rather, knowing that they haven't done everything that they could to secure data, to secure their processes. All of that could be legal. And then the marketplace... a lot with companies is fiduciary responsibility, and that's legal and that's very real. Company executives have what's known as fiduciary duty. They have to make some money for the companies. They have to put making money first. But you can ship secure code and still be successful, still make money. And saying it was legal is obviously not good enough. And if it is good enough, we're able to change the laws. This is a moment right now, certainly in America, maybe also in Canada and other places around the world, where people are making really big changes in laws. I think the abortion law that people are talking about in the southern states in the United States is a really good example: a very big legal change that's happened without even a lot of support necessarily. And so just because something's legal doesn't even mean it's permanent. It's legal today. What if we all decide we don't want it to be legal anymore? Things can certainly change.

Yes, as a counterpoint to what you were saying, particularly from a small business point of view: CEOs, in the sense that they are CEOs when the business is still that small, not exactly a CEO, are looking to get a product to market and beat their competitors, and see that if we can cut some of this security... The engineers provided a proof of concept.
It works. Let's get it out there, see if anybody wants to pay for this, right? And then once we have money we can fix it. And I think often, you know, the fix comes a little late, but they're looking to get something out there. They're looking to actually have the money, to stop, I don't know, using the personal savings or whatever they're using to fund the company early on. And it's seen as a fairly dramatic overhead.

Right, it's considered a high-cost thing to be secure as a startup. With all of my startups, since at least 2013, we just deleted all the user data. We said, okay, we're a really small company, we're not in a great position to protect everything. And one of the talks that I gave a lot over the last years was doing security for startups, and if you just don't hold on to user data, that can be a really good way to manage: just don't hold it. If you don't have the capability to protect it, just don't hold on to it. That's been my take. That said, I definitely understand there are a lot of startups and they just don't have that protection. I had a friend who wrote to me and he said, please try my product; by the way, don't use an important passcode because there's like no SSL on it. Like, there's nothing good that you need on any of this. And I actually wasn't mad about that. Like, okay, he has been transparent with me and I know what I'm signing up for. And so I think that's also a model that, from my point of view, is reasonably ethical. Like, we are shipping a beta product to our users this week, Faster Than Light, rather next week, this week, next week, and we're just going to be really clear about the status of the product. Like, we actually have pretty good security because we're security people, but it's a beta and we're just being really clear: here's the things that are edge cases, here's the stuff we haven't tested really well. And so I think some measure of transparency. The problem is people ship stuff; we have no idea what the security is with tools that you use, and
people, just a lot of founders, there's an attitude that it's just okay and that it doesn't matter. But then there are consequences for people down the line. And so it's mostly an attitude of not thinking through or caring enough about those consequences, which I'd argue is a problem.

This is probably a good moment. I have a story that I want to share. Story time. I've been working in the blockchain space, and I saw something just wild. I saw something that I've never seen as a security person anywhere else. These are all screenshots from what's known as an audit report. Everyone in blockchain security knows the word "audit" is the wrong word to use, but we've been using it, so we just call it an audit report the way you do, and everyone just agrees to use the wrong word. And it's wild: before companies in the blockchain space, especially Ethereum, but also EOS, also other parts of the blockchain ecosystem, they get a pentest report before they ship code live. It doesn't matter how big or small the company is, and companies will come to me, they're like, we don't have any money, we'll give you tokens, we'll give you equity, like, we need an audit report. Like, we don't have any money and we're not going to go live without a report. We're gonna find someone who will do it for us. And oftentimes I was like, well, I have to pay people, so you know, we only do work for money because I have to pay people with money. If I can find people who'd, like, work for not money, then I'm like, okay, great. But it's to show the seriousness of this in this one area. Like, why is it that even these tiny blockchain startups are insisting on really good security? What happens at the audit report? Like, really great developers, like the folks from ConsenSys who are doing a workshop tomorrow, folks from Trail of Bits, we're building on top of a tool from Trail of Bits.
They're wonderful. They go in and they actually review the code, like, line by line, and using static analysis tools, and then they send in fixes, and the companies have to make the fixes, or else it goes in the audit report that the code has vulnerabilities and they shipped the code like that. Nobody wants that. They all want the audit report to say that they did a good job. And so we all come together, all aligned, around like: we're gonna do static analysis, we're gonna read the code, and then you're gonna fix the code. It's amazing. It's like a security person's dream, right? It blows my mind. Why did this happen? It happened because investors, mostly investors, and there were a lot of regular people who were able to be investors in the blockchain space because of the way the token sales work, because of the way all the crowdfunding happened, just insisted on security. It just insisted on it. And so I think there's a bit of a lesson there for those of us who want companies and individuals inside those companies to take security more seriously. It's like, well, if enough of us come together as investors and as customers and say, hey, this is really important, this matters, it can make a really big difference. Pose for the photo.

All right, let's go back. I'm gonna talk for a few minutes and then open it back up around developers. In general, we're in a really special moment. You know, I remember when I first started, like 20 years ago, you would show up to work and you didn't get to choose what tools you used at work. Just like, you showed up and this was your workstation, and you logged in and you used whatever tools they gave you, and then you went home and you didn't get work calls. Very different. And these days, you know, it's like two in the morning and I'm Slacking with my team. So there's a price we pay for where we are. But on the other side, we're really empowered. You know, you show up to work.
You just decide whatever tools you want to use, and you can also decide that you want to pay a lot more attention to the security of your code. So I think we get to ask right now: who do we want to be? What do we want to create? Is it our job to ship code without vulnerabilities? I think this is a real question. It's a question I don't have an answer to. Can we rely on QA and pen testers? I don't know. Maybe. Maybe not. Maybe it depends on your organization. Maybe this is a really personal decision. But I think it's worth asking. And I also just really like this slide, so I wanted to include it: be the best version of you. I came across this image as I was looking for the other ones. So unless someone has something very strong to say about developers and developer ethics, do we have a hand? Because we can keep going on this. Otherwise, we'll switch gears. Yes.

Maybe they should be saved for later discussion, but I want to bring it up after your story.

Well, and I'll be around after Norman's talk. I'm gonna stay, and I encourage everyone to stay.

But just so I can make the points but not get into the discussion: with that story, I was wondering whether people were aware of the conflict of interest that offering tokens in what they're auditing would do. And the second thing is, what you were kind of suggesting there was, at least in this case, the market works.

So the market actually does work if customers and investors are empowered about it. So let me go back to where I put the wrong handle there.
I'm very human. We have to forgive each other these things, but then fix them and correct them when we can. So that's my handle on Twitter, so feel free to tweet me over that and then we could have that conversation a little more publicly, because those are interesting questions. And I also want to give a shout out to Norman, who came over and we spoke before. And I think the talk that follows in this room, and staying in this room so the conversation can continue, is a really useful way.

What are the responsibilities to protect users from harm on social media? This came up recently with the viral video that wasn't shut down quite so quickly on social media, and there seems to be a lot of consensus around the idea that it should have been. But I think a lot of these questions are not obvious. They certainly haven't been discussed at length. And how does this fit into traditional security and threat modeling? Right, like, is this something a red team should be doing? Like, who should be thinking about these things, and when? And since this was also part of the proposal, even though it's a bit of shifting gears, I think it's important when we ask what the ethical obligations of these companies are. It's, like, very heated right now. You know, President Trump recently in the United States released a form. He called it a tool, though I wouldn't call it a tool. It's not a tool. It's a form to fill out if you were silenced on social media. Like, this is an issue that is really heating up; the White House has taken it on as something that really matters. But I think the answers are really non-obvious. We need to be discussing it as a community. So with that, let's open up the floor.