ethics for security practitioners - ernw
TRANSCRIPT
![Page 2: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/2.jpg)
2
#whoami
o Infosec since 1997, in different roles.
o Some background in security researcho Amongst others, six talks at Black Hat US/EU
(2006–14) plus numerous talks at Trooperso Have been involved in a few high-profile vulnerability
disclosure cases
o Founder of a security research & assessment company in 2001o Established ethics committee in the organization 2012
![Page 3: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/3.jpg)
33
Agenda / Objectives
o Discussion & critical reflection of ethical dilemmata relevant for our work
o Jointly coming up with some general guidelines for certain situations
o Foster individual ability to develop own (ethical) perspective ;-)
![Page 4: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/4.jpg)
4
Where Ethics Affect Our Work As Security Practitioners
o Everywhere ;-)
E.g.
o Vulnerability Research & Disclosure
o Most infosec activities that involve humans
![Page 5: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/5.jpg)
6
Ethics
o The task of practical ethics is to identify moral problems in different target situationso clarify what the stakes are in each case,o conceptually explore possible courses of actions
(considering their most relevant implications)o and justify and suggest what the best course of action is
likely to be.
o Practical ethics suggests what is the right thing to do by appealing to moral reasons.
http://ensr.oii.ox.ac.uk/wp-content/uploads/sites/41/2015/09/ENSR-Oxford-Workshop-report.pdf http://networkedsystemsethics.net/
![Page 6: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/6.jpg)
7
Practical Ethics (2)
o dilemmata (at least in this talk ;-)
o
o The whole thing could be codified in some simple rules.
o
![Page 7: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/7.jpg)
8
Some Approaches
o Consequentialism
o Deontology
o Principlism
o
![Page 8: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/8.jpg)
9
Consequentialism
o The ends justify the means.
o Can justify actions that people typically consider to be morally wrong.
o Problems / critique
o difficulty of predicting consequences
o balancing different categories of consequences
![Page 9: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/9.jpg)
10
Consequentialism Critique in a Nutshell
![Page 10: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/10.jpg)
11
Deontology
o Some choices are morally forbidden irrespective of the good they can create.
o Problems / critique
o might commit one to duties that can have very bad consequences.
![Page 11: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/11.jpg)
12
Principlism
o
at/apply them and perform weighing where needed. Main principles often being
o Autonomy
o Beneficence
o Non-maleficence
o Justice
o Main critique/weakness: real-life applicability.
![Page 12: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/12.jpg)
13
Principlism – Example (fr. Menlo Report)
![Page 13: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/13.jpg)
14
Typical Approach / Questions to Ask
o Recognize/identify the issue
o Get the facts, stakeholders & values that are affected
o Evaluate alternative actionso which option→ most good/least harm?
o to society as a whole?o which option (best) respects rights of stakeholders?o which leads me to act as the person I want to be?
o Evaluate in hindsight
![Page 14: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/14.jpg)
15
To Consider Also & in General
o Power / knowledge imbalance
o The Internet as a sociotechnical systemo
o (Avoid) Setting precedent
o Be careful as for analogies between the physical & digital world.
![Page 15: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/15.jpg)
16
Also To Keep in Mind/To Consider [II]
o Be honest about incentives & (your) agenda
o Discuss question/dilemma with somebody from different background/society context
o
o You will be forced to leave your bubble ;-)
![Page 16: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/16.jpg)
17
Let Me Emphasize
o All this is not an easy task.
o If you reach (or strive for) a conclusion/
o either a strict deontologist (which can be a
deliberate decision) OR
o
![Page 17: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/17.jpg)
18
Case Studies
![Page 18: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/18.jpg)
19
Vulnerabilities in Alarm Systems
o You find vulnerabilities in an alarm system sold from local electronics stores as an OEM product (so you can't even identify the vendor) and which is widely used in your neighborhood.
![Page 19: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/19.jpg)
20
Alarm Systems / Performing the Approach
o Factso Easy (somewhat)
o Valueso Quick recap of value framework of vuln disclosure here
(see also next slide)o BUT: very different stakeholders in this case
o Risks, Benefits, Harmo
o Further reading on this one:o https://www.ernw.de/download/ERNW_Newsletter_50_Vulnerability_Disclosure_Reflections_CaseStudy.pdfo https://www.ernw.de/download/ACM_SigComm_ENSR_Rey_Vulnerability_Disclosure.pdf
![Page 20: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/20.jpg)
21
Vuln Disclosure / Assumptions
https://www.ernw.de/download/ACM_SigComm_ENSR_Rey_Vulnerability_Disclosure.pdf
![Page 21: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/21.jpg)
22
Alarm Systems / What We Did
oin contact with them.o We considered going through a kind-of industry body,
but, at some point, stopped this due to effort.
o We did not publish the 3rd part of the related blogpost series.
o In a nutshell: we did nothing.o As of today: we should have gone through a CERT.
o In hindsight this is highly unsatisfactory. #fail
![Page 22: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/22.jpg)
23
Case Study (II)
o You find a backdoor in a network device which might be actively used by an intelligence agency of a 5-eyes country.
o Disclaimer: due to the complexity of the case some
o Feel free to speculate which ones ;-)
o
![Page 23: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/23.jpg)
24
NW Device with Backdoor / Approach (II)
o At first glance might look like a vuln disclosure case.
o
o
o
o A wholly different context, plus its associated framework of objectives and values, kicks in.
o This makes it easy for consequentialists ;-)
https://www.ernw.de/download/01_04_vulnerability_assessments.pdf
![Page 24: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/24.jpg)
25
NW Device with Backdoor / Approach (III)
o
o Who are the affected stakeholders?o
inhabitants.o
o
o Main point here: make yourself aware of it!
o Valueso What about autonomy?
obroadness of) principlism fails.
![Page 25: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/25.jpg)
26
What We Did
o This was a mere speculative one, for the sake of discussion.
o ;-)
![Page 26: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/26.jpg)
27
Case Study
o You're asked to help with analyzing the logs of a domain controller, with particular focus on one employee, for reasons that remain, say: unclear & dubious to you.
The Lives of Others© Arte
![Page 27: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/27.jpg)
28
Domain Controller Logs / Approach
o Factso Unclear, which in turn contributes to the
overall dilemma.
o Valueso Autonomy?
o Might not apply here as corporate context with contracts & rules which by their very nature restrict autonomy.
o Beneficence
o To organization? To individual?
![Page 28: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/28.jpg)
29
Scoping: Organization vs. Individual
o Again, this is a classical one.
o Humans tend to favor humans.
o
human. But, then again, one has to be aware of this.
La casa de papel© Netflix
![Page 29: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/29.jpg)
30
More on This Scoping Thing
o Internet scanning has the same dilemma
o
o Harm (to): potentially individual people, namely in the age of IoT
o (Principle of) Autonomy is violated.
o Often this is further aggravated by an imbalance re: knowledge & benefits.
o Which in turn can lead to very consequentialist reasoning, with far-fetched arguments as for the (perceived) benefits.
![Page 30: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/30.jpg)
31
Domain Controller Logs What We Did:
o ERNW Ethics Committee decided against performing the project.
OR
![Page 31: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/31.jpg)
32
Case Study Telco Training
o You're asked to perform a training on telco technologies and during the setup it turns out that the participants want to perform it with simultaneous translation into Russian and they are solely interested in interception interfaces & surveillance capabilities.
![Page 32: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/32.jpg)
33
Telco Training / Performing the Approach
o Stakeholders?
o Scope?
o Values?
o Autonomy?
o Benefits?
o
![Page 33: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/33.jpg)
34
Telco Training / What We Did
o We performed the training (as we had already committed this in an early phase. Pacta sunt servanda
o This case was the trigger to implement the Ethics Committee
o Not least to relieve individual employees from responsibility of (ethical) decision takingin their job.
![Page 34: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/34.jpg)
35
Case Study: Development of PoC Code
o You haven't had a lucrative engagement for some months and there's this guy asking you to write some PoC code for a vulnerability of a smartphone OS. His business card tells you he's from a state agency in a country which get's "significant coverage" in Amnesty International's Human Rights report.
![Page 35: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/35.jpg)
36
Development of PoC Code / Some Notes
o This goes to the core the vulnerability/exploit sales discussion.o Which is a huge debate on its own.o Ftr: we @ERNW have a quite deontological stance
o Proof-of-Concept, by its very definition & terminology, can be considered to be an intellectual exercise without real-life context. In reality, here it might be quite the
o Exploit code usually can be considered to create a power imbalance
![Page 36: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/36.jpg)
37
Development of PoC Code / Approach
o Factso Quite important here but might be difficult to gather.o PoCo
o Valueso Autonomy This one probably heavily violated once
PoC leaves PoCo Benefits & Harms
o Government vs. individual humanso
![Page 37: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/37.jpg)
38
What We Did
o Actually this was a case study merging two different projects.
o We decided unanimously, so Ethics Committee against the PoC thing.
o We were ready/open to perform a project of a
![Page 38: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/38.jpg)
39
Conclusions
o Understand that in the space of Ethics there are different approaches & frameworks out thereo Consequentialism which a technical community might
have some initial sympathy for is not a panacea!
o
o Reflect your own agenda!
o Practical ethics is not about simple rules, but about critical thinking.
![Page 39: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/39.jpg)
40
www.ernw.de
www.insinuator.net
Thank You for Your Attention!
@Enno_Insinutator
![Page 40: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/40.jpg)
41
Practical Application
o In research paperso
o Example: http://mkorczynski.com/IMC16Korczynski.pdf
o Research projectso In advance answer questions from
http://networkedsystemsethics.neto Write down the answers!
o If in doubt ask ethics committee.
![Page 41: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/41.jpg)
42
References
o ACM Ethicso https://www.acm.org/about-acm/acm-code-of-
ethics-and-professional-conduct
o FIfF (in German)o https://www.fiff.de/about
o Menlo Reporto http://www.caida.org/publications/papers/2012/m
enlo_report_actual_formatted/menlo_report_actual_formatted.pdf
![Page 42: Ethics for Security Practitioners - ERNW](https://reader030.vdocuments.net/reader030/viewer/2022032602/6236d80b515fa26bb71e6676/html5/thumbnails/42.jpg)
43
Sources
Image Source:
o Icons made by Freepik from www.flaticon.com