Personal ethics is not something that changes too dramatically over time. The foundation of our ethics is typically laid as children, with small changes throughout our life. Atypical, then, was a major shift in my personal ethics as it relates to “security research”, aka hacking.
Has your spouse ever told you something a million times, but it didn’t make sense to you? My wife, for years, has been questioning my shady security research practices. Over the last few weeks, starting with John Strand’s talk at Derbycon 2017, I’ve been hearing a recurring theme. This theme has probably been there all along, but I wasn’t listening to it, or to my wife. The theme is, “Did you hack into that? Yes? Did you have permission?”
Ethically (and legally, for that matter), there’s a line between vulnerability hunter and unauthorized computer access. That line, and even the definitions of the terms, is different for everyone. For those of us that literally seem to have vulnerabilities just fall right out in front of us, that line is a bit over towards the dark side, since easy equates to it’s okay in our minds.
Like many honest, well-meaning security researchers, I’ve never received any personal gain from doing security research and reporting vulnerabilities; not a dime. People like me truly feel that by finding these things before the bad guy does, the good guy will be safer. It’s that feeling of discovery, followed by helping make the good guys a little safer, that drives us.
Starting in 2015, soon after leaving the NSA, I became super addicted to security research and started spending a lot of time searching for vulnerabilities and creating/testing attack vectors. In some cases, I would make contact with the potential victim myself, but with many I would report my findings through federal law enforcement.
As an example, one common scenario I exploited frequently was “discovery and verification of a password”. Password compromise is, unfortunately, still a very common attack vector in the absence of, and sometimes in spite of, multi-factor authentication. For those that come across passwords often on paste sites, malware repos, popping bad guy infrastructure, in good guy code, etc., you know this information could give a true evil person access and allow them to do some serious damage. But, the vast majority, depending on source, are stale, or otherwise unusable passwords. There’s only one way I am aware of to know if the password you discovered is valid. Seriously, do you know of another way besides trying it?
I asked a few of my contacts in federal LE, multiple times in fact, questions like, “If I obtain a password (from wherever), is it going too far to ‘verify’ that password?” and “Is verifying a vulnerability, safely, acceptable?” The general, combined guidance was as follows:
With that feedback, I went to town. I began hacking into bad guy infrastructure, typically associated with malware, on a daily basis, and often multiple times per day. I became very good at it, discovered multiple vulnerabilities in well known malware infrastructure, and wrote dozens of automated exploits against bad guy infrastructure. Once I popped a bad guy server, I’d dump everything they had stolen from their victims: passwords, SSH keys, credit card numbers, bitcoins, etc. In addition to sharing this information with LE, I’d frequently provide this information to various intel channels of which I am a member.
I didn’t stop there, though. I was taking it a step further. I’d extract HVTs (high valued targets) from the password dumps, see what bad guy had access to, if anything, and then report my findings to LE. Some of the bigger HVTs that I verified access to include:
Another common thing I would do is connect to an open wifi and run a port scan at every store, restaurant and business I was at. Examples of things I found doing that include:
There are so many other categories of examples I could give, but you get the idea. I was hacking so often, I’d be breaking out of kiosk mode on a touch screen at a theme park while I was there with my family. I was an addict (still am, to be transparent).
Side question (comment below). For those that do/have done this sort of stuff, and then it makes the news, does the news always get the details 100% wrong? If I “know” they are wrong about these “breaches” that I have full perspective on, what would make me think anything else they say is true?
After Derbycon, I spent a considerable amount of time researching the ethics of vulnerability research. On 08 OCT, 3.5 years after he gave it, I watched Kevin Johnson’s talk at https://www.youtube.com/watch?v=skYeNYeVY58.
According to Kevin, even dropping a single quote into a form field is going too far. That one hit me hard, as it is something I do every time I create a new account or leverage a new service for something. I have even used this, during interviews with potential employers, as an example of security research I perform.
Kevin’s talk transformed my personal ethics as it relates to security research. He was the straw that broke the unauthorized-hacking-is-wrong back for me.
I’m not going to lie, I’m having serious struggles right now knowing where to draw that line. Based on the wisdom from Kevin Johnson, and others, I’ve got this far:
I have had the opportunity to discover hundreds of vulnerabilities and weaknesses in the last several years, and in turn, the privilege to help hundreds of businesses mitigate gaps in their systems. Because of my overwhelming desire to see the good guys win and the bad guys lose, the implications of my new self-imposed limitations have me feeling somewhat helpless.
I firmly believe that this ethics change will, in the end, cause more harm than good for the industry as a whole. There are many more bad guys in the world than good guys authorized by company X.
Thanks to Kevin Johnson @secureideas, Mano @manopaul, and @HackFormers for the presentation on the ethics of security research.
What are your thoughts? Do you draw the line somewhere different?