Damned if you do - The risks of pointing out the emperor is buck naked

Presented at DEF CON 31 (2023), Aug. 10, 2023, 1:30 p.m. (45 minutes)

Post 9/11, the phrase “If you see something, say something” became ubiquitous. If you saw something of concern, better to report something that was nothing than let something bad happen. Problem is, no one let the authorities know that they should apply this to the online realm too. Threats of arrest and criminal investigations have the opposite effect and chill anyone from wanting to report security vulnerabilities that affect everyone. Lack of clear reporting paths, misunderstandings, jurisdiction issues, superseding laws, and good old fashioned egos can make trying to do the right thing turn into a nightmare that can cost livelihoods, reputation, criminal charges and even worse, particularly when government systems are involved. This talk will cover the presenters personal experiences with poorly written or a lack of vulnerability disclosure policies with their governments and what it cost them in trying to make things better. The presentation will then move to a discussion about what should be done and what is being done to make sure that reporting a vulnerability doesn’t cost you everything. Anyone who is responsible for writing such disclosure policies or legislation will benefit, but so will any hackers that want to make it safer to report issues they find by advocating for changes. REFERENCES: - No references cited formally. Law excerpts will be noted in slides where relevant.

Presenters:

• Thomas Dang - Cybersecurity Architect at Yukon Territorial Government
  Thomas Dang was (until May 2023) a politician in the Alberta Legislature. The youngest MLA ever elected, he was pursuing a Computing Science degree before his first term. As an MLA, he served various roles including Deputy House Leader and on various legislative committees. While elected, he continued following his passion in Cybersecurity including certifications along with his university education. In an attempt to recover from politics, he’s spending his time hanging out at DEF CON and has a day job as the Cybersecurity Architect for the Yukon Territorial Government.
• Brad Haines / RenderMan - His Holiness, Pope of the Church of Wifi   as RenderMan
  The man in the black hat with a monkey on his belt and a suitcase of sex toys. Pope of the Church of Wifi. Don of Dongs at the Internet of Dongs project. Hacking random things for 25+ years. Usually referred to as “oh, that guy” around Defcon.

Links:

• https://forum.defcon.org/node/246099

Similar Presentations:

• DerbyCon 8.0 Evolution (2018) / Hey! I found a vulnerability – now what?
• Kiwicon 9: Cyberwar Is Hell (2015) / A Bitter Story of Aftermarket Vehicle Tracking & Control
• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10