Wednesday, February 15, 2017

DEF CON 21 - James Denaro - How to Disclose or Sell an Exploit





##########################################
So what I'll be talking about today is how to disclose or sell an exploit without getting in trouble. I'm Jim Denaro. I'm an intellectual property attorney based in Washington, DC, and I focus my work mostly on information security technologies. Before I went on to law school I used to spend far too much time just tweaking around on my Mac and my PC ... So, because I'm an attorney, and this does have some legal component to it, although this isn't a law talk, I really have to give the standard disclaimer that this presentation is not legal advice about your specific situation or your specific questions. Even if you ask me a question, we're still talking about hypotheticals. If we had an attorney-client relationship, then we'd be talking about your specific problem and giving specific legal advice. So this presentation does not create an attorney-client relationship.

So, as a quick overview of what we're trying to accomplish here in the next 20 minutes, and I'll go quickly to make sure we get it all in, we're going to cover: the types of risks that researchers are facing; some risk mitigation strategies that researchers can take to try to reduce those risks; some options for disclosing a vulnerability that may have less risk; and then some of the risks that are associated with selling an exploit. The overall goal in all of this is to make yourself a harder target. If someone ever asks you, well, can I be sued if I do this, or if this happens, the answer is always yes. Okay? You can always be sued by anybody for anything, anytime. The only question is who's going to win, and the goal is to make it more likely that you will win, which disincentivizes someone from actually suing you in the first place.
So let's start out with just some examples of the kinds of research activities that might get somebody in trouble. For example, and these are generally real-life cases: you found out how to see other people's utility bills by changing the HTTP query string. I talked to someone at a party the other night who had done exactly that, and he was wondering what to do about it. You discover your neighbor's wifi is not protected; how did you find that out? ... You bypass the protection on some media. Then, scaling up to the more serious, now there's actual money at stake: maybe you figured out how to get remote access to ... that sounds like you might make a lot of money ... Surprisingly enough, whether you're just looking at changing your HTTP strings or you're actually taking apart a DVD ... So in general we're talking about techniques that run the whole gamut, everything from denial of service attacks ... to some things that are just, you know, more of a sort of investigatory web browsing.
Okay, first, what is the risk to a security researcher? There are three general areas where we see the risk show up. One, there could be a threat of legal action before you go to a conference to make this disclosure; there are some examples listed here. Two, there could be a legal action seeking an injunction barring you from disclosing something before a conference, anywhere from merely saber-rattling to an actual lawsuit being filed. And then there's the possibility of a legal action being initiated against you after you made the disclosure. And these are all real examples. Declan McCullagh over at CNET and his colleagues have printed some very interesting articles that go into more detail on these cases; I recommend them to you ... and some of these seem to be coming out of DEF CON on a pretty regular basis.
So that's what can happen. Your number one concern specifically is going to be the Computer Fraud and Abuse Act. You've probably heard a lot about that lately, perhaps here and at other conferences. The main issue is that it prohibits access without authorization, or exceeding authorized access. There are two times when you're likely to run into possibly exceeding authorized access or acting without authorization. One would be in the investigatory phase, working on whatever technique it is ... and then when you actually create a tool that performs whatever this technique is, you might actually have a problem with a tool that does the act that is prohibited. So, you know, everyone's talked so much about how big this notion of the Computer Fraud and Abuse Act is ... I've created a handy checklist to figure out if and when you may have a Computer Fraud and Abuse Act problem.
So: first, are you connected to the Internet? Probably. Are you accessing a remote system? Probably. Do you have permission to access the system? This is the real hard question. It's really hard to know if you have permission. If you saw a banner go by that said you don't have access, you probably don't have access. There are borderline cases where it is not so clear, and this is really where you have the Auernheimer situation, where he's querying the system on a repeated basis ... he didn't ask permission; it was a public website, after all. So there is a real risk in figuring out whether or not you have permission, but that's really all it takes. Unfortunately, it's not just about what you do.
The Computer Fraud and Abuse Act is also about what your friends do. The risk of being caught up in a conspiracy to violate the Computer Fraud and Abuse Act is most certainly enhanced by the prevalence of social media today. So if you're on Twitter or some other very easy to use social media platform and you're talking to your friends about how you might do something, you're answering questions about how you might do a certain thing with the tool that you developed, you're starting to head down the road of conspiracy. Now, conspiracy typically does require an overt act in order to really be a conspiracy, and typically just discussing something with someone is not enough, but if you start providing technical support for something that someone else is doing, then you're definitely increasing the risk of being caught up in a conspiracy to violate the Computer Fraud and Abuse Act, if not actually violating it yourself. So we've got some examples here of how the Computer Fraud and Abuse Act has been applied.
I think it's helpful to look at some examples, because that's how we see how it is being applied, and we can compare what we're doing to some other things that have happened in the past to other people and see how close those comparisons are. And since we're in Las Vegas we absolutely have to talk about the case of Nestor. Nestor was really into video poker; he liked to play, and he played a lot, and he got really good at it. He discovered a bug in the video poker software that enabled him to play one type of game, bet a bunch of money into the game, and then switch to a different game, and a multiplier would be applied to his bet. So when he won he got this enormous payout, and he figured out how to reproduce this bug very efficiently, so he was doing it and his friends were doing it and they were getting a lot of money. And eventually, as these stories always end, he gets caught, and he was charged with, amongst other frauds, violating the Computer Fraud and Abuse Act. And as we just looked into the Computer Fraud and Abuse Act a few moments ago, we saw it's really mostly about unauthorized access or exceeding authorized access. It is hard to imagine how, sitting there in a casino, where he didn't take the game apart, just putting money in and pushing the buttons on the surface of the machine, how you can exceed authorized access to a video poker machine. It is absolutely mind-boggling. But nonetheless those charges were levied against him. Ultimately the Department of Justice did not pursue those charges; the charges were dropped and they went ahead with other fraud charges. But nonetheless, for some period of time he was facing Computer Fraud and Abuse Act charges for doing exactly that.
It's also worth looking at the tragic case of Aaron Swartz, who spoofed his MAC address to download journal articles; that was a Computer Fraud and Abuse Act crime. And Auernheimer, who allegedly conspired to run an automated script to pull in identifiers for iPads and email addresses; he himself is now serving several years in federal prison for that. Also worth noting is that the Department of Justice has said, in their manual on the Computer Fraud and Abuse Act, that conspiracy to hack a honeypot can violate the Computer Fraud and Abuse Act. There's really no end to the sorts of things that could possibly violate the Computer Fraud and Abuse Act. So you're looking at a situation where the Computer Fraud and Abuse Act almost acts as an ex post facto law, where the Department of Justice is able to look at what you did after the fact, and if they don't like it, or they don't like you for whatever reason, you may be a trollish person for some reason, you are more likely to be on the wrong end of a Computer Fraud and Abuse Act prosecution. There's also a civil cause of action provided by the Computer Fraud and Abuse Act, so the company, whoever the target of the exploit is, can also pursue whoever accessed the system without authorization. So the question is: is there anything we can do to try to reduce the chances of being on the wrong end of such a lawsuit?
Well, we won't go too far into the statute; this is not a continuing legal education conference. But let's just look at this: one part of the statute says "whoever, having knowingly accessed a computer without authorization", and another part says "whoever intentionally accesses a computer without authorization". So one of the things you can do is to try to avoid unintentionally creating knowledge or intent. It's a little bit hard to do this for yourself: if you intend to do something, obviously you can avoid doing it. But as to other people, for example, I would suggest you do not provide information about how to use a certain kind of technique to someone who you know, or have reason to know, is likely to use it illegally. Be careful in providing technical support ... if I were your lawyer I would advise you not to ... when someone asks you about how to make something more effective, perhaps.

This slide has a little more detail on some more approaches that you may take. Don't provide information directly to individuals, especially if you're not sure who they are or what they might be up to; consider just posting things on a website and linking to it. Do not post information to forums where users ... or forums that are known to generally promote illegal activity. If you publish it on your own website or you have control of the post, consider disabling comments, so you don't have a situation where people are discussing potentially illegal uses of your technique. And lastly, maintain logs. So, one of the things we've seen happen ... that's enough for the Computer Fraud and Abuse Act for now.
There's not a whole lot you can really do about it beyond just being careful. So let's move on to the temporary restraining order. This is particularly timely, actually; you may have read the story about the VW Group and the Megamos ... encryption that was used on the vehicle immobilizer. Some European security researchers figured out ... they discovered a flaw in the encryption that was used on the vehicle immobilizer that's used in VW Group cars like Porsche, Audi, and so on, and they were going to present this at the USENIX conference in Washington, DC in a few weeks. And they found themselves slapped with a temporary restraining order preventing them from making this disclosure at the conference. So how did this happen, and how do we prevent this from happening again? We've seen this here at DEF CON: talks have been blocked by temporary restraining orders. So let's look at the factors that the courts look at when deciding whether or not to grant a temporary restraining order to prevent a researcher from disclosing information about a vulnerability. Number one: will the requester, in this case it would be the VW Group, suffer irreparable harm if the TRO is not issued?
... It's really hard to get accepted as a speaker at DEF CON ... one more order of business: we've got a new person, first time speaking at DEF CON ... on stage ... we'll pick up where we left off ... thank you. So, that's great, thank you.
So, we were considering the factors that the courts are going to look at when deciding whether or not to grant a temporary restraining order to someone like the VW Group trying to stop a presentation from happening at USENIX. Will the requester, the VW Group, suffer irreparable harm if the TRO is not issued? Pretty easy to imagine: you've got an embedded system, somebody's figured out how to break it, it's going to be almost impossible for them to update it ... usually expensive ... Irreparable harm basically means that money isn't going to fix it very easily. So that factor is in their favor. Will there be even greater harm to the researcher if the TRO is issued? What, your paper got delayed? You couldn't put in some ... It's hard to see that as a huge harm to the researcher; I feel really bad about that ... and then there's the money the VW Group is going to have to pay ... I mean, it's not really going to be too good for further research. And then there's the public interest; this is kind of a fun one, because we might think that, well, the public interest clearly lies in disclosing the vulnerability. Of course, it's probably going to go the other way: the court is going to say that it's too risky; there are, you know, Porsches and Bentleys and things being stolen, and that is much greater, much more in the public interest, than having a few hours of your talk go forward. And the last factor is the likelihood that the requester will ultimately prevail.

And this is really the one we need to focus on, because VW has to have a cause of action. They can't just say we don't like it; they have to say here's why you need to stop, and it's because you did something that was illegal. In the VW Group case, the Megamos case, and also in the ISS and Cisco disclosure, what we had was the use of copyrighted material, and that's really why they were able to get the TRO. So the obvious advice, and it's easy to follow, would be: if you include source code or object code from whatever it is you're working on, then that gives leverage to whoever it is that wants to stop you from disclosing it. There is a fair use exception, and if you use little bits and pieces of code that is likely to be fair use, but you can't just assume that it is going to be fair use. It depends on how much you use and on other factors that are very specific to what is actually going on in your case.
So just try to avoid it if you can, in every possible way. Also, avoid dubious sources for where you're getting this stuff. In the Megamos case the court actually talked about the fact that the researchers obtained some information about how the Megamos system works through some ... I don't recall exactly where they obtained it, but it was some sort of BitTorrent, P2P-type thing where they got it; it wasn't from the VW Group or Megamos. So another thing you want to do is be aware of pre-existing contractual relationships that you as a security researcher might have with the target of whatever it is you're working on. These contractual agreements could come in the form of a terms of service, end user license agreements, non-disclosure agreements, or employment agreements. So an end user license agreement might very well have provisions in it that prohibit reverse engineering the software, for example, and that's something that you might well be doing as part of your exploration into your technique, and that could give leverage to someone to try to stop you ... nothing's for certain, but it's an argument they have. There's not so much you can do about it; I mean, pretty much every piece of software you get is going to have some kind of license agreement, so if you legitimately acquired it you agreed to this license, which means you can't do certain things with the software, and there's not a whole lot you can do about that. But you need to be aware of the risk, if nothing else.

So how far you need to go in mitigating risk depends on the techniques that you used in your research. If you've done things that are extremely ... that look like some of the examples where, you know, people have done them and are doing prison time, that's something you need to be careful about, and maybe take more aggressive mitigation techniques in order to perhaps hide some information about what you're doing. So for example, in the Megamos case, if no one had identified that it was the VW Group whose system was compromised, the VW Group would not have been able to go after the researchers and get a temporary restraining order. So perhaps there's an opportunity here for the conference-going community to create a track where you could present things that are sort of a little less ... and we all recognize that this is something that had to be kept quiet: it's really confidential disclosure; trust the review board; this is going to be really cool, but we just can't really tell you now what it is, because then you'll get the hearings. So maybe that's one approach. So I'd like to talk about some other ways that you might make a disclosure
that are relatively less likely to get you in trouble. You can obviously disclose to the responsible party; that's what we like to do; that's what the responsible disclosure paradigm is all about: you found a problem in the system, you tell the entity running the system. This is actually, unfortunately, relatively high risk, and the risk scales with the questionableness of the techniques that you used to find out about this vulnerability. So if you're connected to the Internet, accessing a remote system, and you never had permission, it may not be a great idea to go tell them about it, because they may decide to sue you. If you're inconvenient, that's a problem for you. You might think you're doing them a favor; they may not agree that you're doing them a favor. If you're able to submit it anonymously to the responsible party, that's great, but depending on your technique, I suppose, you might think you're anonymous but you're not as anonymous as you thought you were, or hoped you were. So that's a risk in itself that you need to consider. If you submit to a bug bounty, presumably they've invited it; maybe that is somewhat less risk. You can disclose to a government authority, perhaps; maybe you don't really believe it'll ever get to the vendor. But again, if your techniques were perhaps questionable, you might not necessarily want to be submitting to a government authority; you may have an interest in keeping your identity anonymous, and you can try to submit anonymously to the government, but I don't know how much we can really trust that anymore, unfortunately.

You know, this is a legal talk, and in a legal talk you almost never get someone to tell you something for sure, like absolutely 100 percent you will not get in trouble if you do this. But fortunately I have one for you here: there is one group of people who really don't have to worry about getting sued under the Computer Fraud and Abuse Act when they disclose a vulnerability, and it's okay to disclose if you're one of these people, although you really should not have been hacking that computer ... So with that in mind, we see that we might be able to leverage opportunities for security researchers to make disclosures while keeping the risk as low as possible.
So I've been working on creating a pilot program where the attorney-client privilege can be leveraged to hide the identity, and the techniques, used by a security researcher in making the disclosure. So the concept works like this: the researcher would disclose a vulnerability to a trusted third party, which would be an attorney, only to the attorney. This is critical: it has to be a completely confidential disclosure, to maintain the attorney-client confidentiality of the disclosure, so that other entities on the outside can't get to it. The trusted third party does not publish the vulnerability. However, the trusted third party does disclose the vulnerability to the affected party, whoever has this vulnerability. The researcher remains anonymous during the entire process. This is possibly abusable, and there is no perfect option ... And there are some side effects, chiefly that the researcher remains anonymous and doesn't get public credit for whatever the research was, but it is one possible way for the researcher to be able to disclose and remain about as anonymous as one can possibly get. So this is a pilot program we're currently working on; it's sort of getting kicked around right now, so if anyone's interested in talking to us further about this, we definitely welcome your input; come see me afterwards.
But we should now turn to selling, very quickly. Right now there is no law in the US that prohibits selling an exploit. That situation is probably likely to change in the not too distant future, but for now there is really not too much to worry about. Unless, of course, going back to the earlier slides: if the techniques you used in developing your exploit had some problems, then you still have a problem. But the fact of the sale itself is not something that's going to get you in trouble.

However, there's still a lot of focus on this market now, and here are some recent articles from May 2013: "zero-day traders, Washington experts worried", and "... the US Senate wants to control" ... this stuff is dangerous, and it's sold. Every year Congress has to pass a National Defense Authorization Act; it sets the budget for DOD and includes much other stuff that gets stuck in there. This year, for 2014, the Senate version has been passed, but it's still in, you know, in Congress. The Senate version has provisions that seek to begin the process of regulating the sale of exploits ... the House version is still ... but I think this is where it's headed. The language is: "the President shall establish a process for developing policy to control the proliferation of cyber weapons through a whole series of possible actions: export controls, law enforcement, financial, diplomatic engagement," and so on. The Senate Armed Services Committee, when it had the bill before it was passed to the Senate, had a commentary on this, and they referred to dangerous software, a global black market, a grey market; it's really bad. And then they said we need to have a carve-out for dual-use software and pen testing tools. In Europe,
the European Parliament recently passed a directive. This prohibits, you know, the sale of tools that are basically exploits. It will be required to be enacted by all the member states in short order, and it prohibits the production, sale, procurement for use, import, and distribution of tools that are used to commit the enumerated offenses, which are pretty much all the bad things you can think of doing with a computer. However, there's an exception, a very important exception, for tools that are created for legitimate purposes, such as to test the reliability of systems. And further, they said there needs to be ... you need to show a direct intent that it will be used to commit one of the offenses. So in both cases, US and Europe, as far as the law goes, this is really going to be definitional: how do we define what an exploit is, and how do we make sure that legitimate tools are still going to be able to be sold?

So this is kind of prospective; we don't know what the laws are going to look like. But I would suggest something like this: think about dual-use tools. I mean, if you write something and you're putting it together as the next greatest exploit, you're creating a pen testing tool. You've seen this going on for a long time if you look at software; I'm sure you've all used, back in the day, Copy II Plus or Locksmith, your backup software, and the manuals for the software said, with disclaimers, this is really being used to back up your floppies; this is not being used to make illegal copies. And you can imagine that that's where exploits will go. Of course, some exploits will never be able to be looked at as a dual-use tool; I mean, if you have a nuclear missile ... exploit, it's hard to justify as pen testing, but the vast majority of tools will fall into this area.
So, some things you might do if you are selling. Know your buyer ... Regulation is just one bad outcome. What's going to happen is someone in the US is going to sell an exploit, it's going to go to some channel, it's going to come back into use against US interests; we may not hear about it, maybe it'll be in the media, maybe it'll be secret, but it will just so happen, and then there will be a huge drive to stop this from happening, very quickly, for the same reason, you know, as soon as someone is murdered with a weapon, then the weapon has to be banned. That's going to happen here. The laws, in large part in this country, are reactionary, and I expect that trend to continue here. So maybe you can prevent that from happening. So know your buyer; decisively know. Don't sell it to a channel that's likely to go to some country that's under an embargo with the United States. Maybe your best bet is to sell to the U.S. Get assurances from your buyer, or at least don't have knowledge that it is going somewhere worse, I suppose. You can't control everything, right, but at least you can get assurances that, you know, it's not going to be used in some illegitimate way.

And also you can always use disclaimer language. So here's some disclaimer language ... This disclaimer language is actually from a software product that many of you have probably used many times. It's good stuff; I've highlighted probably the best, the operative language in it. But if you're selling something, be sure to use disclaimer language that kind of flows along these lines; it would help you from being accused of complicity in any illegal use to which this software might eventually be put. And lastly, I'd just like to highlight this bottom little paragraph, which is actually from the Apple iTunes end user license agreement that comes with it, and it requires that you agree that you will not use these products for any purpose prohibited by United States law, including, without limitation, the development, design, manufacture, or production of nuclear, missile, or chemical or biological weapons. Words With Friends: dangerous stuff. So thank you for coming; these are the slides.
Do we have time for questions? ... There are definitely free speech issues, especially in the temporary restraining order context ... Come see me afterwards. Question?
Can you use corporations to limit your liability for disclosure or for selling?

Corporations can be held liable in many cases too ... it hasn't happened yet ...
Next.

I have a question regarding full disclosure versus responsible disclosure. So, what we do by responsible disclosure is we contact the vendor, give them 30 days, and let them know we intend to publish ... In most cases the vendor ... and then after the 30 days ... you know, to fix it. Sometimes vendors will say we need more time; sometimes they'll say ... Google recently published that they will disclose vulnerabilities in seven days, right, a seven-day turnaround. A company like Google notifies the vendor that it intends to publish the vulnerability within the seven-day turnaround, and the company says to Google, don't you dare ... Does Google have some kind of obligation not to ... in any specific circumstances? But in this case no law has been broken; the vulnerability can be published without ... And for me, for example, where I contact a vendor and I say I've got the following ten vulnerabilities which I plan to publish, and they come back to me and say if you publish those we will sue you, right? And the same thing happens when Google says, well, it's going to be seven days, and the company comes back and says we're going to sue you if you publish; it doesn't carry the same weight, where ... Google is ...

Oh yes, the unfortunate part, I mean, as the man says, the only difference is how extensive the legal team is, how much ... because none of

