Security researchers participate in conferences such as DefCon to demonstrate the vulnerabilities of products or present new security tools. For example, DefCon is one of the world’s largest hacker conventions, held annually in Las Vegas, Nevada and tens of researchers showcase their work at this conference. Last year in DefCon 2020, researchers presented their recent research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others. However, some of these talks require ethical reflection on the harms of these disclosures.
We present two examples here to compare and consider from an ethical viewpoint.
A. At DefCon 2020, two researchers (Wesley Neelen and Rik van Duijn) at Netherlands-based applied security research company Zolder, showed how they hacked a traffic light management system that is connected to a smartphone app. They talked about how a hacker could remotely control traffic lights. The affected product is used in over 10 municipalities in the Netherlands.
Assume that Wesley and Rik informed these 10 municipalities regarding these issues in the Netherlands, however, only one of them (e.g., Utrecht) took the right action to minimize these risks. Please watch the following YouTube link to get more information about this research talk.
B. At DefCon 2017, two researchers (Josh Schwartz and John Cramb) of Salesforce (i.e., members of the Red Team) aimed to reveal MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction, aimed at reducing the time and energy spent on reconfiguration and rewriting malware. The tool does not launch attacks or exploit systems, but it allows red teamers to control the system once access has been granted. MEATPISTOL was pitched as taking the boring work out of pen-testing to make red teams, including at Salesforce, more efficient and effective. Also, they aimed to make it open-source tool so that other security researchers can improve it. However, an executive at Salesforce told them not to release it as open source because it could be used by hackers for other purposes. Just an hour before they were expected on stage, a Salesforce executive sent a text message to Josh and John for not to give this talk. However, the message was not seen until after the talk had ended. On stage, Schwartz told attendees that he would fight to get the tool published. The two researchers were fired as soon as they got off stage by a senior Salesforce executive. Several security researchers criticized Salesforce following the firing, and the community has since forwarded these two researchers a number of job offers. You can watch their talk from the following link.
Answer the following questions based on these two case studies:
Question 1 Stakeholders and Potential Harms/Benefits (1%):
1.a. Who are the stakeholders whose interests Zolder researchers (Wesley and Rik) needed to consider in giving their DefCon presentation, and what potential harms/benefits to those various stakeholders did they need to consider and weigh?
1.b. Who are the stakeholders whose interests Salesforce researchers (Josh and John) needed to consider in giving their DefCon presentation, and what potential harms/benefits to those various stakeholders did they need to consider and weigh?
Question 2 () Ethical Considerations:
2.a. Do you think the 2020 Wesley & Rik presentation was ethical, all things considered? Why or why not?
2.b. Do you think the 2017 Josh & John presentation (including its planned code release) was ethical, all things considered? Why or why not? Was Salesforce right to block the open-source code release attempt and stop their public talk?
Task 3 Similarities and Differences:
What are the most important ethical similarities and differences between two case studies?
Task 4 (Professional Reputations:
Assume that you are looking to hire a security researcher for your team. Would you prefer the researchers of Zolder or Salesforce? What ethical considerations would need to be evaluated in your decision?
Task 5 (Legal Issues:
What are the relevant laws in Qatar and GCC related to cyber security and what implications would the laws be on the presented cases?