Ethics Panel

The speaker asked not to publish the slides of their contribution.

The speaker asked not to publish the video of their contribution.

The Ethics of Responsible Disclosure panel at last year’s Defcon left a lot of questions out on the table. In today’s climate of data breaches and information leaks, how do we in the infosec community disclose the vulnerabilities we discover responsibly? Who are we responsible to? Can we set a standard practice that is ethical, fair and effective? Should vulnerability researchers have immunity from repercussions of disclosing vulnerabilities that a vendor is non-responsive? What steps can researchers take to get protection from the coercion that occurs during the disclosure process with a vendor? Join us for a continuation of the discussions started at last year’s Defcon.

Moderator: Bigezy

Panelist: Graeme Neilson, Kai Thompsen, Rodrigo Branco, Mystery Panelist (ask Enno), and Enno Rey

Introductions will be kept to a minimum. Most of the panelist ore well known and for those panelist and moderators that are not as well known I think they would be okay without a lot of attribution anyway. The moderator will kick off the panel by asking open questions that follow up on concepts discussed by the ethics of disclosure panel at Def con. To start the idea that the times have come to consider the idea that it is no longer in the interest of researchers to follow the process widely known as “responsible disclosure.” In deference to Katie’s suggestion at the defcon panel. We will only talk about this process as disclosure. This question will be followed up with the following reasoning, since the market for 0day is matured and nation states are in the business of driving up prices. Isn’t it better just to sell 0day rather than disclose it? Vendors have matured their process to use coercion and threat of legal action to suppress research. (Examples include vendors threating careers of operators of technology and direct threat of prosecution. Anecdotal stories can be spontaneously provided by moderator, audience, or panelist). To keep this discussion fresh and hopefully bring the discussion to an actionable conclusion. The moderator, after letting panelist and audience get their feather ruffled over the topic, propose that researchers need to take a more coercion based approach to disclosure with the goal being to either 1) get paid or 2) get shit fixed. Since we all know that shit ain’t never gonna get fixed we might as well find a way to stay out of jail or be branded a troublemaker in social media. This will lead to a discussion about whether it is ethical to sell but also is it ethical to sell to one side of the conflict or to both sides of the conflict.

About the Speakers

Bigezy

Edmond Rogers ‘bigezy’ - Before joining the University of Illinois Information Trust Institute (ITI) in 2011, Edmond Rogers was actively involved as an industry participant in many research activities in ITI’s TCIPG Center, including work on CyPSA Cyber Physical Situational Awareness, NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Rogers also has developed and delivers customized training on ICS defense at the TCIPG Summer School and to utilities directly. Prior to joining ITI, Rogers was a security analyst for Ameren Services, a Fortune 500 investor-owned utility, where his responsibilities included cyber security and NERC CIP compliance aspects of Ameren’s ICS SCADA network. Before joining Ameren, he was a security manager and network architect for Boston Financial Data Systems (BFDS), a transfer agent for 43% of all mutual funds. He began his career by founding Bluegrass.Net, one of the first Internet service providers in Kentucky. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations. Before that is was the 80’s and Rogers spent this time as a dual major computer engineering and english major. He started his studies at Louisiana State University in 1983. Rogers has spoken across the world regarding defense of critical infrastructure at conferences such as Blackhat, Defcon, BsidesLV, Troopers, BerlinSides, H2HC, 31c0n, Daycon, 617con and he is currently the president of Hackito.