0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/118 Thanks! 1 00:00:10,210 --> 00:00:11,889 OK. This is Nate. 2 00:00:11,890 --> 00:00:12,890 He will do 3 00:00:14,530 --> 00:00:16,719 talk about like responsible disclosure 4 00:00:16,720 --> 00:00:18,819 and what to do and what not to do if 5 00:00:18,820 --> 00:00:20,319 you find some kind of security, 6 00:00:20,320 --> 00:00:21,879 vulnerability or something. 7 00:00:21,880 --> 00:00:23,230 So give him a one plus. 8 00:00:31,400 --> 00:00:32,419 The thing is on. 9 00:00:32,420 --> 00:00:34,609 Awesome, thank you. 10 00:00:34,610 --> 00:00:35,689 Thank you for having me. 11 00:00:35,690 --> 00:00:37,789 This is my first time at CCC and I'm very 12 00:00:37,790 --> 00:00:38,790 excited to be here. 13 00:00:40,700 --> 00:00:42,649 So we are at the Electronic Frontier 14 00:00:42,650 --> 00:00:44,119 Foundation. 15 00:00:44,120 --> 00:00:46,039 I will start by say a little bit about 16 00:00:46,040 --> 00:00:47,809 who we are and what we do. 17 00:00:47,810 --> 00:00:50,029 We are a nonprofit digital 18 00:00:50,030 --> 00:00:51,949 civil liberties group based in the United 19 00:00:51,950 --> 00:00:53,869 States in San Francisco, California. 20 00:00:53,870 --> 00:00:56,029 There are about 15 lawyers, and we have 21 00:00:56,030 --> 00:00:58,639 a total of about 50 staff. 22 00:00:58,640 --> 00:01:01,519 We do free speech, privacy 23 00:01:01,520 --> 00:01:03,949 users, rights innovators rights. 24 00:01:03,950 --> 00:01:05,809 We fight for a say in copyright system. 25 00:01:05,810 --> 00:01:07,999 We fight for a sane patent 26 00:01:08,000 --> 00:01:09,049 system. 
27 00:01:09,050 --> 00:01:11,209 We do legislative activism in 28 00:01:11,210 --> 00:01:13,429 the United States, in Europe, all around 29 00:01:13,430 --> 00:01:14,599 the world. 30 00:01:14,600 --> 00:01:17,449 We write blog posts and 31 00:01:17,450 --> 00:01:18,679 pertinent to this talk. 32 00:01:18,680 --> 00:01:20,480 We represent coders. 33 00:01:21,500 --> 00:01:23,539 I am part of Jeff's Coders Rights 34 00:01:23,540 --> 00:01:24,769 project. 35 00:01:24,770 --> 00:01:26,179 The other major contributor to the 36 00:01:26,180 --> 00:01:28,009 project is sitting right in the middle of 37 00:01:28,010 --> 00:01:29,389 the of the room. 38 00:01:29,390 --> 00:01:31,429 We work to protect the rights of coders, 39 00:01:31,430 --> 00:01:33,769 security engineers, developers, 40 00:01:33,770 --> 00:01:35,959 everyone building a safer internet. 41 00:01:35,960 --> 00:01:38,059 There are a lot of laws and 42 00:01:38,060 --> 00:01:39,829 regulations and 43 00:01:40,850 --> 00:01:43,429 difficult egos involved in the 44 00:01:43,430 --> 00:01:45,199 pieces that that put together. 45 00:01:45,200 --> 00:01:47,449 They comprise the internet, and we work 46 00:01:47,450 --> 00:01:49,519 to help security 47 00:01:49,520 --> 00:01:52,219 researchers, coders, developers 48 00:01:52,220 --> 00:01:54,709 navigate all of all of those pieces. 49 00:01:55,940 --> 00:01:58,039 This is, as I said, if first 50 00:01:58,040 --> 00:01:58,999 time at CCC. 51 00:01:59,000 --> 00:02:01,189 But this isn't our first time doing 52 00:02:01,190 --> 00:02:02,629 this kind of work. 53 00:02:02,630 --> 00:02:04,969 We f have 54 00:02:04,970 --> 00:02:07,219 been helping coders do what they do 55 00:02:07,220 --> 00:02:08,360 for a very long time. 
56 00:02:09,590 --> 00:02:11,329 I've been doing it for not quite as long 57 00:02:11,330 --> 00:02:13,429 as most of the many of the people 58 00:02:13,430 --> 00:02:15,229 at F, including some of the people in 59 00:02:15,230 --> 00:02:16,519 this room. 60 00:02:16,520 --> 00:02:18,709 But this this, as I said, this 61 00:02:18,710 --> 00:02:21,439 is not my first security conference and 62 00:02:21,440 --> 00:02:23,539 I know a very small amount, but I do know 63 00:02:23,540 --> 00:02:25,369 something about about what I'm about to 64 00:02:25,370 --> 00:02:27,409 say. Hopefully, fingers crossed 65 00:02:28,670 --> 00:02:30,649 the theme of this talk is one size does 66 00:02:30,650 --> 00:02:32,659 not fit all. I put it in the abstract, 67 00:02:32,660 --> 00:02:34,099 and I'm going to say it a bunch of times. 68 00:02:35,450 --> 00:02:36,650 What do I mean by that? 69 00:02:37,790 --> 00:02:38,790 This 70 00:02:39,950 --> 00:02:42,379 that this talk is titled 71 00:02:42,380 --> 00:02:44,179 Disclosure Dues Disclosure Don'ts. 72 00:02:44,180 --> 00:02:45,739 I did not title it responsible 73 00:02:45,740 --> 00:02:46,789 disclosure. 74 00:02:46,790 --> 00:02:48,709 I didn't title it. 75 00:02:48,710 --> 00:02:50,689 Vulnerability reporting. 76 00:02:50,690 --> 00:02:53,119 I'm not going to make any moral judgments 77 00:02:53,120 --> 00:02:55,519 about whether you disclose 78 00:02:55,520 --> 00:02:57,439 about how you disclose, if you disclose 79 00:02:57,440 --> 00:03:00,019 publicly, if you disclose privately, 80 00:03:00,020 --> 00:03:01,549 if you participate in a bug bounty 81 00:03:01,550 --> 00:03:03,619 program. All of those choices are 82 00:03:03,620 --> 00:03:05,569 yours to make and not mine to judge. 83 00:03:07,970 --> 00:03:10,249 OK. The biggest disclaimer of the night 84 00:03:10,250 --> 00:03:11,479 I am a lawyer. 
85 00:03:11,480 --> 00:03:13,669 I am not your lawyer unless 86 00:03:13,670 --> 00:03:15,889 you already have me as your lawyer, 87 00:03:15,890 --> 00:03:17,659 which I don't see any of my clients in 88 00:03:17,660 --> 00:03:19,219 the room. But it's possible. 89 00:03:19,220 --> 00:03:20,869 But I'm not your lawyer. 90 00:03:20,870 --> 00:03:23,059 I'm not going to give you legal advice 91 00:03:23,060 --> 00:03:24,319 in this talk. 92 00:03:24,320 --> 00:03:26,629 The biggest reason for that is 93 00:03:26,630 --> 00:03:28,669 when I give you legal advice, it has to 94 00:03:28,670 --> 00:03:30,979 be in a confidential situation. 95 00:03:30,980 --> 00:03:32,419 This is not confidential. 96 00:03:32,420 --> 00:03:33,319 This is being streamed. 97 00:03:33,320 --> 00:03:35,569 Hello online. 98 00:03:35,570 --> 00:03:37,759 So it is not 99 00:03:37,760 --> 00:03:39,619 possible for me to give you legal advice 100 00:03:39,620 --> 00:03:40,819 in this environment. 101 00:03:40,820 --> 00:03:43,309 However, feel free to contact if 102 00:03:43,310 --> 00:03:45,499 info if dot org and 103 00:03:45,500 --> 00:03:46,939 my email address will be at the end of 104 00:03:46,940 --> 00:03:49,039 the slides. Nate at f f dot 105 00:03:49,040 --> 00:03:51,139 org. It's pretty difficult for 106 00:03:51,140 --> 00:03:53,599 help finding a lawyer if 107 00:03:53,600 --> 00:03:55,699 it is possible that we could be 108 00:03:55,700 --> 00:03:57,919 your lawyer, but we have a very long list 109 00:03:57,920 --> 00:03:59,839 of very good lawyers who do this kind of 110 00:03:59,840 --> 00:04:01,909 work, sometimes even 111 00:04:01,910 --> 00:04:03,199 for free. 112 00:04:03,200 --> 00:04:05,359 If does all of its work for free 113 00:04:05,360 --> 00:04:07,849 and some of our cooperating attorneys 114 00:04:07,850 --> 00:04:09,529 do that work for free as well. 
115 00:04:09,530 --> 00:04:11,599 So if you need a lawyer, you're not 116 00:04:11,600 --> 00:04:13,709 going to get one right now, but 117 00:04:13,710 --> 00:04:15,590 I can I can try to help you get one. 118 00:04:18,320 --> 00:04:19,999 As I said, this talk is not going to be 119 00:04:20,000 --> 00:04:21,000 me judging you. 120 00:04:21,890 --> 00:04:24,589 What what you do is your business, 121 00:04:24,590 --> 00:04:26,719 and it's my job to help 122 00:04:26,720 --> 00:04:29,299 you do what you do 123 00:04:29,300 --> 00:04:31,579 better, more efficiently and not get in 124 00:04:31,580 --> 00:04:33,859 trouble for it. Hopefully, 125 00:04:33,860 --> 00:04:36,049 also with this talk isn't I'm 126 00:04:36,050 --> 00:04:37,309 not going to give you a formulaic 127 00:04:37,310 --> 00:04:38,359 approach to disclosure. 128 00:04:38,360 --> 00:04:40,429 As I said, the theme is one size does 129 00:04:40,430 --> 00:04:41,909 not fit all. 130 00:04:41,910 --> 00:04:44,149 They're for each 131 00:04:44,150 --> 00:04:46,249 security vulnerability, and 132 00:04:46,250 --> 00:04:47,689 there's going to be a different approach 133 00:04:47,690 --> 00:04:49,099 to reporting it. And there's all sorts of 134 00:04:49,100 --> 00:04:50,299 reasons why that's true. 135 00:04:51,470 --> 00:04:52,849 And of course, this talk will not be 136 00:04:52,850 --> 00:04:54,529 legal advice. 137 00:04:54,530 --> 00:04:56,629 I am going to try as hard 138 00:04:56,630 --> 00:04:58,969 as I can to not give any legal advice. 139 00:04:58,970 --> 00:05:02,359 I am going to let you ask questions. 140 00:05:02,360 --> 00:05:04,489 My voice, I've been sick for a while 141 00:05:04,490 --> 00:05:05,959 and my voice is not going to hold out for 142 00:05:05,960 --> 00:05:07,789 an hour, so there's no way that I can 143 00:05:07,790 --> 00:05:08,839 talk for a full hour. 144 00:05:08,840 --> 00:05:10,639 So I will let you ask questions. 
145 00:05:10,640 --> 00:05:12,019 If you ask a question that calls for 146 00:05:12,020 --> 00:05:14,269 legal advice, I'm very sorry in advance. 147 00:05:14,270 --> 00:05:16,249 I will not be able to answer it, at least 148 00:05:16,250 --> 00:05:17,250 not on stage. 149 00:05:19,650 --> 00:05:20,999 Disclosure, OK. 150 00:05:21,000 --> 00:05:22,379 What is disclosure, you found a 151 00:05:22,380 --> 00:05:25,019 vulnerability in someone else's project? 152 00:05:25,020 --> 00:05:26,020 Now what? 153 00:05:26,550 --> 00:05:28,979 What is the vulnerability you hopefully 154 00:05:28,980 --> 00:05:29,969 all have? 155 00:05:29,970 --> 00:05:31,709 A vague concept of wonderful new ability 156 00:05:31,710 --> 00:05:32,710 is 157 00:05:33,810 --> 00:05:35,279 I'm not going to really get into it, but 158 00:05:35,280 --> 00:05:37,409 they can look like they 159 00:05:37,410 --> 00:05:38,699 can take different forms, 160 00:05:40,020 --> 00:05:42,269 all of all the various types 161 00:05:42,270 --> 00:05:43,679 of vulnerabilities that you might want to 162 00:05:43,680 --> 00:05:45,089 disclose. 163 00:05:45,090 --> 00:05:46,829 It could be a customer data leak. 164 00:05:46,830 --> 00:05:48,809 It could be something as simple as a 165 00:05:48,810 --> 00:05:50,339 buffer overflow. It could be, 166 00:05:51,510 --> 00:05:54,179 you know, DNS poisoning attack. 167 00:05:54,180 --> 00:05:56,039 All of these are vulnerabilities. 168 00:05:56,040 --> 00:05:58,429 You might want to disclose anything 169 00:05:58,430 --> 00:05:59,759 that looks like a vulnerability. 170 00:05:59,760 --> 00:06:02,219 And hopefully these do's and don'ts 171 00:06:02,220 --> 00:06:05,069 will give you some, 172 00:06:05,070 --> 00:06:07,499 some inkling about 173 00:06:07,500 --> 00:06:10,229 how to to to disclose 174 00:06:10,230 --> 00:06:11,249 those. 
175 00:06:11,250 --> 00:06:12,250 Anything you find, 176 00:06:14,580 --> 00:06:15,929 however, if you want to sit on the 177 00:06:15,930 --> 00:06:17,909 vulnerability, if you want to keep it 178 00:06:17,910 --> 00:06:19,739 quiet and use it for yourself, if you 179 00:06:19,740 --> 00:06:21,179 want to sell the vulnerability on the 180 00:06:21,180 --> 00:06:23,219 open market, then this talk is not for 181 00:06:23,220 --> 00:06:24,959 you and you don't need my advice. 182 00:06:24,960 --> 00:06:26,519 See the title of this talk, which is 183 00:06:26,520 --> 00:06:28,709 disclosure to use and disclosure does. 184 00:06:28,710 --> 00:06:30,179 This talk will talk. 185 00:06:30,180 --> 00:06:32,219 I will talk about disclosure. 186 00:06:32,220 --> 00:06:34,319 I will not talk about sitting 187 00:06:34,320 --> 00:06:36,029 on a vulnerability or selling a zero day. 188 00:06:38,700 --> 00:06:40,979 The first question to ask yourself, 189 00:06:40,980 --> 00:06:42,989 what's your goal in disclosing the 190 00:06:42,990 --> 00:06:43,990 vulnerability? 191 00:06:45,080 --> 00:06:47,519 The the first goal, which 192 00:06:48,630 --> 00:06:50,579 many people have, is they want to fix all 193 00:06:50,580 --> 00:06:52,979 the things. If you found a vulnerability, 194 00:06:52,980 --> 00:06:55,379 your goal in disclosing it might 195 00:06:55,380 --> 00:06:57,209 be to patch that vulnerability. 196 00:06:57,210 --> 00:07:00,269 This is the probably the biggest, 197 00:07:00,270 --> 00:07:02,399 the biggest reason that people 198 00:07:02,400 --> 00:07:04,859 disclose vulnerabilities. 199 00:07:04,860 --> 00:07:06,449 Probably the second biggest reason is 200 00:07:06,450 --> 00:07:08,189 because you want to publish it or present 201 00:07:08,190 --> 00:07:10,279 it. 
You want to publish your paper 202 00:07:10,280 --> 00:07:13,199 or give a talk saying, Holy crap, 203 00:07:13,200 --> 00:07:15,479 GSM encryption is broken, and 204 00:07:15,480 --> 00:07:17,999 I proved it. And here's how. 205 00:07:18,000 --> 00:07:20,189 And that leads to number four, and you 206 00:07:20,190 --> 00:07:21,179 might get famous doing it. 207 00:07:21,180 --> 00:07:23,789 People have gotten famous doing it, 208 00:07:23,790 --> 00:07:25,649 and that's great. 209 00:07:25,650 --> 00:07:27,029 You might get paid. 210 00:07:27,030 --> 00:07:28,859 Some people actually have gotten paid, 211 00:07:28,860 --> 00:07:30,629 and I will talk a little bit more about 212 00:07:30,630 --> 00:07:31,630 that. 213 00:07:32,460 --> 00:07:33,809 But there's a question mark at the end of 214 00:07:33,810 --> 00:07:34,810 that one. 215 00:07:36,890 --> 00:07:38,239 All of these schools are great. 216 00:07:38,240 --> 00:07:39,799 I'm not here to tell you which one is 217 00:07:39,800 --> 00:07:42,139 better than any of the rest for the rest 218 00:07:42,140 --> 00:07:44,479 of the talk. However, I will try 219 00:07:44,480 --> 00:07:46,969 and focus my various points of advice 220 00:07:46,970 --> 00:07:49,099 or various do's or don'ts on the 221 00:07:49,100 --> 00:07:50,899 various schools. Some of them obviously 222 00:07:50,900 --> 00:07:52,729 will have broader application than just 223 00:07:52,730 --> 00:07:53,899 one. 224 00:07:53,900 --> 00:07:55,909 But some of them will really be focused 225 00:07:55,910 --> 00:07:57,649 on just one of those goals or another. 226 00:08:00,500 --> 00:08:02,659 OK. 
Number one, and this is the most 227 00:08:02,660 --> 00:08:05,149 important disclosure to remember 228 00:08:05,150 --> 00:08:07,969 that developers are people to 229 00:08:07,970 --> 00:08:09,769 computers and machines and software runs 230 00:08:09,770 --> 00:08:11,299 on computers, and so you can think of 231 00:08:11,300 --> 00:08:12,559 software as a machine. 232 00:08:12,560 --> 00:08:14,719 But the people who design the computers 233 00:08:14,720 --> 00:08:16,879 and the software that runs on them are 234 00:08:16,880 --> 00:08:19,159 people and they are like you 235 00:08:19,160 --> 00:08:20,509 more or less. 236 00:08:20,510 --> 00:08:22,609 And they have all of the faults 237 00:08:22,610 --> 00:08:25,009 and flaws and egos that 238 00:08:25,010 --> 00:08:27,199 people have specifically that hackers 239 00:08:27,200 --> 00:08:29,299 have. Because if someone developed 240 00:08:29,300 --> 00:08:31,699 a DNS system and you're a DNS hacker, 241 00:08:31,700 --> 00:08:33,379 the person who did all the DNS system is 242 00:08:33,380 --> 00:08:35,538 also a DNS hacker, and she 243 00:08:35,539 --> 00:08:37,399 might be more like you than you think. 244 00:08:39,320 --> 00:08:40,428 What does that mean? 245 00:08:41,480 --> 00:08:43,729 Many of the problems that the security 246 00:08:43,730 --> 00:08:46,249 researchers that we've counseled at ECF 247 00:08:46,250 --> 00:08:48,559 have run into might have 248 00:08:48,560 --> 00:08:51,409 been avoided if they had taken 249 00:08:51,410 --> 00:08:54,109 the title of this slide to developers 250 00:08:54,110 --> 00:08:56,239 or people. To what do I 251 00:08:56,240 --> 00:08:57,240 mean by that? 252 00:08:57,950 --> 00:09:00,709 As I said, developers have egos. 253 00:09:00,710 --> 00:09:03,079 Developers often are corporations 254 00:09:03,080 --> 00:09:04,080 who face 255 00:09:05,210 --> 00:09:06,829 stiff bottom lines. 
256 00:09:06,830 --> 00:09:08,929 They have money to win 257 00:09:08,930 --> 00:09:11,089 or to lose based on what 258 00:09:11,090 --> 00:09:13,429 you're going to tell the world, or maybe 259 00:09:13,430 --> 00:09:14,749 what you're going to tell their biggest 260 00:09:14,750 --> 00:09:16,429 customer, or maybe what you're going to 261 00:09:16,430 --> 00:09:19,219 publish at Def Con or at CCC. 262 00:09:19,220 --> 00:09:21,499 How you tell them that 263 00:09:21,500 --> 00:09:23,719 might really pissed 264 00:09:23,720 --> 00:09:24,979 them off. 265 00:09:24,980 --> 00:09:27,199 It might really endear them to you, 266 00:09:27,200 --> 00:09:29,779 and it might do anything in between. 267 00:09:29,780 --> 00:09:32,299 There are ways of telling people 268 00:09:32,300 --> 00:09:34,699 that their product sucks in words 269 00:09:34,700 --> 00:09:36,530 other than your product sucks. 270 00:09:37,820 --> 00:09:40,099 So like, don't see that, at least 271 00:09:40,100 --> 00:09:41,100 not at the beginning. 272 00:09:43,040 --> 00:09:46,219 Disclosure, do do your homework. 273 00:09:46,220 --> 00:09:48,619 One of the things that we've noticed 274 00:09:48,620 --> 00:09:51,230 over the years is that 275 00:09:53,120 --> 00:09:54,439 a lot of people in our business don't 276 00:09:54,440 --> 00:09:56,689 necessarily have a lot of patience if you 277 00:09:56,690 --> 00:09:57,690 discover 278 00:09:59,300 --> 00:10:02,539 an open port on a hospital's 279 00:10:02,540 --> 00:10:03,949 patient database. 280 00:10:03,950 --> 00:10:05,569 You might just email the system 281 00:10:05,570 --> 00:10:07,039 administrator. Let's say you can find 282 00:10:07,040 --> 00:10:09,169 their email address and say, Look, 283 00:10:09,170 --> 00:10:11,689 I was able to get on your database 284 00:10:11,690 --> 00:10:13,099 and download all the Social Security 285 00:10:13,100 --> 00:10:14,780 numbers and all these patient records. 
286 00:10:16,910 --> 00:10:19,069 Take a step back before you 287 00:10:19,070 --> 00:10:20,689 send that first email and do your 288 00:10:20,690 --> 00:10:21,690 homework. 289 00:10:22,310 --> 00:10:24,469 OK? Is this an activation or is 290 00:10:24,470 --> 00:10:25,429 this an intel? 291 00:10:25,430 --> 00:10:26,430 What do I mean by that? 292 00:10:27,860 --> 00:10:30,289 Is this a company that has a history 293 00:10:30,290 --> 00:10:32,749 of suing the crap out of people? 294 00:10:32,750 --> 00:10:34,759 Or is this a company who's dealt with 295 00:10:34,760 --> 00:10:36,980 security vulnerability reporting 296 00:10:38,060 --> 00:10:39,769 many times in the past and is well versed 297 00:10:39,770 --> 00:10:40,770 in how to handle it? 298 00:10:42,290 --> 00:10:44,389 Again, is this the first time a 299 00:10:44,390 --> 00:10:46,639 company has received a security 300 00:10:46,640 --> 00:10:47,689 vulnerability report? 301 00:10:47,690 --> 00:10:49,699 You probably won't be able to tell that 302 00:10:49,700 --> 00:10:51,859 offhand, but 303 00:10:51,860 --> 00:10:53,749 you may be able to tell that just from 304 00:10:53,750 --> 00:10:54,679 looking. 305 00:10:54,680 --> 00:10:56,269 Is this Facebook? 306 00:10:56,270 --> 00:10:58,369 Has Facebook received any 307 00:10:58,370 --> 00:11:00,109 security vulnerability reports? 308 00:11:00,110 --> 00:11:02,839 Yes, they've received lots. 309 00:11:02,840 --> 00:11:04,729 They know how to handle this sort of 310 00:11:04,730 --> 00:11:06,829 thing. Is this a very small 311 00:11:06,830 --> 00:11:08,600 medical device manufacturer? 312 00:11:09,920 --> 00:11:11,179 Have they received a security 313 00:11:11,180 --> 00:11:12,589 vulnerability report? 314 00:11:12,590 --> 00:11:13,759 Probably not. 315 00:11:13,760 --> 00:11:15,889 They might not even be thinking along the 316 00:11:15,890 --> 00:11:17,509 lines of security. 
317 00:11:17,510 --> 00:11:19,189 They might say, why would anyone other 318 00:11:19,190 --> 00:11:21,049 than a doctor ever try to communicate 319 00:11:21,050 --> 00:11:22,580 with a heart implant? 320 00:11:24,050 --> 00:11:25,639 Google is your friend here. 321 00:11:26,780 --> 00:11:28,999 Before you send that first email 322 00:11:29,000 --> 00:11:30,559 before you click, submit on that first 323 00:11:30,560 --> 00:11:31,560 form. 324 00:11:32,390 --> 00:11:34,519 Google the problem Google to see if this 325 00:11:34,520 --> 00:11:36,649 is a problem that anyone else has 326 00:11:36,650 --> 00:11:39,049 discovered in the past, is 327 00:11:39,050 --> 00:11:41,809 this a known vulnerability 328 00:11:41,810 --> 00:11:44,029 that the company has six 329 00:11:44,030 --> 00:11:45,979 bugs elliptic it's open for? 330 00:11:45,980 --> 00:11:48,229 Is this a company that has a bug 331 00:11:48,230 --> 00:11:49,230 bounty program? 332 00:11:50,270 --> 00:11:52,099 Google is your friend. 333 00:11:52,100 --> 00:11:54,229 OK, now this is related back to the very 334 00:11:54,230 --> 00:11:56,329 first find. 335 00:11:56,330 --> 00:11:58,970 A person to whom to disclose 336 00:12:01,100 --> 00:12:03,529 is the closer you can get 337 00:12:03,530 --> 00:12:05,059 to the very person who developed the 338 00:12:05,060 --> 00:12:06,559 product with the vulnerability, the 339 00:12:06,560 --> 00:12:07,939 better. 340 00:12:07,940 --> 00:12:09,379 Why? 341 00:12:09,380 --> 00:12:11,479 Because you want whoever you're 342 00:12:11,480 --> 00:12:14,479 talking to to be able to understand 343 00:12:14,480 --> 00:12:16,879 what you're talking about. 
344 00:12:16,880 --> 00:12:19,399 If you email Verizon Tech support 345 00:12:19,400 --> 00:12:20,570 and say that, 346 00:12:22,010 --> 00:12:24,229 I don't know, they're leaking NC 347 00:12:24,230 --> 00:12:26,389 numbers on their on 348 00:12:26,390 --> 00:12:27,559 some sort of sequel 349 00:12:28,670 --> 00:12:30,169 database that's open and you can get with 350 00:12:30,170 --> 00:12:32,209 a get command. 351 00:12:32,210 --> 00:12:34,039 The tech support person is going to say, 352 00:12:34,040 --> 00:12:35,539 Huh? He talking about. 353 00:12:36,590 --> 00:12:38,689 So you want to find someone as 354 00:12:38,690 --> 00:12:40,849 close as you can 355 00:12:40,850 --> 00:12:42,709 to the engineers on the team that 356 00:12:42,710 --> 00:12:44,809 developed the product that 357 00:12:44,810 --> 00:12:46,849 you're actually looking at? 358 00:12:46,850 --> 00:12:49,369 Why the. 359 00:12:49,370 --> 00:12:51,529 The closer you get to to the product 360 00:12:51,530 --> 00:12:53,659 itself, the more likelihood that a 361 00:12:53,660 --> 00:12:55,820 you'll be taken seriously and b 362 00:12:57,170 --> 00:12:59,629 you'll be taken less seriously 363 00:12:59,630 --> 00:13:01,609 in the way that like, ooh, hackers, 364 00:13:01,610 --> 00:13:03,409 right? You don't want to come across as 365 00:13:03,410 --> 00:13:05,659 an ooh hacker, you want to come across as 366 00:13:05,660 --> 00:13:07,069 a hacker. 367 00:13:07,070 --> 00:13:09,139 Like, as we would understand it here, 368 00:13:09,140 --> 00:13:10,849 the kind of people who put a system of 369 00:13:10,850 --> 00:13:12,589 vacuum tubes to send messages around 370 00:13:12,590 --> 00:13:14,329 conference center and not the kind of 371 00:13:14,330 --> 00:13:16,399 people who break into banks 372 00:13:16,400 --> 00:13:17,749 in the middle of the night to steal 373 00:13:17,750 --> 00:13:18,750 credit card numbers. 374 00:13:20,240 --> 00:13:22,339 Finding a person is more homework. 
375 00:13:22,340 --> 00:13:24,409 This is again why you don't just 376 00:13:24,410 --> 00:13:27,169 submit to Verizon Tech support. 377 00:13:27,170 --> 00:13:29,569 If it's an open source project great, 378 00:13:29,570 --> 00:13:31,339 you should be able to find the person's 379 00:13:31,340 --> 00:13:32,869 email address and probably pictures of 380 00:13:32,870 --> 00:13:35,269 their cats online and finding 381 00:13:35,270 --> 00:13:36,739 whoever actually developed the product 382 00:13:36,740 --> 00:13:38,389 should be easy. 383 00:13:38,390 --> 00:13:40,549 If it's a commercial product, this 384 00:13:40,550 --> 00:13:42,679 is weird, but LinkedIn can actually 385 00:13:42,680 --> 00:13:44,869 be helpful in this situation. 386 00:13:44,870 --> 00:13:47,269 You can search on LinkedIn for security 387 00:13:47,270 --> 00:13:49,129 engineer. If it's a big company, maybe 388 00:13:49,130 --> 00:13:50,329 they'll have one. 389 00:13:50,330 --> 00:13:52,579 Maybe someone that you know knows someone 390 00:13:52,580 --> 00:13:54,079 at that company. 391 00:13:54,080 --> 00:13:55,549 That would be awesome. 392 00:13:55,550 --> 00:13:57,829 One of the things that we found is even 393 00:13:57,830 --> 00:13:59,899 if you don't know anyone 394 00:13:59,900 --> 00:14:01,129 at the company, you don't know anyone at 395 00:14:01,130 --> 00:14:03,259 the team. Finding it in 396 00:14:03,260 --> 00:14:05,209 in the company will both get you taken 397 00:14:05,210 --> 00:14:07,909 more seriously and 398 00:14:07,910 --> 00:14:10,159 make it less likely 399 00:14:10,160 --> 00:14:12,649 to scare the crap out of that company. 400 00:14:12,650 --> 00:14:14,119 And scaring the crap out of the company 401 00:14:14,120 --> 00:14:15,979 is never a good thing, even if what you 402 00:14:15,980 --> 00:14:17,869 found is scary. 403 00:14:17,870 --> 00:14:19,819 You don't want to scare them needlessly. 
404 00:14:22,340 --> 00:14:24,619 Disclosure Do you make a good first 405 00:14:24,620 --> 00:14:26,329 impression? 406 00:14:26,330 --> 00:14:27,949 The first contact will be the most 407 00:14:27,950 --> 00:14:30,259 important and hopefully will set the tone 408 00:14:30,260 --> 00:14:32,239 for the rest of your interaction with the 409 00:14:32,240 --> 00:14:33,829 developer. This is why you don't send an 410 00:14:33,830 --> 00:14:36,979 email titled Your Project Sucks. 411 00:14:36,980 --> 00:14:39,379 It's leaving all iPhones open 412 00:14:39,380 --> 00:14:42,289 to having their contacts databases 413 00:14:42,290 --> 00:14:44,479 scraped like Snapchat, for 414 00:14:44,480 --> 00:14:45,709 instance. 415 00:14:45,710 --> 00:14:47,869 You want to ease into 416 00:14:47,870 --> 00:14:48,870 it. 417 00:14:49,650 --> 00:14:51,229 Hello, my name is so-and-so. 418 00:14:51,230 --> 00:14:53,359 Or, you know, if you not going 419 00:14:53,360 --> 00:14:55,069 to give your name hello, my contact 420 00:14:55,070 --> 00:14:57,289 information is so-and-so 421 00:14:57,290 --> 00:14:59,839 and I have found a 422 00:14:59,840 --> 00:15:02,029 security vulnerability in your products 423 00:15:02,030 --> 00:15:04,159 that maybe you 424 00:15:04,160 --> 00:15:05,450 would like to help them fix. 425 00:15:08,630 --> 00:15:10,639 How important is the issue that you have 426 00:15:10,640 --> 00:15:12,589 found? How important is the bug? 427 00:15:12,590 --> 00:15:13,759 Is it a mere nuisance or is it a 428 00:15:13,760 --> 00:15:15,859 significant public safety matter? 429 00:15:15,860 --> 00:15:17,959 Your first impression, your first 430 00:15:17,960 --> 00:15:20,209 contact should give whoever's 431 00:15:20,210 --> 00:15:22,099 reading it some hint of 432 00:15:23,300 --> 00:15:24,769 what this is. 
433 00:15:24,770 --> 00:15:26,299 You don't necessarily have to include 434 00:15:26,300 --> 00:15:28,549 full proof of contact code or proof 435 00:15:28,550 --> 00:15:30,919 of concept code in your first 436 00:15:30,920 --> 00:15:32,839 interaction with the company. 437 00:15:32,840 --> 00:15:34,709 But you should let them know if this is 438 00:15:34,710 --> 00:15:36,949 like going to bring down 439 00:15:36,950 --> 00:15:39,079 all of IPv4, or 440 00:15:39,080 --> 00:15:41,509 if this is going to let someone copy a 441 00:15:41,510 --> 00:15:42,510 game token, 442 00:15:43,910 --> 00:15:45,649 because both of those are security 443 00:15:45,650 --> 00:15:48,169 vulnerabilities that are worth reporting. 444 00:15:48,170 --> 00:15:49,669 But really, one is more important than 445 00:15:49,670 --> 00:15:51,559 the other. Is this going to kill people? 446 00:15:51,560 --> 00:15:53,119 Is are you going to be able to like, stop 447 00:15:53,120 --> 00:15:54,499 Dick Cheney's heart? 448 00:15:54,500 --> 00:15:56,809 Or are you going to be able to play, 449 00:15:56,810 --> 00:15:59,029 copied games over or 450 00:15:59,030 --> 00:16:01,249 undersell your research if you've found 451 00:16:01,250 --> 00:16:02,269 the game console type? 452 00:16:02,270 --> 00:16:04,339 Don't say that lives are at stake if 453 00:16:04,340 --> 00:16:05,779 lives are at stake. 454 00:16:05,780 --> 00:16:07,279 Don't say you found a minor issue. 455 00:16:10,690 --> 00:16:11,690 And don't threaten. 456 00:16:12,820 --> 00:16:14,859 Don't. It's a terrible idea. 457 00:16:14,860 --> 00:16:16,269 I don't care. 458 00:16:16,270 --> 00:16:18,909 This I'm going to come close to judging 459 00:16:18,910 --> 00:16:20,469 you a couple of times in this talk, and 460 00:16:20,470 --> 00:16:21,789 this is one of them. 
461 00:16:21,790 --> 00:16:22,790 It's just bad 462 00:16:24,250 --> 00:16:26,319 if if the first language, if 463 00:16:26,320 --> 00:16:28,419 your first language is not 464 00:16:28,420 --> 00:16:29,739 that of the developer. 465 00:16:29,740 --> 00:16:31,569 Be extra careful. 466 00:16:31,570 --> 00:16:33,129 If your first language is English and the 467 00:16:33,130 --> 00:16:35,409 developers are finished, make sure 468 00:16:35,410 --> 00:16:37,539 that you're not using idioms like I 469 00:16:37,540 --> 00:16:39,069 used in the second slide when I said, 470 00:16:39,070 --> 00:16:40,809 this is not my first time at the rodeo. 471 00:16:42,430 --> 00:16:44,499 If your first language is German and 472 00:16:44,500 --> 00:16:46,539 you're reporting to Microsoft, maybe get 473 00:16:46,540 --> 00:16:48,669 someone to help you with your English. 474 00:16:48,670 --> 00:16:50,829 If your first language is not that of 475 00:16:50,830 --> 00:16:52,569 standard human interaction and you're 476 00:16:52,570 --> 00:16:54,669 mostly a computer person, maybe 477 00:16:54,670 --> 00:16:58,119 get someone who knows 478 00:16:58,120 --> 00:16:59,259 how to do that 479 00:17:03,610 --> 00:17:05,769 there. I mean, you know, if 480 00:17:05,770 --> 00:17:06,969 it's 3:00 in the morning and you're on 481 00:17:06,970 --> 00:17:08,828 your seventh club, mutter, Hey, maybe 482 00:17:08,829 --> 00:17:11,019 wait until 10:00 the next 483 00:17:11,020 --> 00:17:13,209 morning to send the email to make sure 484 00:17:13,210 --> 00:17:14,828 that you're really kind of on the same 485 00:17:14,829 --> 00:17:17,199 page as the suit and tie 486 00:17:17,200 --> 00:17:19,269 or, you know, Polo and 487 00:17:19,270 --> 00:17:21,969 Dockers guy who's there. 488 00:17:21,970 --> 00:17:24,009 Don't make a demand or ultimatum on the 489 00:17:24,010 --> 00:17:25,010 first contact. 490 00:17:26,829 --> 00:17:27,829 That's really bad. 
491 00:17:30,300 --> 00:17:32,349 There may be times when you kind of have 492 00:17:32,350 --> 00:17:34,419 an ultimatum, which I'll get 493 00:17:34,420 --> 00:17:35,420 to later, 494 00:17:36,580 --> 00:17:37,479 but don't make it sound like an 495 00:17:37,480 --> 00:17:39,039 ultimatum, at least not on the first 496 00:17:39,040 --> 00:17:40,040 contact. 497 00:17:41,260 --> 00:17:43,389 Do not demand compensation or 498 00:17:43,390 --> 00:17:45,639 a job, at least on the first contact. 499 00:17:45,640 --> 00:17:47,769 If they want to pay you, they will 500 00:17:48,880 --> 00:17:50,619 you demanding it won't make it. 501 00:17:50,620 --> 00:17:52,839 So unless you know 502 00:17:52,840 --> 00:17:55,509 you're a hacker who's stolen 503 00:17:55,510 --> 00:17:56,919 30 million credit card numbers and you 504 00:17:56,920 --> 00:17:58,989 want to blackmail them. And if so, this 505 00:17:58,990 --> 00:18:00,579 is not the talk for you. 506 00:18:00,580 --> 00:18:02,829 Offering your help is fine. 507 00:18:02,830 --> 00:18:04,959 Making your home contingent on 508 00:18:04,960 --> 00:18:07,119 anything could lead to problems. 509 00:18:08,850 --> 00:18:11,019 So do not offer 510 00:18:11,020 --> 00:18:13,419 to keep quiet in exchange for something 511 00:18:13,420 --> 00:18:15,909 or anything, money or otherwise. 512 00:18:15,910 --> 00:18:17,169 Researchers have been accused of 513 00:18:17,170 --> 00:18:18,400 extortion for doing this. 514 00:18:19,600 --> 00:18:21,789 I don't know much about European law, but 515 00:18:21,790 --> 00:18:24,459 in the United States, if you 516 00:18:24,460 --> 00:18:26,799 offer to keep something quiet in exchange 517 00:18:26,800 --> 00:18:29,409 for money, there's at least a cultural 518 00:18:29,410 --> 00:18:30,759 argument that what you just did is a 519 00:18:30,760 --> 00:18:31,719 crime. 
And I think that what you just did may or may not be a crime, but I'm not going to advise it either way. It's simply not a good idea. I mean, I did not title this talk responsible disclosure, but that's really not responsible at all. So don't do it.

Don't say too much too soon. This don't is contingent, and there may be times when the type of vulnerability is such that you can really just, let's say this is, I don't know, Tor and you found an easy bug. And for whatever reason, you don't want to use a bug submission. You want to disclose it as a security vulnerability. You might want to go ahead and give the patch along with the vulnerability report. However, if this is, let's say, a hospital and you found a way in to look at patient records, you might not want to email them the entire database of patient records that you downloaded from their site in your first contact. That could incriminate you later on.
And if you, well, I'll get to it later. But you know, it's not the best idea to go about telling people all of the bad stuff you did before you know how they're going to receive it.

OK. And now I'm going to pause for a second. Bad stuff you did. You might need a lawyer if you broke DRM to get to where you are. If you violated an NDA, and NDAs can come in all sorts of forms that you might not even know that you signed. If you clicked through something that might have included an NDA, you might really want to think about getting a lawyer before you make that vulnerability report. If you gained access to a nonpublic anything, or if you've got some of your information from a nonpublic source, you might want to at least think about getting a lawyer before you make your report.
If your employer will be pissed that you're going to DEF CON and telling people how to get free subway rides for life, then maybe you might need a lawyer before you go to DEF CON and tell people that.

No, legal issues are not one size fits all, just like vulnerability reporting. There are tons of potential legal issues. I know some of the legal issues in American law. I know very few or maybe no issues in European law. Some of them might be contracts that you might be bound to, your employment agreement. For instance, if you found this vulnerability as part of your employment and now you're no longer at the company, copyright could be a significant problem. Trade secrets might be a problem. Patents can be a problem. Anti-circumvention provisions could be a huge problem, depending. And then if you did something that could be construed in one jurisdiction or another as a crime, you will want to, as I said earlier, get a lawyer if any of that is true.
OK. Disclosure, do this. This one's easy. If you have discovered a bug at a company that has a bug bounty program, go nuts. Use their bug bounty program; they're put there for a reason. Otherwise, if you found the vulnerability at a company that does not have a bug bounty program, chances are you're not going to get paid for it. It has happened. It's very rare. So don't get your hopes up. If there is no bug bounty program, do not demand money for any reason, because that could be construed as extortion or blackmail. It's not a good idea.

Bug bounty don't. Who recognizes this? Raise your hand. OK, a couple of you recognize this. Facebook has a bug bounty program. Khalil found a bug in the Facebook API that allowed him to post to an arbitrary user ID's wall, whether or not he had posting permission to that user ID. He submitted the bug through Facebook's bug bounty program. Not exactly clear on why.
I don't have the wording of his submission, and this person is not a client of ours. Apparently, Edward Snowden is just his profile picture, which I kind of like. But they ignored him. And so he upped the game a little bit and posted on Mark Zuckerberg's wall. OK, that got attention. It got the bug fixed. So he met goal number one. He did fix the thing, and he did it quite effectively, right? Because he posted to Mark Zuckerberg's wall and they were like, holy shit, you can post to Mark Zuckerberg's wall. And so they fixed the bug. He didn't get paid through the bug bounty program. Why? Because he didn't follow the rules. The bug bounty program says that you can't exploit the bug and still claim the bounty. Facebook's bug bounty program says that if you want to claim the bounty, you have to submit a proof of concept but not actually exploit it. Or if you exploit it, you can exploit it on accounts you own, or...
Or something like that. So if you're going for a bug bounty, don't do that. But if you're going for fixing the thing, and you're reasonably certain that you're not going to get sued or charged with a crime, which in this context, I don't know if he should have been certain about that. It turned out that he was not sued and he was not charged with a crime. Then go ahead and do this. But really, it's not the best idea. If I were him, I would have tried to resubmit the bug through the bug bounty program, maybe worded differently. As you can see, he says, "Dear Mark Zuckerberg, first sorry for breaking your privacy and post to your wall. I has no other choice to make after all the reports I sent to Facebook." His first language is probably not English. Maybe he could have gotten help on that part of the submission. OK.
What if you've now gone beyond fixing all the things and your goal is to publish or present the vulnerability that you've discovered? Sometimes this goes hand in hand with fixing all the things. Often it goes hand in hand with fixing all the things. If you have found a vulnerability, for instance, in a standard rather than a product, there may be no person to report it to.

Actually, let me pause for a second. I was talking with Roger from Tor the other night, and when I was outlining a little bit of what I was going to say in this talk, he said, "Oh yeah, when people report vulnerabilities in Tor, they will often just, like, post a vulnerability on their own web page and say, holy crap, I wish someone at Tor would pay attention to this." OK. There are people at Tor, right? You can email somebody at Tor and they will read your email. So just because it's a standard doesn't mean there's not a person.
I mean, Tor is also, it's not just a protocol, it's a product. So there are people. But even if it's just a standard or a protocol, there may well be people that you can email.

OK, so now getting back to publishing or presenting. Sometimes really the only way of getting this thing fixed is to make the entire world know about it. And in that case, you're going to need to publish or present. Sometimes you have, in your own calculus, decided that publishing or presenting and disclosing the bug in public is going to be better for you, for whatever reason, than disclosing the bug in private. But that's a decision that you should make as early as possible: whether you're going to disclose this to the company or to the developer before you publish or present, or if free subway rides for life is going to be the first thing that they hear about the vulnerability in their product.
I'm not going to judge you, and I'm not going to tell you that you need to do one or the other, but it's something that you need to think about, and think about it early. And maybe, like, before you submit the talk, not like a week before you come. If you disclose first, before your talk or before your paper, it'll give the developer an opportunity to fix the bug. Maybe, maybe not. Maybe the way it is is, you know, these are Samsung smart TVs that are in three million living rooms all across the world. And unless people update their firmware, there's no way of pushing updates. So maybe there really is no opportunity to fix it in deployed devices. Maybe there is. So that's something that you need to think about. However, if you disclose the vulnerability prior to publication, you're going to run into a possible problem. You're going to give them an opportunity.
You're going to give Volkswagen an opportunity to prevent you from disclosing a serious vulnerability in the keyless entry system of Porsches nowadays, right? That happened this year at USENIX. They, you know, I don't know if they disclosed privately, but they published the abstract on USENIX because that's what USENIX does. And Volkswagen was able to go to a court in the UK and get an injunction preventing them from giving their talk. Their talk didn't happen. There are side issues here about timing: how long to give a developer before publishing. Again, there's no one size fits all. Might be a week, maybe six months, might be a year. I cannot give you the answer to this question without a whole lot more information, which we're not going to do here tonight. Jurisdiction is another one.
Hypothetically, if the Volkswagen talk had happened in the United States, the court would not have been able to enjoin it the way that it did. But that's only hypothetically; if a judge wanted to ignore the law, maybe that could have happened in the United States.

OK. I've alluded to this, but now I'm just going to say it. When I was writing these slides, I couldn't decide whether the next one was a do or a don't. Who here knows what I'm talking about on this slide? Cindy does. Kurt does. The first row all raise their hands because they were there, OK? There were a group of MIT students a few years ago who submitted a talk to DEF CON with this title, but they didn't actually mean free subway rides for life. What they meant was they had discovered a vulnerability in the Boston smart card, or the Boston fare card system, that allowed you to add an arbitrary value to the card.
They titled their talk free subway rides for life, and this got headlines, and this pissed the hell out of the Boston MTA, and the Boston MTA was not an organization familiar with security vulnerability reporting. They're not. You know, this isn't Cisco. This isn't Intel. And this isn't Facebook. This is a transportation agency. They don't necessarily think about these things in the way that you security researchers do. And when they saw free subway rides for life, one of the things which they might have thought from this title was, oh my God, these kids are going to give people a step-by-step on how to get free subway rides for life.

So why did I say that I didn't know whether this was a do or a don't? How much attention is too much attention? What type of attention is the right attention? This is an important decision for you to make, and you need to make it. You need to actually make the decision.
You can't let the decision be made for you. You need to think about whether free subway rides for life is going to piss off the people who you're disclosing to more than it will get people to come to your talk. If you're DJB and you submit a talk that says DJB has something to say, people are going to come to it. If you're a random MIT student and you submit a talk that says random MIT student has something to say, no one's going to come to it. So you need to hear that there's a line to walk, and everybody is in between those two things. So think about what you're going to put in your abstract. Think about what you're going to put in your talk title to get just enough attention of the right kind, and try maybe not to make the company think that you're going to teach people how to steal their shit.
Think about how the title will read to all of your audiences: the press, law enforcement, the company, potential employers, current employers, conference goers, paper readers, you know, whatever. Are you really going to give step-by-step instructions on how to get free subway rides for life? Or are you going to disclose a pretty bad vulnerability in the fare card? I mean, those are two ways of saying the same thing. So think about it.

Disclosure do. OK, now this, when I was talking at the front about goals, this comes down to: you've decided to publish or present. Maybe you've already disclosed the vulnerability to the company, maybe not. Disclosure do: release a proof of concept, if you want to.
You know, if you've decided to release a proof of concept, release one that is enough for someone of your level of technical ability to understand the vulnerability. You want to release enough so that they know what the fuck you're talking about, and not so much that the script kiddies can run with it. If you have discovered a vulnerability in Pandora that allows you to save full copies of MP3s of all the songs that they do, maybe your proof of concept is not going to be a browser plug-in. You know, maybe consider dual uses. Consider whether the proof of concept is doing something to advance the state of the art in security, or whether it's something that's just going to let people get free shit. So the free subway rides for life kids weren't actually going to tell people how to get free shit. They were going to advance the state of fare card security. For proof of concept, think more about releasing your proof of concept for academics and not for the kiddies.
The kids don't need your help, and I don't... This is another thing where I'm going to be judging you a little bit. Don't help them, because they don't need it. OK? That's what I just said. There are better ways of advancing the state of the art in security than releasing a browser plug-in that will let you scrape Visa card transactions, because that doesn't really advance the state of the art in security. In fact, it does the exact opposite, even though it is a perfect working proof of concept. It doesn't help.

OK. And that's all I have. My voice has amazingly held up and I'm ready to go for questions. Here are some resources that we have at the EFF website. This is our coders' rights page, eff.org/issues/coders, and we have that wonderful picture of a cat on the page because that's the kind of people we are.
You can always email info@eff.org, and I promise that someone will read the email; it does not go to /dev/null. It goes to our intake coordinator, who is awesome and knows what he's talking about and will flag the issue appropriately. You can also email me, and there's my email address and there's my Twitter. OK.

OK, first of all, thank you, Nate. So now we have time for Q&A. So if you have any questions, you can line up at the microphones and we will start with a question from the internet.

When looking over the past few years, are researchers getting better or worse at disclosing effectively, and are companies getting better or worse at responding to disclosures?

It's a mixed bag. You know, security researchers are often, you know, I see a lot of young faces in this room, so people may not have been around for a few years. Those of you who have been around for a few years have gotten better.
Companies who have been around for a few years have gotten better. That said, with the Internet of Things, we are discovering more and more security vulnerabilities in more and more things, the designers of which may not have ever thought, like a television. A TV engineer would never, five years ago, have thought about security, ever. It's not something they would have thought about. And now there are TVs that are internet enabled, that have a camera on them, that are running a real-time operating system in your living room at all times. And that's a huge attack vector. So they may... I mean, Samsung is good, for Samsung TV people. I don't know. Like, I'm sorry, I can't answer that question, but the Internet of Things has really thrown a monkey wrench into all of this.
1032 00:36:15,670 --> 00:36:17,979 OK, now from a guy in the back. 1033 00:36:17,980 --> 00:36:20,499 I 1034 00:36:20,500 --> 00:36:23,199 am not allowed to 1035 00:36:23,200 --> 00:36:24,489 talk about the specific 1036 00:36:26,110 --> 00:36:28,479 vulnerability, so I need to keep it 1037 00:36:28,480 --> 00:36:30,579 as vague as possible. 1038 00:36:30,580 --> 00:36:32,769 I found a vulnerability 1039 00:36:32,770 --> 00:36:35,169 in a content management system, 1040 00:36:35,170 --> 00:36:36,170 and 1041 00:36:37,570 --> 00:36:39,999 the vendor is not that helpful 1042 00:36:40,000 --> 00:36:42,399 in the fixing 1043 00:36:42,400 --> 00:36:43,400 of the vulnerability. 1044 00:36:45,280 --> 00:36:47,440 This CMS is 1045 00:36:50,050 --> 00:36:52,299 used by very many big firms 1046 00:36:52,300 --> 00:36:53,949 in Germany. 1047 00:36:53,950 --> 00:36:56,079 What would be the best way 1048 00:36:56,080 --> 00:36:57,069 to keep them safe? 1049 00:36:57,070 --> 00:36:59,229 So they all 1050 00:36:59,230 --> 00:37:01,299 have it. This one, there's 1051 00:37:01,300 --> 00:37:03,639 even a backdoor in there and 1052 00:37:03,640 --> 00:37:04,059 stuff. 1053 00:37:04,060 --> 00:37:06,279 So I can't answer your question 1054 00:37:06,280 --> 00:37:07,809 specifically, but let me answer in a 1055 00:37:07,810 --> 00:37:09,309 more general way. 1056 00:37:09,310 --> 00:37:11,769 That's the most common 1057 00:37:11,770 --> 00:37:13,509 problem that security researchers have. 1058 00:37:13,510 --> 00:37:15,219 They submit the vulnerability. 1059 00:37:15,220 --> 00:37:17,469 The manufacturer understands 1060 00:37:17,470 --> 00:37:19,539 the vulnerability, but they just don't 1061 00:37:19,540 --> 00:37:20,529 patch it. 1062 00:37:20,530 --> 00:37:22,209 The market isn't there. 1063 00:37:22,210 --> 00:37:24,759 There are lots of ways to deal with this.
1064 00:37:24,760 --> 00:37:26,079 One of them is 1065 00:37:27,730 --> 00:37:28,730 publishing. 1066 00:37:30,070 --> 00:37:31,809 That will bring market pressure to bear 1067 00:37:31,810 --> 00:37:33,759 to get this thing fixed. 1068 00:37:33,760 --> 00:37:36,009 It might also expose 1069 00:37:36,010 --> 00:37:37,659 the vulnerability in a way that will make 1070 00:37:37,660 --> 00:37:38,829 people unsafe. 1071 00:37:40,120 --> 00:37:43,359 So it's a fine line to walk, 1072 00:37:43,360 --> 00:37:45,669 and, you know, maybe come 1073 00:37:45,670 --> 00:37:47,919 up after, or email me tomorrow, 1074 00:37:47,920 --> 00:37:49,809 and we can talk more about it. 1075 00:37:49,810 --> 00:37:52,269 But 1076 00:37:52,270 --> 00:37:54,070 again, there is no one size fits all. 1077 00:37:55,170 --> 00:37:57,309 The line between getting them to 1078 00:37:57,310 --> 00:37:59,469 take you seriously and fix it, 1079 00:37:59,470 --> 00:38:01,659 and publishing 1080 00:38:01,660 --> 00:38:04,179 in a way that might give 1081 00:38:04,180 --> 00:38:06,429 script kiddies or black hats 1082 00:38:08,920 --> 00:38:11,559 ammunition, it's tough. 1083 00:38:11,560 --> 00:38:12,819 But one of the ways you can get them to 1084 00:38:12,820 --> 00:38:14,439 take you seriously is to publish. 1085 00:38:15,700 --> 00:38:16,809 I don't know. That might not be the right 1086 00:38:16,810 --> 00:38:18,249 solution for you. So let's talk. 1087 00:38:18,250 --> 00:38:19,250 OK? 1088 00:38:19,970 --> 00:38:20,869 Thank you. 1089 00:38:20,870 --> 00:38:21,870 OK, number one, please. 1090 00:38:23,510 --> 00:38:26,479 So if you submit a 1091 00:38:26,480 --> 00:38:28,609 report, a vulnerability report, and 1092 00:38:28,610 --> 00:38:29,989 the company does not react, 1093 00:38:31,160 --> 00:38:33,979 how soon do you follow up?
1094 00:38:33,980 --> 00:38:35,360 When are you going to start 1095 00:38:37,400 --> 00:38:39,589 setting deadlines, 1096 00:38:39,590 --> 00:38:41,329 somewhere along the lines of "if you do 1097 00:38:41,330 --> 00:38:43,099 not answer within, like, one month, I'm 1098 00:38:43,100 --> 00:38:45,679 going to make this public", and 1099 00:38:45,680 --> 00:38:46,579 stuff like that? 1100 00:38:46,580 --> 00:38:48,649 Again, it depends on how serious this 1101 00:38:48,650 --> 00:38:49,939 thing is. 1102 00:38:49,940 --> 00:38:52,579 If you found, like, a serious vulnerability 1103 00:38:52,580 --> 00:38:54,679 in a SCADA product that's in 1104 00:38:54,680 --> 00:38:56,299 traffic lights and power stations all 1105 00:38:56,300 --> 00:38:58,219 around the world, and people might die, 1106 00:38:59,240 --> 00:39:01,609 then maybe don't give them 1107 00:39:01,610 --> 00:39:02,599 very much time. 1108 00:39:02,600 --> 00:39:04,699 But if this isn't SCADA, if it might 1109 00:39:04,700 --> 00:39:06,439 be really hard to patch, then maybe you 1110 00:39:06,440 --> 00:39:08,269 should give them time. So it's extremely 1111 00:39:08,270 --> 00:39:10,369 dependent on the exact circumstances of 1112 00:39:10,370 --> 00:39:12,649 the bug, and I couldn't 1113 00:39:12,650 --> 00:39:13,879 tell you what the answer is. 1114 00:39:13,880 --> 00:39:15,739 Sometimes it's a week, sometimes it's six 1115 00:39:15,740 --> 00:39:16,849 months, sometimes it's a year. 1116 00:39:17,980 --> 00:39:18,980 I don't know. 1117 00:39:20,340 --> 00:39:21,659 Do we have more questions from the 1118 00:39:21,660 --> 00:39:22,709 Internet? 1119 00:39:22,710 --> 00:39:23,710 Oh, Internet. 1120 00:39:28,820 --> 00:39:31,339 Yes, there is kind of a one-week 1121 00:39:31,340 --> 00:39:32,779 question.
1122 00:39:32,780 --> 00:39:35,089 Do you see any difference 1123 00:39:35,090 --> 00:39:37,159 in the way you're reporting 1124 00:39:37,160 --> 00:39:39,349 responsibly, say, 1125 00:39:39,350 --> 00:39:41,659 if it's a bug in an actual product 1126 00:39:41,660 --> 00:39:44,299 or if it's the application 1127 00:39:44,300 --> 00:39:46,609 or the usage of a product, 1128 00:39:46,610 --> 00:39:48,649 if someone's using something wrong? Is 1129 00:39:48,650 --> 00:39:50,479 there any difference in the way you 1130 00:39:50,480 --> 00:39:51,480 report bugs? 1131 00:39:52,640 --> 00:39:54,199 I mean, every bug is reported 1132 00:39:54,200 --> 00:39:56,449 differently, but generally speaking, no, 1133 00:39:56,450 --> 00:39:58,159 I don't see a difference. 1134 00:39:58,160 --> 00:39:59,689 There's no difference in type, at least 1135 00:39:59,690 --> 00:40:01,849 in my mind. 1136 00:40:01,850 --> 00:40:04,249 A vulnerability is a vulnerability, 1137 00:40:04,250 --> 00:40:06,469 and reporting it to the 1138 00:40:06,470 --> 00:40:08,629 people, the person or people who have the 1139 00:40:08,630 --> 00:40:10,909 ability to fix it, 1140 00:40:10,910 --> 00:40:13,519 whether it's in an application or, 1141 00:40:13,520 --> 00:40:15,919 you know, a protocol or a stack 1142 00:40:15,920 --> 00:40:18,019 or whatever it is, is 1143 00:40:18,020 --> 00:40:19,020 the best way to go. 1144 00:40:20,860 --> 00:40:22,420 Two. OK, number two, please. 1145 00:40:23,470 --> 00:40:25,599 Hi, I'm one of the founders of 1146 00:40:25,600 --> 00:40:28,089 Hek Militant Fentanyl, which is 1147 00:40:28,090 --> 00:40:31,089 a possibility for Dutch people to 1148 00:40:31,090 --> 00:40:33,369 anonymously disclose.
1149 00:40:33,370 --> 00:40:35,739 OK, you've briefly touched the subject 1150 00:40:35,740 --> 00:40:38,739 of being anonymous, but 1151 00:40:38,740 --> 00:40:40,569 what would you recommend? In which 1152 00:40:40,570 --> 00:40:41,709 circumstances do you 1153 00:40:42,850 --> 00:40:44,889 report something anonymously, and when do 1154 00:40:44,890 --> 00:40:46,989 you not do it anonymously? 1155 00:40:46,990 --> 00:40:49,539 Is there any, uh, 1156 00:40:49,540 --> 00:40:51,579 uh, rule of thumb for you? 1157 00:40:51,580 --> 00:40:52,479 There's no. 1158 00:40:52,480 --> 00:40:54,069 No rule of thumb. 1159 00:40:54,070 --> 00:40:56,499 No, it totally depends. 1160 00:40:56,500 --> 00:40:58,869 You know, if you're Jake Appelbaum 1161 00:40:58,870 --> 00:41:00,639 and you find a vulnerability, 1162 00:41:00,640 --> 00:41:01,809 there's probably no reason to do it 1163 00:41:01,810 --> 00:41:03,069 anonymously. 1164 00:41:03,070 --> 00:41:04,389 Or if you find a vulnerability, there's 1165 00:41:04,390 --> 00:41:05,469 probably no reason to disclose 1166 00:41:05,470 --> 00:41:06,470 anonymously. 1167 00:41:07,930 --> 00:41:10,149 If you're someone with a checkered past, 1168 00:41:10,150 --> 00:41:12,279 then maybe there is. If you're someone 1169 00:41:12,280 --> 00:41:14,469 who just wants to be anonymous 1170 00:41:14,470 --> 00:41:16,599 for whatever reason, if you live in 1171 00:41:16,600 --> 00:41:18,819 an area where being 1172 00:41:18,820 --> 00:41:21,219 a hacker is not OK, if your employer 1173 00:41:21,220 --> 00:41:23,379 is not great with you doing what you do, 1174 00:41:23,380 --> 00:41:25,269 then disclose anonymously. 1175 00:41:25,270 --> 00:41:26,709 But no, there's no rule of thumb. 1176 00:41:26,710 --> 00:41:28,389 OK, thanks. Mm hmm.
1177 00:41:28,390 --> 00:41:29,529 OK, number one, please. 1178 00:41:29,530 --> 00:41:31,989 Isn't hunting down a project manager 1179 00:41:31,990 --> 00:41:34,209 on LinkedIn, 1180 00:41:34,210 --> 00:41:35,739 hunting down a project manager on 1181 00:41:35,740 --> 00:41:37,539 LinkedIn and then confronting him with 1182 00:41:37,540 --> 00:41:39,729 the bug that he probably should not 1183 00:41:39,730 --> 00:41:41,799 have let public in the first place, 1184 00:41:41,800 --> 00:41:43,299 isn't that more likely to scare the crap 1185 00:41:43,300 --> 00:41:44,859 out of him? 1186 00:41:44,860 --> 00:41:46,389 Again, it depends on how that first 1187 00:41:46,390 --> 00:41:48,489 interaction goes. If you say, 1188 00:41:48,490 --> 00:41:50,619 "Hey, I'm a friendly hacker 1189 00:41:50,620 --> 00:41:52,569 on the internet and I found this thing, 1190 00:41:52,570 --> 00:41:54,489 which you probably weren't expecting, a 1191 00:41:54,490 --> 00:41:56,649 bizarre and strange use 1192 00:41:56,650 --> 00:41:58,959 of the product that will 1193 00:41:58,960 --> 00:42:00,519 allow someone to do something that you 1194 00:42:00,520 --> 00:42:01,539 didn't intend, 1195 00:42:01,540 --> 00:42:03,609 and I would like to help you 1196 00:42:03,610 --> 00:42:04,659 fix it," then 1197 00:42:04,660 --> 00:42:05,660 probably not. 1198 00:42:07,690 --> 00:42:09,429 But it depends. If this is someone 1199 00:42:09,430 --> 00:42:11,829 with a particularly big or thorny ego, 1200 00:42:11,830 --> 00:42:14,079 then maybe it will. 1201 00:42:14,080 --> 00:42:16,389 But we have found that the closer 1202 00:42:16,390 --> 00:42:18,729 the people are to 1203 00:42:18,730 --> 00:42:20,949 being developers like you, like people 1204 00:42:20,950 --> 00:42:23,169 who know security engineering, 1205 00:42:23,170 --> 00:42:24,759 you're not likely to piss them off.
1206 00:42:24,760 --> 00:42:25,979 If you, 1207 00:42:25,980 --> 00:42:27,759 have you seen numbers on that? 1208 00:42:27,760 --> 00:42:29,529 I don't have numbers. 1209 00:42:29,530 --> 00:42:31,179 I only have anecdotes. 1210 00:42:33,460 --> 00:42:35,829 But again, like, "your product sucks" 1211 00:42:35,830 --> 00:42:37,959 vs. "hey, I'd like to help 1212 00:42:37,960 --> 00:42:39,070 you make your product better." 1213 00:42:40,450 --> 00:42:41,979 That can really set the tone for the 1214 00:42:41,980 --> 00:42:42,980 communication going forward. 1215 00:42:44,030 --> 00:42:45,030 1216 00:42:46,450 --> 00:42:47,889 What would you recommend to product 1217 00:42:47,890 --> 00:42:50,229 managers of companies or organizations 1218 00:42:50,230 --> 00:42:52,179 that are not experienced with dealing 1219 00:42:52,180 --> 00:42:54,429 with security vulnerabilities, that are 1220 00:42:54,430 --> 00:42:56,439 contacted for the first time? 1221 00:42:56,440 --> 00:42:56,799 That's a great 1222 00:42:56,800 --> 00:42:57,800 question. Yeah, 1223 00:42:59,270 --> 00:43:00,460 let me think about that for a second. 1224 00:43:01,930 --> 00:43:04,059 I guess, take it seriously and 1225 00:43:05,140 --> 00:43:06,759 treat any... 1226 00:43:06,760 --> 00:43:08,859 I'm just talking off the cuff on this 1227 00:43:08,860 --> 00:43:11,079 one. But, you know, there's no reason 1228 00:43:11,080 --> 00:43:13,029 to treat a bug report off the internet 1229 00:43:13,030 --> 00:43:15,189 any different than a bug 1230 00:43:15,190 --> 00:43:17,169 report in your internal reporting system. 1231 00:43:17,170 --> 00:43:18,819 You know, any developer is going to 1232 00:43:18,820 --> 00:43:20,889 have a 1233 00:43:20,890 --> 00:43:23,229 reporting system, a bug tracking 1234 00:43:23,230 --> 00:43:25,689 system. I mean, maybe if 1235 00:43:25,690 --> 00:43:26,829 this is the first time, just open a 1236 00:43:26,830 --> 00:43:29,079 ticket on it.
I don't know that 1237 00:43:29,080 --> 00:43:31,299 that would be my best advice if 1238 00:43:31,300 --> 00:43:32,949 this is not a software company. 1239 00:43:32,950 --> 00:43:35,349 If this is, you know, if this is an 1240 00:43:35,350 --> 00:43:37,689 insulin pump manufacturer, then maybe 1241 00:43:37,690 --> 00:43:38,769 you have to think about it a little 1242 00:43:38,770 --> 00:43:40,929 differently, but they 1243 00:43:40,930 --> 00:43:42,339 probably have a bug reporting system 1244 00:43:42,340 --> 00:43:43,340 also. 1245 00:43:43,810 --> 00:43:45,789 So treat it like you would any other bug, 1246 00:43:45,790 --> 00:43:47,049 treat it like you would an internal 1247 00:43:47,050 --> 00:43:49,329 report. I guess that would be my advice. 1248 00:43:49,330 --> 00:43:50,330 OK, thanks. 1249 00:43:51,100 --> 00:43:52,390 OK. Are there any more questions? 1250 00:43:56,010 --> 00:43:56,999 OK. 1251 00:43:57,000 --> 00:44:00,029 OK, well, then thank you, Nate, 1252 00:44:00,030 --> 00:44:01,469 and everybody have a good time.