Hacked Opinions: The legalities of hacking – Scot Terban

Researcher Scot Terban talks about hacking regulation and legislation

Researcher Scot Terban, known to many online simply as Dr. Krypt3ia, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.

hacked opinion small Thinkstock

Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.

CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.

What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?

Scot Turban (ST): “CYBER” this is the worst word with the worst connotations within the milieux of information security. Cyber does not exist and it only gives people ideas of flying through crystal palaces like in the movie Hackers.

They have no other conceptions of what the problems are even on a non technical level. Look at these people in Congress today. Watch a hearing on something to do with information security and you will see people who have no concept of basic principles of how computers work. Now think about how they are the ones making the laws concerning aspects of hacking/security they only know about through the word “Cyber” it is maddening.

Let me give you another example. In 1984 the congress saw or heard of the movie “WarGames” they did not understand the technology but then created the Computer Fraud and Abuse Act. [The CFAA is an] outdated law that is still in use and leveraged against would be hackers or security researchers today with punitive actions for things that should not be even considered hacks.

Along this line of thinking I would also cite the conviction and incarceration of Weev [Andrew Auernheimer] for enumerating a page by increasing a number at the end of a URL. The lawmakers do not understand the technology; this is the biggest problem.

What advice would you give to lawmakers considering legislation that would impact security research or development?

ST: I would recommend that they sit with and learn from not only security luminaries (I hate that term) as well as their staffers who really are helping to research and write these bills that become laws. These staffers are younger and likely understand the technology much more than the sitting senator or congressman.

If they had some comprehension of how things work and why perhaps they could define what is right and wrong and then apply the law to that. Instead we have people who are ill equipped to understand what is happening and scared into a corner from tales of terrorism and hacker extortion we see in the news daily.

Learn. Ask questions. Then learn more before you just spew out poor legislation. Oh and certainly don’t just be a beltway security bandit toadies either! You have to understand the motivations of the companies out there lobbying you on these issues.

If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?

ST: If said researcher made a good faith effort of disclosure with the company and can prove it, they are shielded from any and all legal prosecution civil or otherwise.

Now, given what you've said, why is this one line so important to you?

ST: Companies rule the world today. How many talks have been cancelled? How many GeoHot’s are there in the world who have been harangued by legal attacks because a company felt threatened or embarrassed because they failed to listen to the researcher? Work with us, don’t hide from your flaws and then knee-jerk prosecute.

Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?

ST: No. Never. If anything perhaps they should ask the researcher to work with them and to perhaps delay a talk until they in tandem have worked the problem out and remediated it (i.e. re-code or patched).

I think it would be equitable if a company asked me to not write or speak about something until after the fix was in. Unfortunately this is not how it usually happens and we have seen more than a few talks cancelled under threats or worse, one remembers what happened to Dmitry Sklyarov at DEFCON in 2002.

What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?

ST: I believe that threat intelligence is a rubric that needs a lot of work to become actionable for companies to start with.

We need to get what threat intelligence really is, and how to use it, out of the way first. It will take work on the part of the companies to create programs to collect, analyze, and use that data. This is work that we're not seeing done today.

So when you say threat intelligence in my world, you mean threat feeds of data from SIEM/IDS and the like. Add to this certain data on malware C&C’s, and some facts as to how malware works and you have data you can work with to create threat intelligence, post analysis. I won’t go into that any further here, but I think that kind of lays out the problem.

Now, when talking about sharing that data, the model is already out there in the form of the DC3. This is the military government defense base group that shares their intelligence internally between those companies doing business within the DOD space. It is a good thing, and it has gotten much better over the last few years. That data is mostly actionable to a team that can analyze it and apply it to their environment. This however does not really exist outside of the DC3 though and is all secret squirrel.

What I hear being proposed by [President Obama] and others is that we create more sharing on a corporate basis between corporate entities (either within their silo or altogether) on the attacks that are being seen by them. Sharing that data properly between companies like the DC3 model would be good. Sharing that data with government too? Well, that kind of scares me. Why?

Well, let’s just take a peek at OPM shall we? Yeah, I am not so enamored with the idea of sharing my SIEM and other feeds as well as analysis with the government because so far, they have shown that they are unable to really digest and apply any kind of security data to date properly within regular government channels.

On the opposite side of this argument I wonder just how many companies are going to be willing to really pony up to join such an intelligence sharing organization at all. It would mean that someone like Target would have to really be doing the work that the certainly weren’t doing up until recently post their schadenfreude hack experience right?

Can you imagine that Sony would do the same? I think this is a hard sell to most [organizations] because they would have to put in money and time and with that trained [full-time employee's] with experience.

As to the question of what the government should be sharing with us...

Say, how many cleared individuals are there commonly in a regular corporation anyway? The fact of the matter is they won’t share much if it is classified. So it’s kind of a moot point. I think the data flow would be more into them and they would use it for their own purposes.

Join the CSO newsletter!

Error: Please check your email address.

Tags Hacked Opinions

More about CSOElcomQSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place