
Hi everyone, my name is Chloé Messdaghi, and today we're going to talk about hacker rights. I first want to give a big thank you to BSides Boston for having me keynote. It is such an honor to be virtually there and to be able to present this talk that goes right to my heart, and I hope it helps you during this time. So I'm going to share my screen, and I will turn off my camera at some point. I should let you guys know ahead of time, because I have to read word by word, verbatim, when it starts going into legality issues, and the reason for that is that I'm not an attorney and I did not memorize everything. So yeah, anyway, let's go into this.

Welcome to Hacker Rights, BSides Boston attendees. So first I want to say that this talk is completely dedicated to all the hackers who've been scared to disclose, to all the hackers who've been prosecuted for trying to do something good or doing their job, and to all the people who are in the fight to bring rights for hackers.

If you don't know who I am, my name is Chloé Messdaghi once again, and I'm an infosec advocate and activist. I'm also VP of Strategy over at Point3 Security, and the president and co-founder of WoSEC, which is Women of Security, and the founder of We Are Hackers, also known as Women Hackers back in the day. I'm also a podcaster for ITSPmagazine, The Uncommon Journey with Alyssa Miller and Phil Wylie. I'm also the organizer for the Hacker Book Club, where we basically read a new book every month and we meet every Tuesday at 5 pm Pacific time, and the author does attend. And yes, the books are about people in the hacker community and written by people in the hacker community, and the author attends, and those who are in the books also attend, so it's a great opportunity to be part of it. That's my URL: if you have any questions about who I am, what I do inside and outside of infosec, chances are it is on that URL, and by URL I mean that website. That is my Twitter and Instagram, feel free to follow, my DMs are always open.

So let's dive into the real parts now. First things first, I want to cover the current landscape. I know this is scary, but we're going to go into this together. So first things first: pretty sure Equifax somehow impacted you or someone that you know, but did you know that a hacker warned Equifax six months in advance about the vulnerability that later caused the breach? And this is based on Motherboard and also Equifax's own timeline. But the one thing to note is that we have these cases often where someone does not report the breach, and why is that? Well, first things first, sixty percent of researchers don't report vulnerabilities, and this was a statistic that was discovered by Amit Elazari when she was doing her research around possibly having safe harbor for hackers. Now another statistic that came out was in HackerOne's 2018 Hacker Report: they actually surveyed their hacking community and found that one out of four ethical hackers would not disclose unless they had a VDP in place. Now a VDP is a vulnerability disclosure program. But the one thing to note is that those who did try to notify a company about a possible vulnerability, they usually do this by email or via social media, and the most common one is actually a DM on Twitter. But what happens is that the majority of the time they're frequently ignored or misunderstood, and then it can become something very ugly, which we saw recently with Giggle.

So why are hackers scared? Besides prosecution, looking for contact information and reading policies have been such a burden to report vulnerabilities, because let's be real, none of us are attorneys, we're just having to try to be one at times. We're reading what is okay, what's not okay, and sometimes it takes hours, days and weeks to try to find the right contact information to report a vulnerability. And so even if we are hired as an ethical hacker, we still are scared of being prosecuted. So there's a lot of reasons why we're scared, and one is that there's a missing trust link between us and the organization that we're disclosing to.

And this is one of the cases. This one I tend to use quite often, because it showed a researcher doing everything possible to prevent what actually ended up happening to him. So after DJI, the drone manufacturer, launched a bug bounty program on their own (so once again, this was not done by a bug bounty platform like Bugcrowd, Synack or HackerOne; they decided to do their own), at the very beginning of that, two hackers, Sean and Kevin (and Kevin's in that photo you see there), they saw the scope, and the scope said that the bug bounty program covered all security issues in firmware, applications and servers, including source code leaks and secure workarounds and privacy issues. Now Kevin, he did email them just to reconfirm the scope that was shared, and it took them two weeks to finally confirm. So once it was confirmed, he then submitted a vulnerability. So remember, he didn't exploit, and he was within scope when he found his vulnerability, okay. Now he was provided thirty thousand dollars for the finding; however, the agreement for receiving the funds itself offered no legal protection for him, so instead he walked away from it. But what ended up happening was that DJI was worried that he was going to come after them, or it was going to be a bad PR mess for them, so what they did was they turned around and basically brought a lawsuit to his door claiming he went out of scope, and stated that he broke the CFAA, which is the Computer Fraud and Abuse Act. And in return, the good news is that he kept a paper trail and decided to publish everything, all the communications that they had, on his blog post, and they actually withdrew the lawsuit in return. It's a really good thing to read, because it gives you a good idea why it's so important to keep a paper trail. But also the one thing to note is that in the paper trail itself, the messaging that he had with DJI, there were internal conversations that he could see, because they weren't aware that it was being shown when they emailed him back, and they kept saying that he was a threat, a potential threat, and so that was their reaction. So once again, he was in scope, didn't exploit, but yet he is facing being prosecuted for it.

Another case is with Coalfire. Back in September of 2019, the state of Iowa asked the cyber security firm Coalfire to conduct a penetration test to see if the staff could gain access to sensitive data or equipment. Now the two Coalfire employees found a door to the Dallas courthouse open, and they decided to close the door to see if it would lock, and then attempted it, and the alarm was set off, which is great, right? It works. But what happened was, following the protocol, the employees had to wait for the police to arrive, and they had their paperwork that they were hired to do what they do, and they were told they were going to go. However, one of the sheriffs came up and actually ended up arresting them, and they had to spend a night in jail. The charges were later dropped in January of 2020, but this is just another case where we have some laws in force that don't represent what good hackers do. Instead it puts us in a category that hackers are all terrible things doing criminal activities, so they should all be punished. So it prevents good hacking in the same ways that it prevents bad hacking.

And community-wise, even though it is a scary thing to have a vulnerability disclosure program, for many companies, organizations and governments, they all know that it's a necessity, because people will report it regardless. So having a clear communication channel for someone to disclose something is critical for their own security. And for us, testing them and sharing and disclosing and whatnot, it also puts us in a threatening position, because we don't know how they will react, so having a place to go to is so important. And I know program managers, they're asking to be hacked at times but not badly, and how they can conduct and handle situations when hackers do report something is something that they're still struggling to do to this day. But I know this overall is so scary in general. It's hard to get a hacker, I get it. So here are some pictures of some puppies and a kitty, because you know there are some cat lovers out there.

But why are they scared of us? That's what I want to approach with you: overall we still have this imagery of a dark room, a dark basement, a black hoodie on and a ski mask, and it doesn't really represent who we are at all. And because of that, the thing is, if you type in "criminal hackers" and "ethical hackers" you get these images and it looks exactly the same, because the reality is that the public still sees us the same. Even if you're a hacker or a cyber criminal, you look the same, because you are the same thing. And so these images really do hurt us from getting rights, because society has this false belief of who we are. And it's not just the imagery per se, it's also the language being used by the media, and when I say the media I mean press and marketing. Yes, even in infosec, we have companies in infosec that use the wrong terms and use such dark imagery that doesn't really portray who hackers are, and don't really know who is a hacker, and this still sets us up to having problems when we need to ask for rights. And so it's really important to try to change the terminology being used: if it's a bad actor, use criminal, attacker, cyber criminal, malicious actor instead of using the term hacker when reporting on any breaches or anything that's in a negative light of a hacker. Because to be honest with you, language and imagery really do impact us, because overall it continues to feed the fear of stereotypes and biases that exist because of socially constructed beliefs. And if you don't know what socially constructed beliefs are, it's basically the things around you that have basically internalized, created, basically ideas of how the world works. So say for example you're told at a very young age, indirectly in movies or in comics, that spiders are scary and they're dangerous, so for the rest of your life you're going to be afraid of spiders, because you have internalized this messaging of a socially constructed belief that all spiders are dangerous. But in reality not all spiders are, unless you live in Australia. Let's be real, Australia can be a scary place, we have a lot of scary spiders there.

But I want to dive into fear a little bit more, because it is fear that holds us back as a society from really getting to know one another. So I want to first dive into the amygdala. You probably have heard of this amygdala, but it's a fight versus flight mechanism in your brain. It's completely subconscious; it's programmed basically "who's like me, who's not like me", so anyone who's not like me is stranger danger. And that means if we don't have something in common, I see you as a stranger danger, and so that's the whole thing. So the survival mechanism is always about who's like me, who's not like me, and those not like me are usually things that we have internalized, believed in, socially constructed beliefs about people around us: the way that they look, the way that they dress, all those things, or what jobs they have. Versus who's like me: people that look like you and I, or wear the same clothes, or like the same things, we see them not as threats, we see them as someone who's like us, so we kind of trust them, there's trust already there. Now the thing with the hacker community is that because of this imagery that's being used and the language being used by the media, our public perception of who hackers are is that we're devious people that are somehow criminals. So we're not like them, because they are good citizens, and because they're good citizens they're separated from us, so they categorize us as stranger danger, because they've never met us, or they don't know of our story, they don't know what we do, because they've been socially constructed to believe that hackers are dangerous people. And so that's one thing to remember about this.

Now how the amygdala works is that it then sends a message to your prefrontal cortex to let it know "warning, warning, stranger danger's approaching" or "warning, warning, we need to react right away, get some ideas in your head". Now the thing is, the prefrontal cortex acts like the CEO of your brain, and it basically breaks it down into different ideas of what kind of actions to take next. And so you use logic and reason to basically question the threat and to come up with what is the next step. Once it comes up with the next step, and it's evaluated all the options on the table at that moment, it sends a message back to the amygdala either to relax or take action. And so you might see this when you tell someone who isn't in the hacker community that you're a hacker: "oh yeah, I'm a hacker" or "I work in the hacker community". You might notice that their eyes get a little bit bigger, or their mouth might just drop, or they take a step back, or they try to find a way to get out of having a conversation with you. So that's usually because those are the actions that they took because of the socially constructed beliefs that have been stored in their memory, and the amygdala reacted saying "stranger danger, this is a hacker, a criminal", and your prefrontal cortex is like "okay, I need to react on this, I need to get out of this conversation, I need to do something immediately so I can stay safe and survive afterwards", and then sends the message back to the amygdala saying what action it wants.

Now the thing to note about this is that because it is a completely conscious moment, you're able to actually break it down. So if people knew who hackers are, and the imagery started shifting, the language started shifting, and they heard personal stories of people in the hacker community and how it's impacted them when they try to report something, or how the public views them and how it's hurt them and the community, that changes things. Personal stories change everything. A personal story has so many incredible positive things involved with it: it allows us to question our biases, and allows us to really see the world how it is and understand one another. It provides us with empathy, and to be able to have empathy from the public, the public has to know our stories. They have to know who hackers are and who attackers are, and we need to work with the media to do that.

So overall what I want to remind you is that the public can always question their biases about hackers, and of course they have to be okay with being uncomfortable, because as humans we like to feel comfortable with our thoughts. We don't like to challenge our thoughts sometimes, because we have self-esteem issues sometimes, or it's one of those moments where you want to feel as strong as possible, but when you find that you're wrong it can put you in a very vulnerable position sometimes. So it's really important to be okay with being uncomfortable, to get outside your comfort bubble, because when we go out of our comfort bubble, well, that's what we're asking the public to do too, to understand who we are so we can bring about a change.

Now the reason why it's very important to understand fear and how fear works is that it's this mindset set up by society and the people in the media that's keeping us unsafe and preventing hackers from doing what we do well. And more companies are becoming more open to receiving information on vulnerabilities, but still 94 percent of the Forbes 2000 list still don't have a VDP, and they may come to regret this in the end. But companies are afraid of hackers and don't want to create vulnerability disclosure policies because of this lack of bilateral trust amongst hackers and organizations slash government. It's one of the reasons why in particular 60 percent of us don't report vulnerabilities: because we're scared of outdated laws such as the CFAA and DMCA, and we're going to go into that next, I promise you.

But also one thing to take away is that when I interview attackers about why they shifted over from being a hacker to an attacker, one of the reasons that they said was it wasn't just about the pay, it was also that the public just saw them exactly the same, and they would still have to worry about being prosecuted regardless of whether they were or were not in scope and exploiting. And to them it's like, well, there's no point at this point; if everyone's going to see me as this bad person no matter if I'm doing something good, then I might as well just do it that way, and plus I get paid for it. But you can also see it on the opposite end of the spectrum, from attackers becoming hackers in a sense, because the reason for that was that they were very worried about being prosecuted at some point and it would haunt them. So that's why they basically switched. Or they didn't know that bug bounty or vulnerability disclosure programs actually existed, and when they found out that they did, they realized, "oh wait, I have a place where I can disclose something and have some sort of protection, this is great." And so that's why it's really important to understand that.

I'm going to turn off my camera now, like I promised I said I would. The reason for that is we're going to just dive into some legality things, and I want to make sure that I know word by word what I'm saying, so I make sure that you guys are covered and you understand everything to the fullest detail, because it's important to know your rights and the laws right now.

All right, so let's go into this. So first things first, we're going to dive into the worldwide legislation. And yes, all around the world there are anti-hacking laws, anti-circumvention laws and acceptable use policies, and a lot of it from all those countries has been borrowed from the U.S. So the U.S. kind of started it, and that's why we need to go to the U.S. to change it, so then the other countries follow.

So first things first, I want to dive into the current legislation. So anti-hacking laws in general: it's used when a hacker goes out of scope, and it's usually used to prosecute hackers. But the CFAA, the Computer Fraud and Abuse Act in the U.S., is a cyber security bill that was enacted in 1984 as an amendment to existing computer fraud law which has been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization or in excess of authorization, so remember that. But did you know that what happened was that Ronald Reagan, he watched WarGames, the movie, and he completely freaked out about it, and he pushed for the CFAA to be created and to pass forward and to be made into a law. So because he watched WarGames. He didn't have a conversation with the hackers, of course, right? But it's one of those reasons that we are where we are today, because there was no representation of our community at the table when this was being enacted.

Now anti-circumvention laws, these are also known as copyright laws, but the Digital Millennium Copyright Act, DMCA, is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization, basically right to repair, seeing reverse engineering as a breach of property. Now the thing to know about the DMCA is that there has not been any case of hackers being prosecuted under the DMCA, but it does create a chilling effect, so it's important to take note of it. But the CFAA is the one that we have to be worried about the most.

All right, so acceptable use policy. How many of you guys have ever read your terms and conditions, say for an Apple product? Yeah, I tried, I got bored and I decided to watch a movie instead. But in general they can be so long, too much rubbish, it can confuse anyone, especially if English is not your, let's just say, if you're learning English still, it's going to be hard on you; even if you know English, it's going to be hard for you. It's written for attorneys, by attorneys, for attorneys to understand and to be able to apply it, and this is the reason why it leads to some serious miscommunication issues for hackers in the end.

But overall the main takeaway here is that these laws are completely old and out of date, and obviously they were created out of fear, and we know about fear and how it's done. But it's very clear that there was no empathy in taking the time to understand what is actually needed and why the law should only prosecute malicious actors, criminals, and not good hackers. And this would have been solved a long time ago if they had representation of our community at the table, but once again the stereotypes and the biases towards the hacker community prevented that from occurring. So laws do prevent good hacking the same way that they prevent attackers, and we need good hacking in the end.

But I want to dive into the CFAA, because I hate it, and I think you should too if you don't know about it. The Computer Fraud and Abuse Act, passed in 1984, has grown widely outdated, and it offers prosecutors discretion to threaten huge potential fines and jail sentences for relatively undeserving violations of computer policy. First, as the CFAA was written, it punishes "exceeding authorized access" to a protected computer, a phrase vague enough to inspire some broad interpretations. Another flaw in the CFAA is the redundant provisions that enable a person to be punished multiple times for the same crime. These charges can be stacked one on top of another, resulting in the threat of higher cumulative fines and jail time for the exact same violation. This also allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single solitary act. It also plays a significant role in sentencing: the ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions but were nothing more than multiple convictions for the exact same crime. But most important to know about the CFAA: it gives companies the right to sue us. Hackers have more fear from companies and states than the Justice Department. So the DOJ in general, they have not been going after hackers; they've been supporting the hacker community since 2013 by working with some of our organizations in the hacker community. So please note that the DOJ is not your threat; the real threat is local government and also companies.

But you did probably notice that Aaron Swartz was on there, and the reason I want to bring up Aaron Swartz is because it's important to know of his situation and what occurred, to understand the dangers of the CFAA being used against us. So in 2011, Carmen Ortiz's U.S. Attorney's office charged Swartz with hacking into the MIT computer network to download millions of scholarly articles from JSTOR, an act of civil disobedience meant to protest the restricted access to research funded by taxpayers. For this, the U.S. Attorney brought charges that carried a maximum penalty of 35 years in prison and $1 million in fines. I want to pause there. Do you know, for first degree murder charges the minimum is 25 years in prison, and he was looking at a maximum penalty of 35 years in prison. Overall the thing to take away from here is they were able to charge such a number of years because of the way the CFAA is written, and the issue that has yet to be solved since it was made into a law. Overall, looking at Aaron's situation, he was dealing with a 17-month legal battle, one that had no set trial date and wasn't ending anytime soon, and through Swartz's perspective it must have been so overwhelming. With the future of the legal battle cast into doubt, Swartz unfortunately hanged himself in his apartment on January 11, 2013, and following his death federal prosecutors went on to drop the charges. His family still says to this day that the government's prosecution contributed to his decision to take his own life.

It was because of what happened with Aaron that legislators tried to push forward this thing called Aaron's Law in 2013, and unfortunately it didn't pass, but the reason for that was there were some major lobbyists that basically wanted to make sure that it didn't pass. But Aaron's Law was trying to remove the phrase "exceeds authorized access" and just replace it with "access without authorization", which is defined as to obtain information on a computer that the accessor lacks authorization to obtain by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information. In other words, it would also make sure that there would be no more duplicated charges, which was the case for Aaron. But overall, with improvements to legislation, we can change where we stand today.

But in order to do that we need to dive into three categories, which we've already touched on, because they work together to bring about public change, and in order to have rights for hackers we need to get the public on board. In order to do so we need to dive into these three categories. We need the press to push for the public to become aware; in other words, we need to change the language and imagery of a hacker and start using "cyber criminals" for those who commit unethical hacking, and overall really separate the two. In order to help the press, organizations need to be on board with bilateral trust and having vulnerability disclosure programs; by showing they support hackers, the public changes their view in general. And lastly, to have organizations and public opinion push and motivate Capitol Hill to get on board and update the current legislation that will protect ethical hackers. Overall we need all three to be supporting hacker rights for it to become a reality.

So how do we get there exactly? And yes, my camera's back on because I covered the legality parts. So first things first, these are the five needs, how to get there, and the good news is that I have already listed them for you, so you won't have to do any further research at all. But I do need you, if you want to help me out, that'd be great, because it's going to take us all in the community, as a grassroots effort, to change how things are today.

So first things first, there is this petition that was created back in the last week of February, and this is a petition to show that there is a need for this right now, and it's broken down by hackers, politicians, organizations and the media, to understand that this is what's needed. Everything that I talked about in this talk is in that document itself. So sign it, share it. Anyone can sign it who agrees with it, you don't have to be a hacker to do it. But it's very important that we get the signatures going up, because the more signatures we have, the more convincing it looks to politicians when trying to set up appointments with them. Also check out hackingisnotacrime.org, so once again, hackingisnotacrime.org. It's basically a one-stop shop that I created with Bryan, basically so you can know of all the organizations that are doing everything possible to give you rights, but also to know about what our purpose is and the people that are advocating for rights for us as well. If you want to be an advocate, check out the Action tab on our website; you can actually see what the tenets are, and if you agree with them, we'd love to have you as an advocate too. But it's a one-stop shop for anyone who wants to know about what is happening in the hacker rights world, and you can also follow us on Twitter at @HackNotCrime.

Second step is to let the press know, and how we do that is we fact-check them. We tell the press and remind people there's a difference between a hacker and a criminal: hackers are like locksmiths, criminals are like burglars, or attackers, you say. And that's the thing that they need to know. So any time you see the media portraying hackers in a negative light, remind them politely that there's actually a better term for that, and it's attacker, or cyber criminal, or criminal, or malicious actor. Hackers are good people, we're trying to protect you. And also if they use the imagery of the hooded figure and the dark, dark place, I don't know, a dark, dark room in a dark, dark corner, who knows, anyway, correct them on the imagery too.

Third step: if you work at an organization, or you are basically at a company that's trying to push for hacker rights and want to join the fight, connect us with them, because we need as many companies or organizations to partner with us saying that they stand with the hacker community and that they believe that we should have rights too. Also push for organizations to have disclosure programs. If you work at a company that doesn't have one, look into it; there's a great resource called disclose.io, it's a wonderful place to get started on.

Fourth step: contact your local representatives. You should know who your local representatives are, and chances are you probably don't know, so it's good to know who they are, and update your current legislation as well. Tell them how this is impacting you and your community, and if they can help us out, that'd be great. Don't go out alone; contact myself and we will put you in touch with other groups that have experience in talking to politicians about this subject. Also follow the Van Buren v. United States case, because it is the first time the CFAA is being visited at the Supreme Court, so it's a very big deal for us, and it's this fall.

The last step: support I Am The Cavalry, disclose.io, the CERT Coordination Center, EFF, CTI League. Reach out to them, volunteer your time, donate if you can. These groups are trying to do whatever they can for rights for you and I.

Now the main takeaways: overall we need to push for awareness of ethical hackers, and how we do it is by working together, and here are the things if you want. But most importantly I just want to remind you once again that change starts with you and me. We must not give up, and we must continue to fight for our rights, because it's going to take all of us, or at least a good portion of us, to push for rights and be advocates for each other.

I just want to say thank you again to BSides Boston for having me as your keynote. I am so honored to be here with you guys, and a big shout out to Beau Woods and Harley Geiger for helping me understand a little bit more where we are in this position when it comes to the legality place, and also to Casey Ellis for really providing further insight into disclosure. I'm so thankful for everyone. If you have any questions, I'm here to answer them for you. In the meantime, thank you guys again, and if you're signing off, well, I guess goodbye, and I hope you enjoy the rest of your conference, and I will catch you guys in... I think we're gonna be chatting next. All right, bye Rim.