Hey, everybody. Thanks for coming to what is, exactly, definitely not the Penn and Teller Theater, but I appreciate you guys squeezing in. My name is Alex Stamos. I'm here to talk about the ethics of the white hat industry. Yeah, so if you're here for something more exciting, then now's the time to go. So a couple ‑‑ this was supposed to be subtitled; a couple different things. We kicked around different ideas. You know, this could be Uncle Alex's storytime, kids gather around. It could be me dousing my career in gasoline and setting it on fire. So we'll see. There's a lot of outcomes that could happen here. So one disclaimer: I'm here personally; you don't see any corporate logos up here. If you're a reporter or you're going to tweet who I am or something, quote me or something, then just say Alex Stamos, or Alex Stamos, dashingly handsome citizen, or something like that. I'm trying to keep the corporate PR people from knowing that I'm even here. So today, this is a discussion. It's going to be an interactive discussion. Interactive means not screaming at me as if I'm General Alexander. We have specific interactive points. And I'm looking to hear from you guys, and I think I'm just hoping to kick off a discussion that we can all participate in over the next couple of years. So I'm going to do a quick recap of why we live in interesting times and the interesting ethical dilemma this poses to us these days. We're going to talk about some moral frameworks we can use to think about us as an industry and how we each act individually within the industry. And then I think the most interactive part, the fun part, is I'm going to pose some interesting situations and we're all going to vote on how we would each individually act. So this is an open discussion space. We all come here with very different backgrounds and very different feelings about what's going on in the world right now.
I just hope everybody is responsive, open, and very respectful to each other, because I think that's what DEF CON should be, right? And then at the end, we're going to talk about something you can do. You don't have to applaud yet. I'm like Dan Kaminsky. I'll stop and then see your applause point, okay? I'll go, ta-da! And you can... Okay, so where am I coming from? I'm not here to give, to put any kind of moral framework on people. I'm not here to tell you what to do, but it's good for you to understand where I come from so you understand my biases. So I, like many people, my first DEF CON many years ago, pre-Alexis Park, my dad had to rent the hotel room because I wasn't allowed to. So like many people in here, I was self-taught as a teenager. I think everybody understands the subtext of what I mean by self-taught. I've worked after college in defensive roles for big companies. I started a white hat consulting company that worked out pretty well and we have a number of... One of the best parts of my career is that I've been able to work with some fantastic people and give some fantastic people an opportunity to get into the industry. That's one of the things I'm most proud of. As part of that job, I've worked for big corporations and I've seen what it's like to be on the other side of a nation state who wants to do something bad to you. I have been asked to do stuff for the U.S. government and I've helped in the past. So, you know, I have been to places like Liberty Crossing and Fanix One. Those of you who have ironed your shirts and tucked them into your pants will understand where those locations are. And my work has put at least five people in jail. So I'm just trying to be honest with you guys about where I'm coming from. To a certain portion of the DEF CON crowd, I am an infosec sellout. I'm just going to stipulate that right now. I'm a sellout. I'm a corporate white hat sellout.
This talk is about the ethics of, if you decide to be a corporate white hat sellout, how you can do so as ethically as possible. If you're here from an anarchist or infosec-sucks or anti-sec background, then you're welcome to be here, but just realize that, you know, you're not going to argue me out of this background. And so I've been doing this, you know, for a while now. And in the last couple of years, I've had to really ask myself why, right? Like, it used to be easy to understand why you wanted to get into security. It was something fun. It was something you could get paid to do, fun things, things that you would usually do for free. And that's how a lot of us slipped into it. And I think it's a lot harder now. These days, you really need to sit down and think to yourself, what is my personal goal? And this talk is really coming out of me doing that for myself. So we live in interesting times. In the good old days, there was really one big ethical decision you had to make. Do you want to be on the white hat or the black hat side? And I roughly define this as: on both of these sides, people like to break things, right? Everybody in this room likes to look at complicated systems, figure out how it works, and then tear it apart. If you're on the black hat side, then you either use that knowledge for personal gain, you use it to embarrass people or to get your shout-outs to your friends, or you use it for some kind of political goal. If you're a white hat, you use that knowledge to try to make that system better and more secure. And you might disagree with those definitions, but that's what I'm going to use today. And it used to not be that hard. You could pick one or the other, or both, as a number of people did. But the definition was pretty simple. There's a lot of ways to be a white hat, back then and today. You can work for a big corporate in the internal security team.
You can be an independent researcher, either by yourself or in a small group of folks who are doing research. Maybe they're selling bugs. Maybe they're getting consulting contracts to pay the bills. Maybe they're living with their parents. There's a number of different ways you can fund yourself and stay independent. You could be a consultant in a more structured environment, which is kind of the environment of the company I started. Or you could be an academic. I mean, there's a lot of different other ways, but these are kind of the big categories. But back in, like, the late 90s, early 2000s, when I was getting into this world, the moral dilemmas were a lot simpler. The big thing we all fought about, and now it seems like we were children, right, fighting about this thing, was responsible versus full disclosure. The goal of both the responsible and full disclosure side was exactly the same: I've got a bug. I want to protect the world as quickly as possible from this bug. What is the best way to effect that outcome? And it's still an open discussion, but it's one that seems kind of quaint in 2013, right? Because it presupposes that everybody has the same outline of why they go and find bugs. It assumes that everybody just wants to get stuff fixed as fast as possible. Also, back in the day, you know, choosing what company you worked for wasn't that difficult. I mean, some people didn't want to work for a bank or something like that. But now we're in a world where a lot of security companies are dipping toes on both sides of the fence. They sponsor booths at Black Hat. They sponsor booths at DEF CON. They send their employees here, and at the same time, they're selling tools that can be used to oppress people, not just in developing countries, but, it turns out, in our country and other western countries. Back in that day, we had little interaction with governments.
So if you were obviously in incident response, you would interact with Secret Service or FBI, but you could go your entire career in corporate security from 1995 to 2003 and never have to talk to somebody from the NSA or FBI about just what you're doing to protect your own systems. That's obviously not true anymore. And there's a lot of gray hat activity. Like I said, a lot of people chose to be both a white hat and a black hat. But a lot of it was harmless, right? Like, a lot of the people I know holding on to the vestiges of their past to make them feel like they're still young and cool and, you know, writing some malware here or doing something over here, but a lot of that activity didn't seem really intentionally malicious, so it didn't compete too much with their white hat ethics. So what changed? Well, a lot of people always ask, when's the future coming? When am I getting my fucking robot car, right? And, you know, it turns out the future did happen in a lot of different ways. We live in the cyberpunk future that William Gibson and Sterling and all those guys were thinking about in the 80s. And that's pretty amazing, because the guys who were the sci-fi authors of the 50s and 60s, all of their stuff hasn't happened yet, but the guys in the 80s were there already, right? We live in a world where there's corporate-to-corporate and state-to-corporate info warfare on a daily basis. It is a normal part of our lives that there are companies that pay hackers, who are somewhat paid for by their nation-state, to then break into my company and steal secrets, which is, like, straight up out of two or three William Gibson novels, kind of what the base antagonists do, right? We live in a world where our country, especially, likes to kill people with semi-autonomous robots. Now, I'm not making a moral judgment here. I'm just saying, wow, James Cameron, way to go, bud. You really called that one much quicker than I expected to be true.
Obviously, we don't make them look like this, because it turns out building, like, a bipedal titanium robot is the dumbest thing you could do to build, like, a killer, and they look like lawnmowers with wings and they're way cheaper and they're way more deadly. And we live in a world where our government is literally trying to sell us on the idea of massive data surveillance being all put together as pre-crime, as preventing criminal activity via predicting people's actions by looking at their internet traffic. And I wish any of these things was an overstatement, but I don't think anybody here thinks I'm stupid. So what are some of the fun things that have happened? So we have Stuxnet and Flame. I'm sure most people here have heard of those. Those are pieces of malware that both were used against the Islamic Republic of Iran. I'm not going to be pointing any fingers at any governments that were related, but I think we all have a feeling of who might have been involved in these. And I feel this is kind of the final conclusion of the No More Free Bugs movement, right? Is that we now have an open marketplace, that didn't exist four or five years ago, for: I find an interesting exploitable bug, I weaponize it, and whoever the highest bidder is, is finally buying it. We live in a world where cyber war is real. Almost any corporation that competes on an international stage is now facing a level of threat that you only played at if you were, like, a defense contractor in 2003, right? So back then Northrop Grumman and General Dynamics and people building planes and bombs and nuclear weapons had to really care about their security. Last year I did a project at a company that makes tractors, right? And you're like, it's a company that makes tractors. They've got, what, a dozen IT guys. They've got one security person whose job it is to make sure things are patched. And you're like, well, who cares about that?
Well, they employ tens of thousands of people and they export billions of dollars of heavy industry and they have lots of competitors in places that... if you just happen to be an exporter in this world, then you're going to end up at a level of adversary that was completely unimaginable a couple of years ago. And what's really scary from that is it's almost impossible for a company that size to spend any amount of money to protect themselves. Like, the people who are doing the best and holding their own against the Chinese right now is Google. Google's got, like, 150 security people. They've got Windows kernel experts. They've got OS X kernel engineering. They have an intelligence team, right? And they're not winning. They're holding their own, right? So, like, the tractor company's fucked, right? That's basically what that means. And this is the world we live in now. Is that what competitive capitalism is all about? I'd love to talk about that a little bit later. I'm going to get through this and then I'll tell you when the interactive part is. But I'm not trying to shut that down. I just want to get through this so we have enough time. So Microsoft, for example: companies are directly attacked to create electronic munitions. So those of you who were paying attention looking at Flame: the Flame virus had an intermediate certificate authority signed by the Microsoft certificate authority. Microsoft, it turns out, they don't sell those. You can't call them up and say, hey, can I have something to sign any of your patches? You have to steal that from them. And to steal that from them, it turns out what you do is you invent an entirely new way of doing an MD5 preimage attack using math that has never been seen before. So you have to have additional power within a couple hundred millisecond window and you trick the Microsoft terminal service license certificate authority into signing a CSR that has an identical MD5 sum as one that you just generated.
This is the equivalent of killing your political opponents with $10 million of polonium when five cents of cyanide would have done it. This tells you something about the authors of Flame. This is basically the U.S. saying: I did it. What are you going to do about it? It's like killing that guy with radioactive material. You could just shoot the guy and you would have saved $9,999,985 or something, and that's to buy the entire pack of 9mm to shoot the guy. Instead they thought, we're going to scare him and spread radioactive material over London. This is the cyber war equivalent. This means that whoever wrote Flame was willing to attack a server at Microsoft live, do an actual attack against Microsoft. What does that make you feel like if you work at Microsoft? You have all of this relationship with the governments of the world where you're trying to do pre-bug disclosure and you're trying to work with them to make them feel good about your products. By the way, while you're doing that on the defense side, somebody on the other side feels like it's open season on your certificate authority. Basically, somebody else, another blogger, and I forget exactly who, made a good analogy. When you shoot a gun at somebody, they can't pull the bullet out and throw it back at you. But if you throw a rock at somebody's head and you don't kill them, they're going to throw the rock back. And that's what the cyber weapons... and I mean, using the word cyber without irony is like finding your first gray hair for the infosec community, so I apologize. But that just seems to be the terminology people are using these days. Cyber weapons are like those rocks, right? For a short period of time, the only people who knew about several supercritical bugs in Windows and the Siemens PLC controller was probably the United States, Israel, and anybody in Iran who paid attention to look at running services in the background in the nuclear power plant.
Which, thank God this guy is Finnish, right? Because if Mikko Hyppönen and the other folks who have been finding these cyber weapons in the wild had any kind of other... didn't come from a society where they're totally neutral and all about social justice, we very well could have seen these weapons turned against all the companies we work for and our own personal data and uses. So it brings up a question about how you interact with cyber war. If you're discovering bugs, you know, who's buying them? Is it offensive or defensive teams? I've never heard of anybody selling their exploits in a way that they knew. All they know is that there's a customer, but the customer has many, many different things going on with them. Are they using it for foreign use or are they using it domestically? And what goals are being accomplished? And something I really think about: when you sell bugs to a government, is it the nation's goals or the government in charge's goals at that moment that are being discussed? And if you want to know what the difference is between the nation's goals and the government's goals, I see several people with white ponytails; you can ask them about a man named Richard Nixon. So we also have a world, not on the defense side but on the justice side, with the Justice Department, where we have this real problem in our world of the difference between prosecution and persecution getting really blurred. For example, there's a lot of people who are stealing secrets from their bosses, which is as old as time itself. Salespeople have left jobs and taken their customer lists with them, right? And this is why we have NDAs. This is why we have civil lawsuits between companies that believe people have stolen their trade secrets. But instead we are now prosecuting these people as criminals using the Economic Espionage Act of 1996 because it happens to be on a computer, right?
So 20 years ago, if you walked out with a sheaf of paper, you would have gotten sued or a nasty letter, and maybe you would have had to give it back or you could have lost some money. These days, if you do the exact same thing, you're sued like these guys: Sergey Aleynikov, who beat his rap of leaving Goldman Sachs and is now fighting it again (Vanity Fair just had a really good profile on him), and Agrawal, Ben Pooh, Sahil Apple, all people who also left the financial industry taking some secrets with them. I don't think they should walk out with the secret codes that allow those hedge funds to make money, but I also don't think it's a national security issue. This is a private business issue between these folks, which is now becoming nationalized, and the soul-crushing power of the United States Department of Justice is being turned against these people. And then of course we all know about the Computer Fraud and Abuse Act: people like David Nosal, who again took some customer data out. weev, who I don't exactly consider an ethical researcher, but I also don't think he deserves to be in jail longer than, say, a rapist. Lori Drew, who again, not... Lori Drew, not a nice person. I don't think violating the MySpace terms of service is a federal offense. And Aaron Swartz, the kind of elephant in the room. So where I come to this is from my personal relationship here. Like I said, my work output has been used several times in the prosecution of people who have done bad things. And these were, like, legitimately bad things, not like they stole a book or something like that. And as part of my penance, I've been doing a bunch of pro bono work over the last couple years. So our company provided pro bono work to George Hotz, to Geohot, during the Sony case, which is not a criminal case, but had the same kind of effect of Sony doing everything possible to cost him money. I once had a meeting where I was with George's lawyer, who's, like, a real estate lawyer.
And he's like, I'm going to try my hand at internet law, right? Like, okay, that's great. Maybe if my life's at stake, that's probably not what I want to try. But I had him, who doesn't know anything about the case, but came just to have somebody else on that side of the table, and me, the geek, and sitting across from us were four big law partners who almost certainly were collectively billing $2,400 an hour to sit there across from us, right? And that was, like... this is because a guy was able to hack the PS3 and put it on his blog, Sony's willing to just bury us in paper. And obviously that happens in civil cases and there's not a lot we can do about that. I've worked on Aaron Swartz's case as an expert witness for his defense. And it made me really think about it, because part of my job for the defense was to read the expert report that the prosecution's expert created, and I'm not going to say who this is or what company he worked for. I don't think he did anything wrong. This is a guy who works at a reasonably well known consulting company who's approached with, we'd like you to do some forensics on these machines and tell us what happened. And he wrote about the scripts and how they download these things, and, I found this in the logs and it looks like he changed his MAC address and changed his IP address. We had a couple of things we were going to hit him with on the stand, but honestly he didn't lie. He didn't make things up. But his report was then taken by the U.S. Attorney's Office and twisted and turned and pulled out of context to turn Aaron Swartz into the super hacker that was destroying MIT's network and JSTOR. And if I was him, I'd be really pissed, really pissed at the way it was used to persecute and hound the man to death. And it made me really think, like, how are we supposed to do that? What is our role here? Is our role as technical experts just to tell the truth?
And then it's other people's job to make sure justice is done or do we have a more active requirement to participate in justice being served in the technical world? And then obviously we have the NSA scandals where all the crazy people, basically everything they've been saying for years and I apologized to every crazy person that I dismissed with like at a DEF CON party you know with oh that's nice, oh that's really interesting, I gotta go I gotta talk you know all those people were right which is not great and I keep on hearing from people well I always knew and the answer is no you didn't, you always suspected this stuff was going on but now, yeah this isn't a secret slide sir, this is from the Washington Post so you don't have to read it too closely I'm not leaking anything more here the you know we suspect it's different than knowing and I think the reason that's important is this thing called the Overton window. Who here has ever heard of the Overton window? Okay a couple of policy majors so there's this guy Joseph Overton who's a political science professor who came with the idea that ideas the most important thing about the public accepting an idea is whether it's considered within the window of acceptable discourse right so he talks a lot about the need for movements for change to have radicals so for example you know in the civil rights struggle Malcolm X was a radical whose ideas were not accepted at any time by more than a couple of percentage points of the population but he had the effect of being the crazy person outside of the window and therefore expanding the Overton window of what was acceptable political discourse for civil rights in which Martin Luther King and others were able to step right in and be considered once again within the political center I think what's interesting about this the NSA stuff is it from a conspiracy perspective it changes what our Overton window is right so this was like a year ago my Overton window I knew that the US 
government was making malware and using against adversaries I have no moral problem with that I'm just going to say it I have no moral problem with Stuxnet if you're the president of the United States and they come to you and they say sir you can either choose to drop a bunch of bombs and our damage assessment says that we'll probably kill 10 people and half of them are going to be children or we can use a virus and sneak it in on the iPod like obviously the moral choice there is the virus on the iPod where it gets difficult is then what do you do after that to make sure that other people are protected from those bugs and then also how far do you go it's one thing to do like a nuclear facility at the Iranian government now it's like the agricultural department the Iranian government now it's the agricultural department of France and now it's American citizens so obviously there's a continuum there we have to be careful of but I always knew they were doing that I didn't think that was a big deal clearly well knew there was widespread sniffing of overseas traffic the fact that every fiber optic cable like either the you know the Greek and Filipino captains of those ships moving through there have really been drinking too much uzo and whatever the Filipino drink of choices or maybe that's a great way to cover for some Marines tapping fiber optic cables that somewhere you drag it you cut it there and while that thing's cut that you're doing the tap over there and they repair it and we're all good and now we're able to get all the traffic moving in and out of Saudi Arabia or Iran right so you know I always knew that kind of stuff was happening maybe there's some malware going on against citizens you know maybe every once in a while mobile devices are used and turned against it people there's a slight possibility of there being crazy crypto breakthroughs and then I think all of us living through this that Overton window expands because we know for a fact the stuff in the 
center is happening and then we know for a fact things like widespread US sniffing happens so it expands our entire window of what we think is a possible something that we'll even discuss in open like I am now willing to discuss the possibility that the NSA has knows how to break Diffie Hellman because they have a polynomial time solution for the discrete log problem across the general integer field that's something that a couple years ago I'd be like that's crazy and now you know what I gave a talk about it at Black Hat so obviously it's within my Overton window you know still there's some things I'm not there yet right but if it turns out we go another 10 years and Bono still does not age then we're gonna have to redo this slide so what do you make of all these changes well it is an exciting time to be in our industry but those exciting times means I think we have to make much more intelligent and thoughtful decisions about how we act okay so some ethical frameworks for this how do we make sense of the things that happen so we are born with only very basic moral and ethical frameworks and I'm not gonna get a discussion of morality versus ethics I was an electrical engineering major any philosophers here are willing to take up the discussion outside without me participating I'm kind of using them incorrectly together but you know we're born with only the most basic understanding of what right and wrong is and obviously even that basic understanding can be overridden by things we learn later as every atrocity in the 21st century attests to right is that you can make humans do anything if they think in the big picture they're doing something right I was only following orders being the phrase that you'll hear over and over again we make decisions based upon frameworks that are given to us by our parents by our society by our family by our friends and if you want to make informed decisions then it's really important for you to think about where these come from why do 
I feel this way and do I choose to continue to use this framework or am I just going to leave it behind and try to find something else so some frameworks that are pretty common patriotism and nationalism again two words that don't exactly mean the same thing but you can find 40,000 word treaties debating on which means which so I'm not going to apologize I'm an American I'm proud to be an American I'm the grandson of immigrants who worked very hard to get to this country from really shitty conditions like kind of ridiculous I'm raising sheep on the side of a mountain and there's no running water kind of conditions right and you know my great-grandfather came here and he was a throthial stomatopolis and then he went through Ellis Island and they're like uh you're now Charles Stamos and he's like I love America right and you know and that when you come from an immigrant family the rest of you who understand that because you know he busted his ass and starved on the ship for six months so he could come here and do something great and that's why I had like a grandfather who dropped out of school in fifth grade came here the U.S. Army took him because there's World War II and they're taking anybody they're like oh you don't speak English great we'll work on that right and you know learns English in the army and then the G.I. 
Bill pays for him to do election engineering classes and he dies as the manager of a huge engineering team and that's like something that's pretty special for our country so I want to be proud of my country but what does that mean right which of these is the United States is it the dirt we live on well obviously the dirt that comprises the United States has changed all the time since 1776 and the ideas have not and you know I don't think the United States is going to be massively different if Puerto Rico finally gets statehood in the next couple of years well these people work for us I have no loyalty to them their loyalty is to me as a citizen I don't think we have any loyalty to the people who are in power I think it's really stupid to put the president's face up on the wall at the post office like he should have our faces on his wall that's how that works is it the citizenry well I think I am proud of fellow Americans but our pride is a little funny because if you live in Europe you live in Japan that means you're proud of a continuous people that have existed for thousands of years and America when you're proud of Americans you're talking about like how many people here became Americans in the last year right you guys are just as American as I am and I'm proud of you guys too right so obviously you know saying that you're proud of the citizenry is a difficult one and I kind of figured it out I'm actually proud of the idea the idea of limited government the idea that if you read the Federalist Papers you realize the founders weren't actually crazy anti-government people what they realize is that good people when put into systems that give them power and perhaps warped incentives that they started to act against the interests of the people and that's why we created a government with three parts fighting each other because they understand that human beings even the best human beings are fallible I think the guys who are doing all this crap in the US government 
right now are bad people so I got dinner with General Alexander a couple nights ago or the night before his big talk at Black Hat I didn't know I was going to go but I got invited to this thing which is a lot of fun because one of the memories I'll take to my death bed will be Jennifer Granik grilling him for three hours like over a very nice blackened cod and then watching Jennifer take it to him was really enjoyable right but you know so General Alexander right he said this a little bit in public but in private a big part of his thing was I really want to defend the Constitution but where he's coming from is he's been to Sarajevo during the Yugoslavian war and stuff and he says don't overestimate how much cohesion there is in any society any society can fall apart very quickly and then he also says our country went crazy after 9-11 what do we if that happens again if an equivalent attack happens again then you just kiss the whole bill of rights goodbye which may or may not be historically accurate but it's the kind of thinking that he feels he's the good guy he feels he's doing the right thing and that he has the same goals as all of us he just has a framing that allows him to do almost anything up to right like if you're framing if you're framing is a next terrorist attack is going to destroy the Constitution in the United States then you will do almost anything to get there and so that's why I think it's really important you he said over and over again my oath is to the Constitution of the United States and I think this is not an illegitimate framing to make your moral decisions in that the scope of patriotism or nationalism but it should be in the scope of the idea that you like not in the scope of the people or the government which are made up of fallible people who make mistakes another way you kind of think about this is the nation state is not the only group you own responsibility to right we have this whole hierarchy of people who rely upon us for stuff 
so at the core of that, for me personally, is family. So I've got three kids. I chose, with my wife, to bring them into this world; they didn't choose that. I have a responsibility for them until they die. I mean, that responsibility drops off a little bit when they turn 18 and I get to kick them out, but I still have, like, a long-term responsibility for the kids that I brought into the world. And who here is a parent? Let's see. And I think everybody understands that it's the kind of thing that you hear about when you're 23 and you're like, oh, fuck you, you fucking old person, right? But then you live through it and you understand that's, like, your core responsibility, and that's something that has to underlie a lot of your decisions. And so in the short term that means there are certain decisions you can't make. Ed Snowden would not have done what he had done if he had kids, I guarantee it. That's why I can't do what Ed Snowden did, ever, because I have a responsibility to my family that overrides any other thing that would happen. And unfortunately, this responsibility to your family is how a lot of totalitarian societies have turned people into soulless monsters, but that's biology; that's what we have to live with. Then you have a responsibility to your friends, your colleagues. Colleagues I haven't blended up here: the colleagues that you just happen to work with versus the employees you hire. When you hire somebody, you're making implicit and explicit promises to them, like, hey, I'm going to pay you every month or twice a month, and also I'm not going to ask you to do crazy things. I offered you a job that obviously was in your moral framework, and I'm not going to massively renegotiate that later. That's something we have to really think about. Those of you here who either currently own or who want to be small business owners, you know, when you're at the point where you're telling people, yeah, this is your job, and then you go through a rough time and you're like, holy shit, we
might not make payroll, and you realize there might be 20, 30, 40, 50 people who might not make their rent checks, it really changes your opinion of what you need to do for those folks. You might feel some obligation to your employer. That's obviously the kind of thing that was different in our grandfathers' time (I'm not going to say grandmothers, because most of them didn't have corporate jobs): you know, you go and you work, you spend 50 years, you get the gold watch. That has changed a little bit. You have the idea of tribes, that people have responsibility to tribes that have existed much longer than the nation states that the British just happened to draw around them. Our society, or our civilization: there's a sci-fi author who likes to say he's proud to be part of a civilization, that he's proud to be part of Western civilization, which is an interesting little argument. Our nation, and then our species. There's all kinds of ways that this is not a standard... this is not a hierarchy that always exists, clearly. You know, if you think this is a dangerous person and you turn them in, your responsibility to your society overrode your responsibility to your friend. Although I don't know a lot of people who turn in their kids no matter what happened. Like, how many parents here would turn their kid in if they did anything bad? Almost nobody. You did? Are you Robert Morris?
Morris Senior has passed away, so I thought he wouldn't be here, but that would be a good example. I haven't really talked about this as an industry, but there might be the idea that we have universal moral obligations. Medicine has this. There's traditionally Hippocrates and the Hippocratic Oath. Doctors don't take that anymore; they take this thing called the Oath of Lasagna, which, I know it's funny, but literally a guy named Louis Lasagna wrote this new oath, like, in the 60s, and I recommend you read it if you're interested in this area. And the reason medicine has this is that medicine was the original kind of scientific priesthood. These are the people that made it up: there's a scientific priest who used observation and knowledge to make people better, and that put them in a super powerful spot in society, and so doctors decided 4,000 years ago that that gave them some kind of responsibility. We are the technological priesthood of the 21st century, perhaps of the 3rd millennium. Everybody here has fixed their family's computers; every time you do that it reminds you of the incredible complexity of the world that underlies activities that the vast majority of people do not understand and we do, and so maybe that gives us moral obligations just like doctors have always had. So some options for that would be the idea that all people deserve for their technology to be trustworthy, and this means all people. This would be the equivalent of doctors and the Geneva Conventions: if you go into a military hospital and you're a combatant, you are supposed to be treated just as well as somebody on the friendly side, and that's something that's drilled into military doctors. They will risk their lives to save the lives of people who their co-workers just shot, and so that's, like, how deep it is in the military world. Obviously we don't have that kind of thing in technology, but maybe we do need to have that. The idea that the internet needs to be a tool of liberation versus
oppression. Now, this one's dangerous, because there's a lot of people that think, I want to be liberated from the oppression of pornography, so therefore we should filter the entire internet and we save all of the children from the porn. So you can define the word liberation in ways that could be very oppressive itself. Or just the idea of first do no harm: that if you're making any specific decision, even if you can't make things better, at least you're not going to make things worse. So if you start to go down the idea of universal ethics, you always end up in this weird slippery slope argument, which was best argued by a guy named Peter Singer in 1971 in this famous paper: "neither our distance from a preventable evil nor the number of other people who, in respect to that evil, are in the same situation as we are, lessens our obligation to mitigate or prevent that evil." So basically saying the two biggest excuses you have for not doing something, right, which are "somebody else's job" or "that's far away, I don't know that person," or it's physically far away, are bullshit excuses. And he was making this argument specifically for world hunger. He was basically saying, who here likes it that there are children who are dying, who are hungry? Nobody, right? Everybody wants every child to have food; therefore if you don't take every dollar above what is required to feed your own children and send it to those children, then you are morally repugnant. You know, you have fallen short of what you could possibly do. Now, that's a pretty crazy argument. If everybody did this, society would fall apart as we all send money to each other and nobody had any kind of... there would be no idea of a consumer. But it's the kind of thing you guys think about when you think about other kinds of ethics that people have gone to. It's this idea that you can aim for, but it's something to think about. And then another reason people do things is for personal legacy. Some people say, I'm reducing human suffering, I'm creating general
economic benefits. So, you know, a lot of people laughed when the Goldman Sachs guy said we're doing God's work, which I thought was funny too, but I think he honestly believes it. One of the great things of the last 30 years has been billions of people rising out of poverty in Asia, and that's not because of us shipping them bags of rice with an American flag on it. We self-organize, mostly into corporations, to then sell goods and services that the rest of the world wanted to buy. And so you can make an argument that the guy who started Tata Motors is one of the great humanitarians in the world. I'm sure he treats his people horribly and there's all kinds of bad things about Tata, but he also took millions of people who worked out in the fields and were on subsistence wages and gave them reasonably good jobs. So that's an argument some people have. Making your own family wealthy. Civil engineers, they love the idea of building something that will last for hundreds of years, so that even when they're gone their work lives on. And then not being forgotten, so that's building a bridge and then putting your name on it, right?
So something to always think about, though: if you have the ability to sit down and think about these things when you pick a job, then that means you are rich and lucky, because the vast majority of the world just has to do whatever they can do to feed everybody who they're trying to feed in their family and their friends. But while we talk about these ethics, it's only because we have the ability to pick and choose our jobs and our careers that we can do so. So here we're going to get to the interactive fun part of it. So the way I'm going to do this is I'm going to pop up some ethical conundrums, and then there's going to be a multiple choice. So I'm going to read the conundrum and the multiple choice answers. Please don't say anything or hoot or holler or whatever; you can laugh if it's funny. I'm going to poll the audience to vote, and raise your hand on the one that you would honestly do. And this is supposed to be a safe space, so let's not judge each other. I think we really want to see what this group would do in each of these situations, because it would be really easy for us to groupthink this and go, like, the hardest-core crypto-anarchist side, but in reality that's obviously not true, because a lot of people in here... if everybody in here reacted that way, then the infosec community wouldn't be in the problem. Okay, who here played Ultima IV? Yeah, old people. Whoa. Yeah, 1985, the first video game that basically had a morality system, and the way you generated your character was it would ask you these questions and then you'd make a decision and then your character would come out of it. The first time you did it, you actually answered them, and then you got your Computer Gaming World and you figured out the cheat sheet of how to build the best character by answering it. So that's kind of what we're doing here. Okay, so the first question. This is the easy one, this is the warm-up question. You find a critical remote exploit in a very widespread product. What do you do?
A, do you publicly announce the flaw immediately? This is the full disclosure answer. B, you wait and build a Black Hat talk around it. C, you perform responsible disclosure and you give deadlines, what you consider reasonable deadlines, to the manufacturer to fix it. D, do you use it to basically blackmail the vendor to sell them consulting? You're laughing; this happens all the time. E, you weaponize it and you sell it, either directly to your government or to somebody who you know is going to give it to your government. F, you weaponize it and you sell it to somebody, and God knows where it's going to go after that, but that makes you more money than, say, E. Or G, you use it yourself for fun or profit. So who here would do A, publicly announce? Who's a full disclosure person? Wow, only two full disclosure people. B, build a Black Hat talk? Okay, excellent. C, perform responsible disclosure with deadlines? Wow, awesome. D? Okay, excellent, I know who you are. E, you weaponize it and sell it to your government? Okay. F, weaponize it and just sell it? Yeah, okay. And G, use it yourself? Oh, decent number of people. Okay, that's fine. So it seems that we're still a responsible disclosure crowd. That's interesting; that's my answer too. I'm a C guy. Okay, next question. Your job is to perform incident response. You successfully uncover a legitimate breach, like an actual break-in, not some stupid little violation, and then figure out who the attacker is. You either work for this company full-time or as a contractor; doesn't really matter. You write a report, you give that report to the bosses, the bosses give it to the US Attorney, and all of a sudden you find out later that they're pushing for extreme penalties. I'm not going to define what that is to you, whatever they're pushing for, for this person. Do you, A, say, well, you know what, I'm just going to do my job, I'm going to assist the prosecution, whatever they ask; it's not my... there is an adversarial process here that's supposed to save this person. B, you do nothing; you try to stay out of it as much
as possible; you've done your part. C, you gently work on the inside to try to get it reduced, but you don't do anything past that. D, you outright say, I'm not going to participate, you cannot put me on the stand, do not call me again. E, you call up the defense and you volunteer to testify; this may or may not be legal within your jurisdiction, you can ask Kurt. F, you publicly take a stand: you violate your NDA and possibly a court order. What are those called? Protective order, that protects the data. Whenever you do expert witness stuff, a federal judge gives you an order that you agree to, so you end up saying, fuck you, federal judge, I'm going to take a public stand. So, A? Who would... yeah, that's going to be a hard one. Good, bravery, one person. B, do nothing, you did your job? Okay, that's a reasonable one. C, gently work from the inside but don't go past that? Okay, I think that's the largest so far. D, outright refuse to participate? E, volunteer to the defense? And then F, go nuclear on Twitter? Okay. So I think it was C or D in both situations. That's actually where I am personally, somewhere between C and D. In my little bit of legal experience, pissing off a federal judge is a world of hurt that you don't want to enter, and again, I'm not going to put my kids through that. Volunteering and testifying for the defense, again, is probably illegal in a lot of situations. So I'd probably do what you guys said. Good. You were approached by a member of your state in a friendly manner, so they're just like, hey, how are you doing? They say they want to chat about some kind of technical issue. You don't think you've done anything wrong. This is an investigation? To you, this is just a friendly chat that they want to have. Do you, A, say, yeah, sure, let's go grab a beer? B, say, oh, I'm really busy this week, I'll totally call you back, and then do the girl thing and slip them the wrong number? C, say, oh, feel free to send me those questions and I'll answer them by email, or we can set up a time in my
office with my attorneys present. So, A, who would do A, take the meeting? Oh, decent number of people, probably about a quarter of the room. B, politely try to get out of it? More than a few women; I understand that. Okay. C? D and E? Let's hear your reasoning, sir. Let's hear it. No. So here's one I have to admit I did: A, last year. These people from the NSA said, hey, can we grab a beer, we'd love to talk to you about your stuff, what you're doing and your standards and this and all this, and I sat and I bought them beers and we sat by the pool at Caesars for two hours and talked, and nothing bad happened. But this year, no. This year I'd be a C, I think, like a lot of you. Now, I don't think we should isolate ourselves. I don't think we need to be "we'll never talk to feds, I'll never talk to anybody from the government," because that kind of isolation takes away our power to influence them. Again, they work for us; we don't work for them. So we should not isolate ourselves. But I think, especially as, like, Martha Stewart learned, you know, sitting with somebody who works for the federal government means that the tiniest little mistake could be considered a federal felony. And so I don't think we're at the point where any of us can interact with, at least, the United States government in any way without attorneys present. It's just not safe. Okay, we'll do this a little more quickly. You work for a respected cloud company. In the course of your duties you find a software hard-coded data collection mechanism, basically a backdoor. You bring it up to your boss; the boss tells you, drop it, I'm not giving you any more information. Do you drop it, escalate within the company, quietly look for a new job, publicly quit, or pull out the Guy Fawkes mask? So A, who would just drop it? Okay. B? C, who would quietly quit? D, publicly quit? And E? Okay, yeah. I mean, this one I'm probably between C and D, depending on what I think the enforceability of the NDA is, whether there's any criminal penalties. Feel the same way. You work for a
well-respected PKI company. Your boss hands you an order to turn over cryptographic keys, from the government. Under the current legal frameworks of that government the order is considered legal and you have no recourse. Do you, A, comply and just forget it, drinking yourself into oblivion? B, refuse to comply and stay silent: say, you know, I'm not going to do it, you have to find somebody else to do it, but then do nothing else. C, quietly look for a new job, perhaps after B. D, publicly quit and then protest, talk publicly and risk prosecution. Or E: I would be happy to do that, sir, but due to the combination of us using the hardware security module, separation of duties between me and somebody within a different legal jurisdiction, and our implementation of Certificate Transparency, me doing this will have ramifications that I don't think you'll like. Please decide whether or not you would like me to proceed, now that I have informed you that it will almost certainly demonstrate to the world that you asked me for this. So obviously I'm telling you E is the right way to do it. It requires forethought, right? And so that's why I brought this one up: you can't do E at the last second, right? Like, if there's a backup key on a USB disk sitting in front of you, you can't pull this. This is what I'm personally doing for E. I'm building a service that has to be trusted by people around the world, and so we will be... I am backing myself into a corner that I cannot get out of, and I will leave it up to any law enforcement that wants to come to me to force me to do anything to decide which poison they want: either violate transparency by not having it in there, or put it into Certificate Transparency and the whole world knows where it was coming from. Don't clap for that. It's just... You work for a security hardware company. You work on a product that has legitimate uses, like, like an IDS, but you find out that countries are using it to spy on their citizens. Do you, A, do nothing? B, start an
internal campaign to try to change the company selling it to these folks? C, work to make future versions of the product less dual-use? D, quietly look for a new job? E, publicly quit and protest, perhaps violating the NDA? So A, who would do nothing? That's a reasonable thing. That's like, if you're a gun manufacturer you think the same way: I build a gun, the gun is not a moral object, people use it in a good or bad way, that's not under my control. B, who would try to change the corporate culture? Yeah, that's a reasonable thing. Good luck; it won't happen. C, work to make it less dual-use from a technical perspective? Yeah. D, quietly quit? And then E, once again, go nuclear? Yeah. So this is a tough one, and this is something that people who work for, we'll just call them green jacket, face every day, apparently. So we don't have time for every other good one, so what I'm going to do, just to talk about... So what I'd like you guys to do, you don't have to do anything, I have no moral authority here, but this is what I think would be a good thing for you to do. Try to live an examined life in the infosec community. Think about what you want to do now; don't get caught being asked to do something when it's really easy to say yes, when you're in the room and you're under a lot of pressure. Teach others from your own experience; again, the people with grey ponytails here have lots of good stories about this. Teach the younger people who you know are just getting started in their careers about how to make these decisions ethically. Be honest and open with yourself, and think about your moral mystery, reach them. And so something you can do right now is, there is a letter supporting reform of the Computer... uh, God, who else? I'm blanking. Ari Swartz, I'm sorry; Cory Doctorow, Ari, Ed Felten, Avi Rubin, yeah, lots and lots of people, security researchers in academia and in the public world, the private world, have signed this. You don't have to sign it on behalf of your employer; this is just for you.
If you'd like to get on this open letter before it goes public, before any of the hoi polloi can sign it, there are folks up here from the EFF, and sign. So we're out of time. So if you guys want to chat at all, I'll be in the hallway. Thank you very much for listening. Thank you.