Hanno Böck, 2018
You won't get legal advice from me
Many IT security professionals engage in different ways
(There's an active Zero Day market)
Many people in law enforcement circles think it's legitimate to keep vulnerabilities secret, even though it harms overall security
While I won't use vulnerabilities to attack people technically, I make vulnerabilities public and people who are sloppy with their security won't necessarily like that
Responsible disclosure means to notify a party responsible for a security vulnerability before making it public and give them reasonable time to fix things
Responsible disclosure does not mean waiting for an undefined amount of time until the vendor is "ready"
<script type="text/javascript" src="https://example.org/fancy.js"></script>
Unclear costs, unlimited responsibility for the security of someone who doesn't even want to talk to me
They load Javascript from my subdomain
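The vulnerability in this story is a page that pulls a script from an origin the site owner does not control. The following added example (mine, not the speaker's code) shows how an operator can audit their own HTML for cross-origin script tags and flag those without Subresource Integrity; the sample page, host names and the SRI hash value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect every <script src=...> tag and note its origin and SRI status."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script, nothing to fetch
        # Relative and root-relative URLs have an empty netloc -> first party.
        # Protocol-relative "//host/x.js" and absolute URLs carry the host.
        host = urlparse(src).netloc.lower()
        self.findings.append({
            "src": src,
            "third_party": bool(host) and host != self.page_host,
            "has_sri": "integrity" in attrs,
        })


def audit_scripts(html, page_host):
    parser = ScriptAuditor(page_host.lower())
    parser.feed(html)
    return parser.findings


def risky_scripts(html, page_host):
    """Cross-origin scripts that would run whatever the remote host serves."""
    return [
        f["src"] for f in audit_scripts(html, page_host)
        if f["third_party"] and not f["has_sri"]
    ]


# Constructed sample page; example.org is the placeholder host used on the slide.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src="https://example.org/fancy.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in risky_scripts(SAMPLE_PAGE, "www.example.com"):
        print("cross-origin script without SRI:", src)
```

SRI only pins a script whose content is fixed; when the referenced host is one you no longer control, the right fix is the one the story ends with: remove the reference.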
It took them some time, but eventually they removed the Javascript reference.
Outcome: A security vulnerability was fixed.
Even after this they never contacted me
Given the circumstances I think Yes.
The alternative would've been that someone else would probably have attacked them, likely with malicious intent.
Database with 200,000 addresses from an address change service of the German postal service (Deutsche Post)
Backup of MySQL database is stored on web root with an easily guessable name, everyone can download it
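A site operator can catch this class of mistake before anyone else does by auditing the document root for files that look like database dumps or backups. The following is an added example written for this page, not the speaker's tooling; the file-name patterns and the sample document root are constructed and should be extended for your own environment.

```python
import os
import re
import tempfile

# Constructed patterns for files that look like database dumps or backups.
DUMP_PATTERNS = [
    re.compile(r"\.sql(\.(gz|bz2|xz|zip))?$", re.IGNORECASE),
    re.compile(r"\.(bak|old|orig)$", re.IGNORECASE),
    re.compile(r"(^|[._-])(dump|backup|db)[._-].*\.(tar\.gz|tgz|zip|gz)$",
               re.IGNORECASE),
]


def looks_like_dump(filename):
    return any(p.search(filename) for p in DUMP_PATTERNS)


def find_exposed_dumps(webroot):
    """Walk the document root and return relative paths of files that look like
    database dumps or backups. Everything under the web root is reachable by URL,
    so every hit is a candidate for a public download."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if looks_like_dump(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_demo_webroot():
    """Constructed sample document root used only for the demonstration."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php echo 'hi'; ?>",
        "style.css": "body {}",
        "backup.sql": "-- constructed dump, no real data",
        "db_backup_2017-03-01.tar.gz": "",
        "wp-content/uploads/shop.sql.gz": "",
        "wp-config.php.bak": "",
        "images/logo.png": "",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in find_exposed_dumps(build_demo_webroot()):
        print("exposed:", hit)
```

Besides keeping dumps out of the document root altogether, a web server rule that denies these extensions (for nginx, a `location ~* \.(sql|sql\.gz|bak)$ { deny all; }` block) limits the damage when someone drops a backup in the wrong place.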
I scanned the Alexa Top 1 Million list and found thousands of affected sites
How do you do responsible disclosure for thousands of sites?
Use abuse contacts to reach out to affected sites
Surprisingly many web hosts have abuse contacts that don't work (emails bounce)
Some will just ignore abuse mails
Some will ask you to jump through additional hoops to contact them, e.g. fill out a special form
Very mixed results: Some care, others don't
In the case of the database leak I tried to make sure I contacted all hosts with gigabyte-sized databases manually
Yet some of them are still online
(This was in 2017)
When you have vulnerabilities in thousands of targets there will be targets left vulnerable once you disclose
I have an undisclosed similar case right now, around a quarter fixed, and I don't expect it to get much better
For some severe cases I did a brief check what kind of data there is
In the case of the postal service I counted the number of affected datasets
I deleted all data before I made the incident public, so in case anyone asks me about the data I can truthfully say "I don't have it"
Password reuse is a major and underappreciated problem
This guy knows your Myspace password
But he won't give it to anyone else and he's generally trying to do the right thing
Are you okay with that?
From NIST SP 800-63B: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
(And I think they're right)
Troy Hunt, the guy who knows your Myspace password, provides a list of hashes of breached passwords. If you run a service with user accounts and passwords use it!
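The Pwned Passwords list is queried by SHA-1 hash, and its range API (https://api.pwnedpasswords.com/range/<prefix>) takes only the first five hex characters of the hash and returns every matching suffix with its count, so the full hash never leaves the verifier. The following added example (my code, not Troy Hunt's or the speaker's) implements that verifier-side check offline: the range table is a constructed stand-in for the HTTP response, and the counts and the two neighbouring suffixes are made up for the demonstration.

```python
import hashlib

# Constructed stand-in for the range API: maps a 5-hex-char SHA-1 prefix to the
# text the service would return, one "SUFFIX:COUNT" line per breached hash.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"            # constructed
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"      # "password", constructed count
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"            # constructed
    ),
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range_offline(prefix):
    """Offline replacement for the HTTP call; '' means no breached hash has this prefix."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, lookup_range=lookup_range_offline):
    """How often the password appears in the breach corpus (0 = not found).
    Only the 5-character prefix is sent; the suffix is matched locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(lookup_range(prefix)).get(suffix, 0)


def accept_new_password(password, lookup_range=lookup_range_offline):
    """The SP 800-63B verifier rule: reject anything seen in a breach corpus."""
    return pwned_count(password, lookup_range) == 0


if __name__ == "__main__":
    for candidate in ["password", "abc"]:
        print(candidate, "->", pwned_count(candidate), "accepted:", accept_new_password(candidate))
```

To run this against the live service, replace `lookup_range_offline` with a function that fetches the range URL for the prefix and returns the response body; the parsing and matching stay the same.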
Let's get into ethically even more murky territory
Would it be okay to download all the breaches you can find on the Internet and use it as a Pentesting company? Or for Bug Bounty hunting?
It's not just companies like Myspace or LinkedIn that are getting breached
In 2017, databases from Freedom Hosting II were leaked
Freedom Hosting II was a Dark Net web hoster
Their favorite customers: Web pages for child sexual abuse content
Would you want to have the Freedom Hosting II data on your hard disk?
The Internet of Things means a large number of companies that have no background in software are now software companies
In many IoT devices there's literally no security
In 2016 Mirai was used for a DDoS attack against the web page of the journalist Brian Krebs
He had to take down his web page, because his sponsor Akamai said they couldn't handle it any more
The masses of insecure IoT devices have created a situation where you can hire a service that will take down someone's web page
In other words: IoT threatens freedom of press and freedom of speech
The only protection against DDoS is to have more infrastructure: more servers and better Internet connectivity than your attackers combined
There are very few companies that can handle such attacks, we don't want freedom of speech to depend on their goodwill
IoT vendors don't care, and there's almost no business case for better security
They usually are not even aware of the problem
This is probably the right way to handle this, but things are moving very slowly
California has created a law forbidding default passwords, but that's pretty much the only example of meaningful political action on this topic
BrickerBot was trying to compromise trivially hackable IoT devices and destroy them
This is almost certainly illegal and I wouldn't do it
But I have a hard time condemning actions like BrickerBot
We're in a situation where basic rights (freedom of press/speech) are under threat by an irresponsible industry with little hope for any meaningful improvement
If you know about IT security issues act responsibly and try to do the right thing
It may not always be easy to know what the right thing is