
Cybersecurity Research Consequences

Security research can be a tricky thing. Depending on where you are and what jurisdiction you fall under, the research you conduct may be illegal. That can give companies who are resistant to outside researchers the ammo they need to strong arm research teams. What's the best way forward?


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning, everybody. How are you doing today? On this episode of the show I want to look at some of the legal aspects, or legal consequences, of conducting security research that you might not be aware of. Now, before we go any further, I want to cover two quick things really, really quickly. The first: I'm not a lawyer.

I think I'm up to speed on laws that impact computers and system usage and cybercrime around the world. I covered that in my graduate studies and have stayed up to date ever since, but at the end of the day, I am not a lawyer. The second is that the basis of this topic is coming from a report from a site called secjuice.com.

This is one instance of this report of the story. I haven't seen corroboration, but digging on social media, everything does seem to line up and it seems authentic. But again, I haven't seen that sort of additional corroboration. I haven't dealt with this outlet before, so we'll take everything with a grain of salt and treat all this alleged activity as hypothetical, but that doesn't change the point of what I want to talk to you about on this show.

Now, first the story, and of course I'm going to link to it in the description so you can read it yourself, but it basically goes like this: two enterprising security researchers based in the EU were surfing Shodan, something caught their eye and they dug deeper, and lo and behold, what they find is a network of products from a company called Atrient.

Now, it makes kiosks that are primarily sold to gambling and entertainment physical properties in order to manage loyalty programs, so you can go up and badge in and it says, you know, "Mark, you've got ten thousand fifteen, we'll give you free tickets to the show tonight," or something along those lines. So it tracks a lot of sensitive information, and they're placed throughout physical properties at the client's location. Now the researchers found a whole bunch of wrong.

That's really the best way to put it: information is being transmitted in the clear, they could identify specific kiosks, there appeared to be an API that was writable. There's a whole bunch of security challenges here, and they raised their hand with the vendor and tried to say, hey, we found some of these things, we'd like to responsibly disclose them.

So, as a reminder, responsible disclosure is essentially researchers working with the affected organization on a specific timeline, normally about 90 days, to get the issue resolved before the information goes public. So essentially giving the company time to respond, so that when the information comes out, whether that's in a CVE bulletin, a Common Vulnerabilities and Exposures bulletin, or as a talk, customers and organizations are either already patched or can quickly grab the patch and fix it themselves, so that the disclosure doesn't actually create more harm.

So the researchers tried to get the company's attention. It didn't work, they couldn't get anybody answering, they basically got the cold shoulder. They went as far as leaving a message on an FTP server, so writing a file to the FTP server to get the admins to call them back about the issue. We'll get back to that key point later in this story.

Given the cold shoulder and frustrated trying to do the right thing, and I truly believe they were trying to do the right thing, they reached out to the editor at Secjuice and said, hey, can you help here? They went out on social media, social media posts about it.

The story being written got the attention of the FBI and their fusion unit. The fusion unit is designed specifically for stepping into situations like this, where there are researchers with positive intentions trying to help a company fix their security and the company doesn't want any part of it. Wheels turn, the FBI gets on a call with everybody involved, and it seems like the company's taking it seriously, and they say, hey researchers, let's take this offline so that we can get some legal paperwork behind here and discuss, and maybe some compensation.

So that happens, and from there on out the researchers are thinking, this is great, the security company's doing the right thing, we're going to see some monetary upside, which is great as well. But the company continues to ignore them, gives them the cold shoulder. It ends up in the researchers confronting the company at an event, an alleged assault which may or may not have happened, really depending on your definition of assault.

But again, I wasn't there and a lawyer can speak to it, and now the company is legally threatening action against the researchers. Now, what I want to talk about in this episode, though, is that this is par for the course. This is a risk that a lot of researchers are taking. They are trying to do the right thing.

They're trying to responsibly disclose it, for the most part. We've seen examples where people are not trying to do that and are just trying to gain notoriety, but for the most part, when people are out in the public and are on the white hat side of the equation, they're trying to do the right thing, or trying to help companies make better products, customers to be protected, and to gain some credibility as a researcher in the industry. The challenge is, unless there's a published bug bounty program laying out permissions,

they may in fact be breaking the law by conducting this type of research. This is why those programs exist, as well as third-party organizations that can help broker that relationship to help ease these legal tensions. And again, not a lawyer, but we're looking at the law in the UK and the Computer Fraud and Abuse Act.

Very similar language that basically says it's illegal to use a computer or a computer system in any unauthorized manner. They don't speak at all to the security of those systems, to research exemptions, to educational exemptions. It's flat-out: you cannot use a computer in a way that's not authorized. Now, authorization, based on case law, is determined by the people who own the system, which is why when you log in you'll see banners in the server responses that say, hey, you need to be an authorized user or an employee of X.

And when you log in, sometimes in Windows you used to get that dialog that's like, this is a government system, blah blah blah. These are all reminders, and more legal than security, to be able to point to and say, hey, you knew what authorized usage was and you went beyond it. It's why we have terms of service, it's why we have end user license agreements, to address this potential misuse. Now, reading through what the researchers did and the information they gathered, it's clear that they went further than just a simple packet to an IP address to see if it was online, like Shodan.

That's right, Shodan pings all these IP addresses and records the banner responses. It's clear that, by their own admission, writing a file to the FTP server, they now had access deeper into the systems, and where that line is from a security researcher perspective is really hard to judge. It's a case-by-case ethical or moral decision of how far you can probe into a system to see if it's vulnerable. But from the law's perspective,

it's crystal clear: unauthorized use is anybody using the system in a way that the company who owns it didn't authorize ahead of time. So if you probe from the outside and then write files to their system, that is, in my opinion, a clear unauthorized use, which is exactly why we have pentesting as a service.

We have pen testing as an industry, and there are clear contracts to identify the people doing the penetration testing, so they don't fall under this exact legal challenge. Because now we have these researchers, who were trying to do the best thing, and that is my belief based on their previous work and based on their responses on social. But what I wanted to highlight, and why I'm making this video, is because of the responses I'm seeing on Twitter in the discussion around this: everybody is siding with the researchers, which I totally get. They're trying to do a good thing and it's easy to vilify corporations, but at the end of the day these researchers might be in serious, significant legal trouble. Just because you found something and say, hey, look, we're trying to help you, doesn't mean somebody needs to receive help. And we're seeing this, unfortunately, decently often, where companies have a negative reaction to this kind of vulnerability disclosure, because when you take a minute and put yourself in the company's perspective, you see why.

This is a danger to their business model. They are selling to some very risk-averse and security-aware customers, and from the report I believe they've done a crap job of it, right? It is an absolute house of cards that can just be poked over and everything falls to pieces, because I'm sure the casinos do not want to explain to their customers why their private activity is being broadcast over the internet in the clear.

So this is a fundamental risk to the business model. Here come these two unknown researchers who say, hey, we have good intentions, trust us, here's everything that's wrong with your business. And if it leaks it could be absolutely catastrophic. Of course the business is going to be very, very defensive.

It's rare that a company's culture would allow the fortitude to say, whoa, you're right, let's do the right thing here. They're going to want to try to silence it. Hopefully they silence it with, like, we'll pay you some money, we'll sign some legal paperwork so that you can't go speak about this, and not come back and attack. But it is a risk, and that's what I wanted to raise.

It's that, based on the letter of the law, this could be a risk for security researchers. So even though they're in the EU, this company is based in the States, and US law is pretty darn clear. We've seen some absolutely horrendous consequences based on it, but the law's the law until it changes.

This is what we have to deal with, and how to change that is a whole other thing. I wanted to create this video based on this event. It really did get this discussion going, and I think it's been a massive stride, but I think we need to keep talking about it, especially with conference season starting up again.

I'd love to see this as a regular topic of discussion, and saying that, let's get it kicked off. Hit me up online at @marknca, in the comments down below, and as always by email, mark@markn.ca. Tell me what you think. What are your experiences? What do you think of this issue? Let's keep this discussion going.

Let's take it to the next level and let's try to get research going in a much smoother manner for everybody involved, and help raise everybody up by sharing our knowledge. So have a fantastic day and we'll see you on the show.
