Arrested for security research?

Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injections that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, lets talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police is trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested for kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?

Share
  • http://www.computerdefense.org Tyler Reguly

    @Aviram

    I think that some of what you are saying is slightly sensationalist… trying to drive more community support based on your comments. Before I say this, don’t take these statements to mean I agree with action, however the truth is slightly more understandable than what you posted.

    Fyodor had SecLists.org shutdown because it held an archive to the MySpace username and password list that was going around. While this is an outrage to people because the list is archived everywhere… Perhaps the MySpace employee who reported the issue was unaware of other archives. I’m also sure that if we were talking about child porn or even phishing, that you would be happy with a 1 minute or 1 hour turn around. Do I agree with it? Nope. Do I understand how it could happen and be an honest mistake? Yeah.

    As for Dmitry Sklyarov, you have again skewed the facts. It wasn’t for “breaking PDF encryption” but rather for selling a program to remove PDF encryption. This was also the first case tried under this portion of the DMCA. In fact once Adobe had all the facts they pulled their support for prosecuting Dmitry and once again turned their focus on his employer. Do I agree with it? Nope.. Do I understand it? Yeah.

    Now that being said, I have a short write-up with a link to a presentation that Dr. Richard Reiner gave at SecTor last year ( http://www.computerdefense.org/2007/11/22/growing-the-security-profession/ ). He discussed a security profession, not unlike lawyers or doctors have with their own set of rules and regulations and their own governing body. You might be interested in reading through it.

  • el pasajero oscuro

    Tyler Reguly you are totally right, furthermore, the problem is not that they can break GSM, because, THC didn’t do *anything* new in the theory field. as you can see:
    http://en.wikipedia.org/wiki/A5/1

    The attacks in real time using a time-memory tradeoff are known singe years (8 years), the real problem is that they naively (or not?!) want to sell it as a service. It’s obvious that as usually they did it for fame, and now they get all excited at THC and live in a movie, saying “see you if they don’t catch me at airport, wow so exciting finally, in my geek life I feel important!”. Just a note: show how to create fake Nike shoes (even if it isn’t your method and it is 8 years old (at least the fact that you can create a fake nike shoes is 8yo)) at a conference and then try to sell them on the interweb (with the conf putting you under the lights, again the *fame* …), you will notice it doesn’t work. Grow up, stop working on old stuff just for FAME and get a real LIFE.

    el pasajero oscuro.

  • http://www.BeyondSecurity.com Aviram

    Tyler, thanks for the comment but I have to disagree.

    I think Fyodor had seclists.org shut down because of who he was. Sure, the myspace list was the trigger, but godaddy would have never dared to shut down securityfocus.com or mcafee.com (or securitydefense.org) if they would have published the list in a mirror archive.

    Dmitry Sklyarov wasn’t arrested for distributing the program – he wasn’t the CEO of the company or a marketing manager. He was the one that actually broke the encryption, and that’s what he talked about in Defcon. There are several password decryption program out there, some are owned by public companies – I have never heard of any of them being legally threatened despite the fact that the US law basically prohibits from selling these types of programs.

    We also have our own experience: we occasionally get the casual DMCA threat mail by a vendor who doesn’t like when the first google hit is a securiteam article about a vulnerability in the product. They back down when they get a mail back from our law firm who is on retainer. I don’t know what a person who is not backed by a commercial company would do in such cases.

    I do agree with many of the points raised by Richard Reiner (in fact, we tried unsuccessfully to establish a security researchers guild. We actually still own the domain name). But that’s not what the post is about – the threat I am worried about is not from inside the profession – it from forces outside the profession that are serious threats.

  • aviram freedom of speech

    Why didn’t you accept my post? Do you think you’re a model of democracy? If so, accept to publish my last comment, or maybe you don’t want to let the public decide about if what I said is right or wrong, you claim yourself judge and in the same time the ‘law’. Pathetic.

  • http://www.computerdefense.org Tyler Reguly

    @Aviram

    I guess we’ll have to disagree on why things happened to both of them.

    That being said, perhaps something is lost by only seeing the PDF of the presentation… but part of what Reiner talked about was that as a recognized “profession”, Security Professionals would answer to their own ethics board on many matters… This is essentially what you want… a governing body that has “some” legal precedence. At least that was how I interpreted it.

  • http://www.BeyondSecurity.com noam

    Editor’s note – we don’t block any comments – even if they are offensive, however our spam filtering had a better idea of what the comment was and classified it as spam.

  • http://www.BeyondSecurity.com Aviram

    Tyler, that last part I certainly agree with. I would very much like to see an organization like that taking form.

    I don’t see how that can happen practically, though – some of the best people I know in our profession will shudder just from the thought of having been ‘certified’ by anyone :-)

  • http://www.computerdefense.org Tyler Reguly

    @Aviram

    That’s the same problem I see with it… The way that IS has worked historically doesn’t mesh well with the idea of a professional body with a governing set of ethics. If the full disclosure debate can’t be settled, how could a whole list of ethical questions.

  • http://www.BeyondSecurity.com Aviram

    Tyler – exactly.

  • Nir Goldshlager

    Tyler you are totally right ,shit law