DEF CON 31 War Stories - The Risks of Pointing Out the Emperor is Buck Naked - Renderman, Tom Dang

Post 9/11, the phrase “If you see something, say something” became ubiquitous. If you saw something of concern, better to report something that was nothing than let something bad happen. Problem is, no one let the authorities know that they should apply this to the online realm too. Threats of arrest and criminal investigations have the opposite effect and chill anyone from wanting to report security vulnerabilities that affect everyone.

Lack of clear reporting paths, misunderstandings, jurisdiction issues, superseding laws, and good old fashioned egos can make trying to do the right thing turn into a nightmare that can cost livelihoods, reputation, criminal charges and even worse, particularly when government systems are involved.

This talk will cover the presenters' personal experiences with poorly written, or entirely absent, vulnerability disclosure policies in their own governments, and what trying to make things better cost them. The presentation will then move to a discussion about what should be done, and what is being done, to make sure that reporting a vulnerability doesn't cost you everything. Anyone who is responsible for writing such disclosure policies or legislation will benefit, but so will any hackers who want to make it safer to report the issues they find by advocating for changes.
Comments

most defcon intro. the bottle drop was perfect
moral of the story: don't fire your hackers for finding stuff. give them raises and they will gleefully fix it for you

quillclock

One of the many reasons we need reliable, trusted journalists is because while we should absolutely fight for better legal protections, there will always be some risk associated with going public with this kind of information, so it will always be safer to drop an anonymous tip to a reputable news outlet rather than go directly to the government.

cogspace

This is so funny, because I have a relatable case!

I reported QR collisions to the Dutch government and got faced with the "these are non-issues" e-mail. Basically for the COVID QR code they used a TOTP based on first letter of name and first letter of surname plus date of birth.

So any "SP" born on my birthday could use my QR codes with my credentials.

Even worse was the fact that you could simply generate any QR code yourself, the app didn't use any API to fetch codes... no it just generated codes based on a secret bundled with the app.

So much for "non"-issue, never heard anything from anyone. No cops tho, no cops!

sjoervanderploeg
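
An added example (mine, not the commenter's code and not the real Dutch app's implementation) that models the scheme as the comment describes it: a TOTP key derived only from two initials and a date of birth is shared by everyone with those attributes, so their codes collide, while a per-user random secret does not. The names, dates and the SHA-256 key derivation are constructed assumptions.

```python
import hmac
import hashlib
import struct
import secrets
from datetime import date


def identity_key(first: str, last: str, dob: date) -> bytes:
    """Constructed model of the weak scheme: key material is two initials plus DOB.
    Anyone sharing these public attributes derives the identical key."""
    material = f"{first[0].upper()}{last[0].upper()}{dob.isoformat()}".encode()
    return hashlib.sha256(material).digest()


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def identity_space(years: int = 120) -> int:
    """Upper bound on distinct (initial, initial, DOB) keys: 676 initial pairs
    times the days in a plausible lifespan, roughly 2**24.8 possibilities."""
    return 26 * 26 * years * 366


def random_key() -> bytes:
    """The mitigation: a per-user secret the verifier issues and stores,
    independent of any public attribute of the holder."""
    return secrets.token_bytes(32)


def codes_collide(first_a, last_a, first_b, last_b, dob: date, t: int) -> bool:
    """True when two distinct people get the same code under the weak scheme."""
    return totp(identity_key(first_a, last_a, dob), t) == totp(identity_key(first_b, last_b, dob), t)


if __name__ == "__main__":
    now = 1_690_000_000  # fixed timestamp so the run is reproducible
    birthday = date(1990, 5, 17)  # constructed sample data
    # Two different people, same initials and birthday: identical codes.
    print("collision:", codes_collide("Sam", "Parker", "Sofia", "Petrova", birthday, now))
    print("identity keys possible:", identity_space())
    # Per-user random secrets: same birthday, different codes (up to 1-in-10**6 chance).
    print(totp(random_key(), now), totp(random_key(), now))
```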

The moral of the story, kids, is that when you discover a vulnerability you shouldn't report it and instead should sell it to shady folks on the dark web.
Or at least that's what punishing well-meaning hackers causes.

JustPlainRob

God Bless Dan Kaminsky - R.I.P. - missed but never forgotten

stiLLa

This should be required watching for all bug researchers.

Derbauer

"what are the problems here"

It's frustrating how much 'laughing it off' there was about their two anecdotal experiences. How many people could survive being attacked by powerful systems, whether the banks or the government, losing your job suddenly, having to pay lawyers, etc... and even for these guys who have the social and financial support to survive those attacks, nothing was done to make it right. I'm sure lawyer fees were never reimbursed, and a government fine of 5k is nothing to sneeze at. Many people could not absorb that easily, although the lawyer fees dwarf it.

Governments and these companies are effectively waving a gun around like a madman at anyone knowledgeable about security and hacking and making it clear that when you find a vulnerability you can't have a rational discussion with this nutjob. Your only option is to put on your black hat and monetize exploits otherwise nothing will ever be done to fix them.

Anyway, great talk but it's a dark topic when you consider what might be happening to people with less voice or knowledge in navigating the corruption.

craigslist

When hackers realize en masse that the government is lying when it says it cares about security is when this changes. There is no reasoned argument that will convince an apparatchik that a real problem is more important than the government's reputation.

If you report something embarrassing or issue an ultimatum to those people, most will respond with guns (police and prosecution).

timothyblazer

Still have one of these service medals pinned to my Def Con bag.

thatlamp

THIS is how I find out Kevin Mitnick is dead?? RIP

LordNAg

God, the Canadian government is such a joke sometimes. Sometimes I think we have it bad in the States, then I see stories like this, where a guy gets fined $7500 for reporting a freaking vulnerability... Jesus. They act like he published the info online and didn't save their butt.

moonasha

The only thing I learned from this is "See something, shut tf up."

jvsonyt

“A hacker with time on their hands is dangerous”

yeh in 2005ish I knew what Snowden reported. I’ve basically only ever had one job. Go figure. But it was really a bad idea for society to punish me by preventing me from having a job. They really assume that if they destroy your career early in, that you’ll never become anything. They undervalue talent and natural intelligence, thinking that (as it was in earlier decades), if they just prevent you from ever being respected/employed in society then somehow you won’t be intelligent. We have things like github, Wikipedia, free online education…

DavidConnerCodeaholic

Doors and corners, kid. Don't come into the room too fast.

RoamingAdhocrat

Damn Renderman is still kicking, respekt

MadeAnAccountOnlyToReplyToThis

12:59 I think there was a mistake here. The HTML "hacking" case occurred in Missouri, not Mississippi.

MyThreeLivesASMR

Damn the Defcon audience has either gotten super stuffy or (impossible) they fixed the audio finally

MadeAnAccountOnlyToReplyToThis

say nothing to anyone, you will only get yelled at.

Stjaernljus

The problem is stated succinctly at the beginning - the lawyers. The attorneys told the CISO that they HAD to be heavy-handed from the jump, otherwise if it turned out to be a LEGITIMATE THREAT, then they (the government) would be liable. The problem is that attorneys have ZERO CLUE about what constitutes a legitimate threat versus "responsible disclosure." Hence the talk. Bottom line, educate the attorneys (and their minders) to recognize the difference between responsible disclosure and "Yuri the Ransomware Czar."

GregoryMacPherson

5 minutes of "wow I'm so great"

Cyber-IoT-bhqv