
Good evening and welcome to BSides Las Vegas Common Ground. This talk will be self-introduced by a panel that needs no introduction, but they'll handle it. In the meantime we'd like to thank our sponsors, especially our inner circle sponsors Critical Stack and Valimail, and our stellar sponsors Microsoft, Robinhood and Secure Code Warrior. And without further ado, I will mention these talks are being streamed live, so as a courtesy please turn off your cellphones or silence them. Later on, or during the talk, we're gonna do live questions. Oh yeah, okay, so if you have a question just raise your hand and I'll bring you the microphone. So we're gonna do something a little different today. We
are going to give you a... it's experimental theater and I'm gonna get interrupted non-stop, constantly. It's gonna be like a news discussion show. I'm your very serious anchor and host. And I just want to be explicit upfront: we may say things that we don't personally really believe. Shocking, I know, imagine that on TV. So don't hold anybody accountable to what you hear, and also some things may just be completely incorrect, totally made up. He jumped in 'cause he was worried I was gonna swear. So yeah, the other thing is we totally want audience participation. We want to hear your opinions, your questions, get involved. You are our live studio audience for the recording of
this particular news show, or perhaps you'd like to be a caller; we can have callers, whichever you prefer. So yeah, if you want to speak up at any point... I mean actually, the size of this room, you can probably just shout, but I don't think that's good for the recording, so microphone. So put your hand up and we'll make movie magic. It'll be fantastic. All right, so here we go.
Okay, welcome to our show. Thanks for being our live studio audience.
This is a very special episode of our show. Tonight we're focusing on news headlines, the hardest-hitting headlines on vulnerability disclosure, all the news you wanted to have. We are joined by a regular featured guest, Leonard Bailey of the Department of Justice. He really is from the Department of Justice, so he really is starting on whatever hurts our lives. And we have two first-time guests: we have Mr. Todd Bisbee, security researcher extraordinaire. Thank you. And Mr. Connor Morgan, who represents the voice of Emanuel. Pleasure to be here. Jan, pleasure to be you. Thank you for being a corporate shill. So just before we jump into our show and our main news stories
we're just gonna have a quick word from our sponsor, blockchain. Help us, don't forget blockchain. It's a security software, it's a body spray, it's breath freshener and it's a fire retardant. There really is nothing the blockchain can't do. It's available now in Blu-ray, DVD, a spray and, my favorite, suppository. So what's that first news story for the week? So this seems to be, guys, a story about a researcher who disclosed and asked for a bug bounty. Laudable effort, by the way. From this week's... is that the disclosure, you think? You know, the disclosure, bug bounties? Yeah, for sure, I mean like when I first find things they should say try to make money, right? I'm sorry,
so I'm hearing two very different points of view. So as far as I can tell, shocking, me, as far as I can tell you believe that this researcher is motivated by a desire to do good in the world, is that right? Oh for sure, for sure. Now I mean researchers do good, right, pretty much, yeah. So when... and they work hard, and so for sure they should get paid, but like ultimately their goal is laudable, it's noble, it's a virtuous act. Just... does the requesting of a bug bounty in any way diminish that? Absolutely not. Absolutely. So tell us more about this. You sound like you've had some bad
experiences with researchers. Well, I mean, you know, researchers, you know, some of them are good but most of them are just in it for money, they're extortionists, they just want to get paid whether or not they... Maybe we should keep moving on to just learn more about how far this research goes. Okay, so let's take a quick look at the story, although, Leonard, would you like to say one thing about bug bounties? So the Department of Justice supports vulnerability disclosure policies; we've been so since 2017 explicitly. We also support bug bounty programs. They make it clear what authorization an individual has in interacting with a network, which tends
to remove what you'd possibly get, a CFAA issue. But the one thing that concerns me a little bit is the advent of bug bounty programs may have altered a bit the perception of some researchers, that they're entitled to a payment. 'Entitled' is a very, very important word. Now you can debate whether that should be or not, but the issue of whether one is entitled to payment, owed or entitled, again, that can spill into whether one is threatening in a way that's extortionate to extract payment from a company. And so we'll talk about the language and the care that maybe researchers need to exercise around the issue of how they
discuss payment with a company when they find a vulnerability. And we'll quickly learn how in this exact example somebody is doing everything he just said but from the wrong... that they're trying to extort money out of the company. So sometimes we should, as you suggested, just learn a little bit more about the story. We don't... I mean we can, but we already know. So, I mean, it appears the researcher discovered a bug in the video conferencing software made by Zip. So one thing I'm interested in is, obviously it's not one of the bigger companies; it's a midsize company, maybe even a start-up. Does that mean that we have a
different level of expectation on what there's gonna be? You know, is it fair to expect a midsize company to have a bug bounty? Well, I mean midsize companies are very agile and lean and they can operate pretty quickly, so we'd expect never to see vulnerabilities from them. You know, they're perfect, they can patch things as quickly as they want, they have great practices and processes. That makes Zip the only bad company that has a vulnerability. We said it's a vulnerability, I believe. I think so. Here's two things, right, like so 'midsize' tells me amateur hour, right, like unless you're at Google you don't know what you're doing when it comes to... right, because all the actual
hacks don't happen to big companies, right. So, but you know, like what I believe is happening here is that I will simultaneously argue that they have no idea what they're doing and they should also know better, right. The researchers exactly... they're coming up with vulnerabilities and trying to scare people. I mean, I know, you know, I use it, they're fantastic, never had a problem with anything, right, they care about my privacy, they're perfect. So you still feel confident? Absolutely, absolutely. Yeah, well, I gotta say from our experience we have seen companies on the small side of this. We've had an
incident with researchers and a company that had maybe a few hundred employees or customers. We've also had an incident with a company owned by one of the largest companies in the country. I think there are three conferences in Las Vegas right now premised on the notion that companies of all sizes have problems with vulnerabilities. Yes, unfortunately, over 50... right, software you ship has bugs, period. Now these hackers think they know everything, come on. Okay, so perhaps if we took a look at the... base might help... we look at the email. Drink Jolt Cola. So this researcher goes by the name Byte Lord, exactly. We've got the video with Mr. Byte Lord. Who's Tim, 'cause you know, did you know
okay, and how much do you think this is worth? He's clearly... so this is a prime example of a researcher who is outside the country and we definitely need to go and find him. So how did you come to that conclusion? Because the last sentence is grammatically incorrect, and we take all this training... it's one... no no no, we take all of this training about not clicking on links in email, and they all look exactly like this. This is a phishing expedition, so get your fishing rods out, because that's what they're doing. Is this the kind of email that the Department of Justice would want to investigate? Absolutely. So if there's one
thing I would say to the researchers, it's that one of our challenges is trying to figure out who's a good guy, who's a researcher acting in good faith. That becomes an entry point. So this... and he was actually able... companies are good guys, and the way we're gonna do that, all companies, is looking at all the conduct and trying to discern from that whether this is someone who is engaging in one activity or another. So there's no one thing in this email that's dispositive that says, you know, 'I am threatening you,' and that's one thing that may be lacking in this particular email in terms of it being actionable: a clear, explicit threat
of destruction to a computer, or that's crazy zone insertion for some swordfish, or to basically break into a network, again based on the information they had, which would all be illegal under the Computer Fraud and Abuse Act's extortion provision, 1030(a)(7). Okay, so thank you, thank you, it's nice to get like a single point of view for once. Okay, so perhaps if we learn a little bit more about who our researcher is, Mr. Byte Lord. So he's a part-time... I'd better say, is that a common thing, he's a part-time pentester, is that normal, part-time? Oh for sure, yeah, I mean there's an enormous... there's a preponderance, I'd say, of researchers who
just work on their own time. They, you know, have a love of it, they are puzzle solvers, they're very much into, you know, the intellectual challenge of it. And I would say that a part-time pentester is absolutely... I mean, that sounds legit to me, like someone who's working IT who also likes to, you know, take things apart. So as media, we often hear, you know, quite a sort of stereotype about what a hacker is like, how they behave, perhaps where they live, their parents' basement. Do these stereotypes sort of seem... do they resonate with you? Yeah, but you gotta aim like Byte Lord, I mean, in your part time, I mean,
come on, commit to something already. If you want to be a pentester, commit to it, why are you going part-time here? Well, and it will end well, you know, Bitcoin is going all the researchers buying illicit materials on Silk Road 12 on the dark web, that's just one opinion. So, so, Todd, you're saying that Bitcoin is a very reasonable, common practice on the Internet? Oh, for sure. But it sounds as if you are saying that perhaps this funds crime. Oh, absolutely. Bitcoin is only for this. You view Bitcoin... so yeah, we think of Bitcoin as a legitimate form of currency. That said, as I said, we look at the totality of
circumstances: is someone acting like a good guy or a bad guy? There's nothing illegal about use of Bitcoin, but to the extent that someone is going to measures to conceal their identity, it might be one factor that we weigh. If there were a researcher who came in full-court and said, 'I am, real identity,' it demonstrates they have nothing to hide. Again, I'm not saying that there is anything unlawful about doing this in an anonymous way, but it may play into a larger narrative of whether you are acting in a way that's actually threatening and perhaps illegal. Look, at the end of the day, Mr. Tim here, Mr. Byte Lord,
okay, Mr. Bitcoin, whatever you want to call it, he's fake. You know, he doesn't give you any information, gives you no details whatsoever, says 'pay me in Bitcoin.' Pay you for what? Something you said you found, but you won't tell me what your name is, you can't spell sentences, you make sentences grammatically incorrect. So Todd, as a very seasoned researcher, how could Mr. Byte Lord have gone about this differently? Um, I don't know, like, he could have probably been a little more diplomatic on the whole asking-to-get-paid part, like if he's looking for, you know, a bug bounty, like, I don't know, it feels... don't get me wrong, like, Zip should
absolutely, for the kind of company they are today, Zip should absolutely already have some kind of vulnerability handling, some kind of bug bounty going on. That said, I would have preferred, if it were me, right, like I would provide some kind of proof ahead of time, right, like I want to be able to show some kind of, like, proof of exploit, proof of the vulnerability, some notion of the criticality of it, right. Like, I mean, don't get me wrong, all of us hackers hate CVSS, we all have plenty of things to say about it, but CVSS, of course, is a scoring system used to rate... could you explain for our mainstream audience?
Yes, for our mainstream television audience. But it would have been nice to see a little more detail in the initial contact. Well, I have to say Todd and I are in total agreement here that this researcher was outside their bounds. They shouldn't be messing with things on... they don't have full information, or they're not sharing it, and they want money for something that they didn't even do. So I'm in total agreement with Todd. Thank you for clarifying my points, and I think correctly. This is something that we have advised researchers to do, to the extent that they have this sort of contact with a company and are
suggesting there's a vulnerability: when you get paid for it, it is very helpful to have that transaction in some form. I say this because we have reviewed instances where there's been a report to us of an extortionate threat, and an extortionate threat is really defined by the sort of language of the interaction. It doesn't have to be express. Many people have run into someone who said, 'nice car, be a shame if something happened to it,' and that may be enough based on the surrounding circumstances. But what we're gonna do as prosecutors and investigators is just look at the evidence and try to determine: does it meet the elements of a statute? And so we haven't had instances where there's a difference
of opinion about what happened, how it was said, what the exact words were. And so to the extent that we're gonna have to look at that, a researcher is doing him or herself some service by making sure those words are preserved in some sense. Okay, great. So what do we think, where is this story gonna go? Somebody's gonna end up in jail. I hope he gets... did you say you don't think it's good? I hope he gets paid. Oh, nobody gets paid. And I, just out of interest, what would be a reasonable amount to get paid on something like this? I mean it depends, it depends a ton on the bug, right, like do
we get the details of the bug? Like, you'd like... no, you didn't share anything. He makes a claim where you, like, open your video camera and mic without you knowing, so that's a pretty big deal, right, like that's... and it sounds bad for the kind of customers that Zip has. That sounds like something spooky. I mean, I don't know, I have no idea. This is the thing, like bug bounties are still new enough where we don't... like I don't think there is a normalized set of tiers for this kind of bug. And on this, I think this is one of those areas where the novelty of bounties and
pricing is an interesting X-factor. So in other areas where we think about extortion, one of the elements we may look at is whether you're... exactly, cease and desist. The first step when we look at extortion is whether you've asked for something that... yeah, and then the reason: are they owed compensation for the thing that you've done? And so, you know, that's easy in some contexts. If someone says, you know, essentially, 'I'll watch your car for five hundred dollars in this parking space,' you have some notion that there's something going on in that transaction. This may be a little bit harder here, where you've got maybe not a clear rating structure on exactly how much a
bug is going to be worth, but whether an exorbitant amount is asked may be part of our analysis. And as... I mean from my side, as the Department of Justice clearly just stated, this is an example of extortion and we're gonna have a criminal and a civil angle to this one. I mean, I don't think that's what they said. Just... I think, right, yeah, I think it would be much, much... I mean, that's, you know, I agree with them. So, today, okay, so we're gonna sue them on what angle and we're gonna try to put them in jail. Do we have any questions or calls or comments
from our live studio audience? Anyone on the phone? Oh yeah, okay, we do, excellent, fantastic, the audience is still awake. How can our experts help you? Would it make any difference if the researcher had presented their request in the form of a contract or with legal representation, saying, 'I have X information, what would it be worth to you to disclose some defect in your product'? Oh, that's way worse. I mean, that's just... so you're gonna go find things and expect a consulting agreement? You're gonna find something, you're gonna get a lawsuit on your you-know-what. And then how would Justice view that? Well, as I said, the issue of whether you're
looking like a legitimate researcher or someone who is looking to extort someone... I think, you know, this sort of normalized arrangement, a business arrangement, would seem to suggest a more business-type arrangement rather than something that's criminal. Again, not dispositive; people could still, in the context of this, do something that's extortion, but it's again something that would have to be considered. How would you feel if someone walked up to your car and smashed it with a hammer and said, 'hey, guess what, there's a hole in your car, here's a contract for me to fix it'? Not the same. He didn't write the bug. I think Zip wrote the bug. Don't get me wrong,
like it's not like he walked up to Zip and inserted a bug and said, like, 'hey, let me tell you about...' Well, how do we know? He doesn't ever say anything about the details. He says 'I can turn the camera on.' I can turn my laptop on and my camera turns on, I mean maybe he's talking about that. Perhaps we should leave this story here and move on to our next news story. Okay, so our next story, some nice animation right there. That's our next story. So we have a very large, very household products company... yes. I always say no. The researcher here is totally blowing this out of proportion, it's
not a real risk. That's a little bit... I'm sorry, I really got to jump in here. I mean this might be perhaps a little personal. Look, Ajax is amazing, they're an unbelievable company, they make the best phones on the planet, they protect my privacy better than anyone, and I tell you these researchers are out to get these companies. They care about their name, they care about making money, the notoriety around it, and so they're gonna blow it out of proportion as best they can. Many of them, in fact all of them, are best friends with the media. Oh, that's so... when they find a bug, first person to get the phone, and they call their friends, don't
have... and they say, 'guess what, I think, can you put it on the front page immediately, I'm gonna go present it, I'm gonna go present at DEF CON in two days,' and not tell anybody about it. They blow everything out of proportion. So everything... I think I heard you say hackers don't have PR firms. Does the company have a PR firm? I'd rather not talk about it. Exasperation. Perhaps we should take a little look at the story, a more detailed look at who the researcher is. Does this help us understand a little bit more about this story? I mean, she's biased, she's got a bad history with them, which means she probably doesn't like the products, and is
going ham, you know. You take out of this... I mean, Ajax historically has not been friendly to independent research, has not been friendly to independent bug reports. And so I mean I do think that Jan has kind of bent over backwards here. I mean first up, she's using her real name, everybody knows who she is. She's like 'super hacker X' right now? We don't think 'Jan' is a hacker handle. I'm sorry, no, not very familiar with the like. No, but clearly Jan is not collaborative. I mean it's been five months, it's been... given all the details you need. So, paging... how long is the manufacturer of the phone here supposed to give her to share
that information before they have to move on? You know, just give the information. Five... so five months? We don't consider five months to be a reasonable amount of time. If I should know... I know the information... well, that's why it's taking so long, clearly. I'm sorry, do you guys have knowledge... they have a vulnerability disclosure process, right? So they care about this. They have a security@ address, which is great, which is really good for a company of this size. Their vulnerability handling process is step one, attorneys; step two, PR; there is no step three. Step zero should be engineering, right, like if it
went to an engineering department then this issue would have been resolved in two weeks, I guess. Again, but because of the friction introduced by lawyers and PR people... This brings up another example that we have, a challenge with researchers, is the paranoia, right. Everybody's out to get them, they're scared to share anything, and this is a prime example: she found what she thinks is important and she's paranoid. Sure, I think the evidence supports it. Dear Todd, have another Jolt and go back to your mom's... Leonard here, yeah. Well, in the meantime, two points I'd like to make very quickly. One is the law is a very blunt instrument to deal with
some of this, particularly a criminal provision. You know, in asking a court to get involved in a civil matter you're asking them to play referee in a spat; in asking the government to get involved in a criminal matter you're also asking to sanction someone for whatever they did. And so that's one thing: it's kind of a blunt instrument for something that maybe is a disagreement. The second, though, is we do not bring a lot of cases. This is more likely to be a DMCA issue rather than a CFAA issue, but the numbers are roughly the same for the CFAA. We bring, let's see, it is less than one tenth of a percent of federal cases a year are brought
under the CFAA, so there are very few criminal cases brought under the CFAA. What that means is we triage: we look for the most sort of significant, harmful instances of crime before we bring the case. And so unless your case looks like that, there's a decent chance it's not going to end up, certainly, in a criminal proceeding. The difference, though, is it may still be civilly brought, in that a company does have the ability to bring a suit. So now that's the risk that independent researchers take upon themselves, right, is the risk of litigation over doing what is inarguably the right thing, right: see something, say something. And you know, when they do see something
and then say something, they are inviting litigation, maybe not so much criminally but certainly civilly. Yeah, yeah, but I mean they are not seeing something, they're hacking into something, or trying to. If you see a car and you break the window and get in, implanting my... you can't just say 'I found a bug in your windshield.' But another point too, I mean Leonard, what about the Digital Millennium... that was the Digital Millennium, right, Millennials Copyright, where they've got research exceptions in there, and clearly Jan has violated every single one of those research exceptions because she's not a partner and she's not doing this in good faith. So therefore... it's absolutely good faith, but she shared them five months...
She hasn't given the right information.
Absolutely. So, but the Digital Millennium Copyright Act makes it unlawful to circumvent a technical measure that is intended to protect copyrighted material. Now there are exceptions to a prosecution of a DMCA that are built into the statute, and there are some additional ones that resulted from the triennial DMCA process that occurred last year, which means that there actually are expanded exceptions for researchers under the DMCA. Now there are certain factors to those exceptions. I don't have enough information here to say whether it falls under those exceptions, but again, as I mentioned, we bring precious few criminal DMCA cases. That doesn't mean... still, the DMCA, like the CFAA, has a civil cause of action, so a
company could still decide to bring a DMCA case against Jan. So, I'm sorry, I just sold my Ajax on this. Um, I believe that was your question or comment from our live studio audience. So if you were to take this scenario and flip it and say Jan is actually an employee at Ajax in their application development environment, and also a part of their security team, right, so she found out... everything about this is the same: five months ago she found a bug in the code and someone internally said 'it's not a big deal, we'll push it out anyways.' She decides to go to Black Hat and present on it, never gets fired. How does that change this? Is it a similar
scenario, whistleblower-wise? You mentioned the whole 'security researchers take on a bit of risk by even doing this to begin with, regardless of the intentions.' Does that change if she had worked for Ajax versus it being external? You are fired and you're going to go to jail, and you violated your non-compete, good luck with your one... yep. Is she going to jail? Absolutely, do not pass go. So in that context, I mean, our experience is there's a decent chance we're less likely to hear about that matter, because there would be some employment action that the employer may take. Now they may still report them, you know, as a potential violation of some crime, of some statute, maybe with the DMCA,
but my first answer still holds: we've looked at it to see about the legitimacy of the prosecution, the substantial federal interest in bringing the case, and, you know, some cry out for it. This one feels less like that.
As a follow-up, what statute are you talking about for the CFAA? The Computer Fraud and Abuse Act, that's 18 USC 1030, and that's a criminal statute. It is a criminal statute. In your scenario, though, would Jan have the right to publish the information that her research has developed? So this is unlikely to be a CFAA violation. Under the CFAA, that requires you to access a protected computer without authorization. In this instance, and I'm making some assumptions, but this is a phone that Jan has acquired and is now essentially in possession of and has some authority to interact with. The issue was whether she has the
right to circumvent... she didn't take a lot of measurement, which is a DMCA issue. No, she should not be doing it; when she's done she should pay the price. Sorry, so the bug exists, correct? Yes, yes, the bug exists. So the action is more against the researcher releasing the bug rather than addressing the bug itself? Hey, nobody said there's an actual bug. I mean, I believe that Jan intends to prove it at Black Hat. It says 'disputes importance of bug,' which logically makes it seem like there is a bug. Exactly, because, as we always talk about... but this doesn't lead to my question, though; I do have a question
about that. Okay, my question is that if you have someone who's bringing the bug and the action of the vendor is more about protecting their assets than protecting their customers, regardless of the importance of the bug... if the bug isn't that important, you would think that it would probably be an easy enough fix. So my question is, what difference is it for the researcher who's trying to do this in a legal way versus someone who may be trying to approach it illegally, as in taking advantage of that vulnerability to exploit customers? Well, I mean, in this scenario, you know, this is not a big deal. There's non-big-deal issues everywhere
and they don't all get fixed. Look, I know a little bit about this security stuff and I've heard about things called information disclosure vulnerabilities, which are usually very, very... it was that thing, CVSS 1.0 or something. You're not going to fix all of them. I mean clearly this is like that. So if you're gonna fix every little tiny minutia that you see, you know, companies are gonna lose tons of money. So, but you know, you got to prioritize, and hearing injection can... So the problem with her presenting at Black Hat is that everybody then knows about what you found, and then the fake media is gonna create this and there's gonna be this crazy news
cycle and then that company is gonna be under fire. So yeah, I guess Bloomberg could do that, yeah, there's a lot out there that are, you know, sensationalizing everything. Expect corporate lawsuits if Jan works for GlobalPlex, the major competitor of Ajax. So now you're stepping into a different ballpark of IP theft, which, you know, we're gonna sue that company for everything they got, because they did it, one, because Jan then did it on behalf of that company; she directed her to do it. I'd just like to go back to the prior question to Todd, 'cause it doesn't follow, you know, the point here that if the bug is a minor bug that it's actually a
quick fix, like is that normally the case? Oh boy, severity of the bug rarely has much to do with fixing. But also, like, you can fix anything in three months. Like, I don't care, zero to ten, it doesn't matter; if you put your mind to it you could fix anything in three months. Okay, good. Yeah, to go back to one point, the last caller had a question about whether Jan goes to work for a competitor, and I do think it's an interesting point. That is, let's say Jan was an employee of Ajax and then went to another employer; there would be a whole other set of concerns, which would be about theft of trade secrets, right. We'd have to figure
out whether it was actually a trade secret, but you know, that only underscores the fact that different facts can suddenly shift the legal analysis even on the criminal side. And unusually, we have a question from my cameraman, longtime supporter of the show. So, listening to the last few callers, it seems like it'd be much easier for Jan if she just anonymously publicized. Absolutely, and just walked away from it, 100% easier. So why not? I'm all for it. Like, she's a researcher and she wants the credit for it so she gets the fame. Is that a common thing, that researchers are very interested in...? Some researchers are motivated by prestige, by getting that fame, but many
aren't. Many, like I said before, many are interested only in the intellectual challenge and making people safe and possibly in getting paid, like the prior Byte Lord, Mr. Lord. But Jan's clearly not of that persuasion, I mean where she's... right, so it was like a 7,000 square foot mansion. How do you know? Whoa. Twitter, Knights dogs, Google, I do my research. Yeah, so some researchers, of the kind that will come on news discussion programs, and sure, others on some... Perhaps we should invite her onto the show in the future. Sure, oh, can I participate too? First we'll be talking to the producers about that. So I'm just curious, I haven't heard
the phrase responsible disclosure [Laughter] my hose down my unreasonable speaking request was the lyrics from whatever that stupid pinnacle other song was this is great thank you very much I appreciate it so for this scenario don't use the phrase responsible disclosure and I was curious if the department justice has some guidelines on responsible disclosure and how a researcher should behave so we have not attempted to get mired in what is I understand a decade's long discussion and the argument about that coordinated schools are responsible it's always full disclosure we are interested in making sure that again this is done in a way that doesn't violate the law and the laws that we tend to look at our horizon
fall on issues of things like authority and consent, which is why we like things like VDPs and bug bounty programs, because they iron that out. Now, the question of whether someone coordinates first before disclosing, I can tell you on a policy level that's preferable, all right? We want to make sure that systems are safe and information is not put at risk. Ideally it's polite. But there's, yes, and... but there's a difference between what would be good policy and something that we have a statute that criminalizes. And on its face, we don't have a statute that makes responsible disclosure, coordinated disclosure, or full disclosure... any sort of ruling on that per se. It's about the
other facts surrounding how you do it, what your claim is when you do it, again, whether you make a threat of some sort as you do it. And I mean, at the end of the day, she could have approached this totally differently. You know, I hear that Ajax hires people of this type of skill. Rather than threaten them and expose them at a conference, per se, she should have applied there and tried to work. I mean, they hire people that have her skills, and they reason do have value. Yeah, I mean, they would hire her and they'd have her do, let me see, they'd probably have her do pentesting, they'd probably have her do policy writing,
they'd probably have her secure the infrastructure, they'd probably have her do everything on that cloud environment, they'd probably have her talk to, like, their internal... do training for people inside the company. And the NA, I mean, they pay amazing money. Like, they'd probably pay her about, you know, a hundred thousand dollars to do all of that for the entire company. Maybe, you know, twenty-five percent as a bonus. I mean, the fact remains that she found a bug. She saw something, she said something, and nothing's happened. It's her own thought that that's gonna happen. Oh, and I'd just like a show of hands from our fantastic live studio audience: does five
months seem a reasonable amount of time to you? Yes, super long, in fact. Reasonable? No way, dude, super long, unreasonable. Amazingly long. Okay, and you could triple that and we'd be good. So yes. So where do we think this is gonna go? Do we think that Ajax, now that there has been, you know, major national news coverage, right, that Ajax will patch this issue? I expect a patch in the next 20 hours. Hiring. Oh yeah, because they've been working on one for five months. I'm sure that they will start work now, and they will have... what I expect to hear is a statement from Ajax saying that they take security seriously. Uh-huh. That does
also exact... issue whatsoever. This is somebody with, you know, before, the door. Yeah, yeah. I mean, it's a truthful statement. Because you have some sort of insider information on them? Oh no, no, I just like the products. Yeah, isn't that that new phone that's like... Yep. So our next story is around a researcher... a hundred thousand records? It seems like a lot. Holy cow, that's tons. A million? Okay. If those are health records, that researcher, or researcher-criminal, is gonna pay a hefty fine from the government for breaching all those health records. Well, absolutely. So let's perhaps find out. Didn't write the vuln. Health records? Yeah. Oh, one of
my favorites, the Church of Online Trolls. Oh my gosh, and they're a non-profit. What are you... whom we've had on the show before. Yeah, they're always entertaining. Wow, I mean... wow, they've stooped to new levels here to target nonprofits doing good. Church of Online Trolls. No one's asked them. Does it change the dynamic if it's a non-profit? Oh, absolutely. They don't have any money and they're doing good, they're helping you. Are they? They're doing good. Your information is in this dump, Connor. Look, they break the politically correct barrier, they make sure proper information is disseminated, they don't want to... they cut through all the BS,
so yeah, they're doing good, they're spreading good news, good information. So just on being assertive, it sounds like they have information from all their donors, 300,000 of them, and that's what the researcher's reaction is, right? So does this include... do we believe that this includes financial information? It looks like the story sort of suggests that it does. From what I can tell, it's like first name, last name, address, credit card, kind of... it's the thing, it is the identity kit. And... I mean, good for them. Like, first off, regardless of how I feel about the Church of Online Trolls, this researcher is doing a public service by releasing this
information, by proving the vulnerability, to let the Church of Online Trolls' donor list know what kind of risks they take when they contribute to this particular nonprofit. Well, this is clearly criminal behavior, and I guarantee that the Department of Justice is going to agree with me. I mean, if they broke into a database, they stole the information. For the next... your problem was the researcher hadn't proved anything, and then in this one the researcher proves something and now you have a problem with that? Yes. Okay. Well, not surprising. I have to tell you that we would have to be agnostic on the nature of the organization. They are a victim of crime, so we would look at that
first and foremost. It's not a criminal organization. Well, the church, though, has had some interesting things to say about the Attorney General and the department. They would have to take a number. So it's something we would not care about. If they were the victim of an offense, of an intrusion, the question we would have, I think, at the threshold, would be why they have three hundred thousand records belonging to this organization. That is kind of facially evident. Guess again: the researcher didn't write the vulnerability. They committed a crime by stealing data. But it was the Church of Online Trolls that made it available through their negligence. A violation of... a crime, an offense of a statute, that
is, if they accessed the Church of Online Trolls' server and obtained information without authorization... I'm sure they just used the API as it was written. Then they were in violation. And I'm sure there was a clear disclaimer that says unauthorized access is prohibited. So that is it, this is... I mean, this is cut and dry, Connor. Come on, there's a little bit more about it. Like, let's take a look at... okay, so here's an example of some of the very highbrow work of the Church of Online Trolls. Good job sticking up for yourself. Yeah, I love that, I love that emoji, my corporate comms team uses it a lot. Okay, it's
definitely... um, so yep. So you seemed very certain, Todd, that there was no sort of hard technical hacking going on here. Is it, you know, it was probably pretty... without research area... Are they part of your organization? They're not part of my organization, I'd say. I mean, they've been around, right? Like, I know people who know people. Okay. And yeah, I mean, like, once again, this is hacker blaming, right? Like, this researcher saw something, said something. I mean, sure, maybe three hundred thousand records exposed is a lot, but, like, it's not like he exposed them. They exposed them through the API, and who knows if he's the first. No. Any
of your colleagues, would you condone them doing something like this? I mean, if it gets the message out, and if it fixes the bug... So you're not a security researcher, you're a black hat, you're evil. Absolutely. I mean, in our previous, in our brief examples, in the previous examples, you argued about how, you know, the researcher was acting in good faith and collaborating and sharing the information, and that's what they should do. And in this one they didn't even try. They didn't try. I don't know what brought them to this point of dumping these records. I have to imagine that they came to an
impasse. So in instances like this, where we've asked the question, why do you have a tranche of records, the answer someone will sometimes provide is, we needed a proof of concept. There is no exception in the Computer Fraud and Abuse Act for downloading information to provide a proof of concept, right? Now, I will say, though, that one of the factors we consider when we bring a CFAA prosecution is the degree of harm, the degree of damage. And for example, if a researcher finds a vulnerability and, you know, doesn't take the entire database, finds a way, screenshots something that demonstrates the damage without also violating the privacy of a bunch of customers and a bunch of third parties,
it's a better case for the researcher. We still think there probably is a better way than perhaps breaking into the network and obtaining the information, but there are ways of at least minimizing the harm such that we may have some countervailing considerations when we take a look at what the researcher did and see if that... So how would the department view a thing like this? Obviously you can't comment on open cases, but... Yeah, he's sort of hosed. So they essentially took three hundred thousand records and are now publicizing them. There simply isn't really a case to be made under the statute that this conduct was not a violation of law.
So I mean, again, even if there were some other reason that we didn't bring this case criminally, because of resources or something of that sort, they would certainly face civil liability, and there's a very real chance that they would end up in legal jeopardy. Yeah, I can't imagine that we would be talking about this unless this attacker, what was his name, Sadiq, you know, dropped all these records. So, you know, okay, how much... I am happy to learn that future possible contributors can steer clear of these bad actors. And so perhaps I should ask this live studio audience: who thinks dropping these records is an appropriate
way of getting the word out? Interesting. Who's just terrified to put their hand up because the Department of Justice is in the room? Okay, so do we have any questions or comments from our studio audience? Mister Plug. Hey, so you said, oh, they should try and provide a screenshot, or any way something like this comes up. But if they provide a screenshot, they're gonna have to redact the stuff, then they've already seen it, like, then there already has been a violation, surely. Like, that can't make any difference. And then what if the only way to view the records is to make one API call and that dumps the entire database? I mean, what are they going to do? Can
we just ask the producer to add subtitles when we... when we...
Yeah, so I guess two answers. You're right, there may still be a violation of law, you know, if you're in a position where you are seeing something that you're gonna screenshot as your proof of concept. The point is, as I mentioned, that when we look at a CFAA case, one of the considerations is the degree of damage that's done. If you are, and there's no right that researcher has, going to violate the privacy of three hundred thousand people in addition... While this information may have been insecure on the server... Research, I didn't, has been finally done, privacy with some trolls, finally, on the Friday... See, this is a very passionate topic. It's unclear that we
live in a better world now that this information exists both on an insecure server and with the researcher, right? And so there are ways of going about this that, you'd think, would minimize the likelihood of causing any kind of external, unnecessary damage. As far as there being other techniques for doing this, you know, I guess I would suggest that if there is no other way other than dumping three hundred thousand records, that perhaps that's not the course you need to go. You may need to risk that your company will not believe, based on your representations, that there's a problem, rather than putting yourself in greater jeopardy and putting other people's information at risk, definitely, by dumping that database. Yeah, I mean, next
time, the researcher really should think about, like, that eighty-five-year-old grandmother whose information was taken and now she's lost everything because somebody spoofed her identity and, you know, took all her money. Researchers, they don't think about that. This one only thought about himself or herself. Would it be a violation if they downloaded the records but sent them directly to the church? Or not as many records, but just downloaded a handful of them and sent them to the church as proof, saying that there's a vulnerability? So yes, it probably would still be a technical violation, but again, they took some steps to mitigate the damage, and, you know, that will be
relevant to our prosecutorial decision. I'm not saying that that would be a safe harbor and suddenly you're out of any legal jeopardy, but it would be a relevant consideration. As I said in the beginning, our goal is to try to figure out whether you are someone who is engaged in malicious activity or someone who's actually looking to do some good. There's no simple way of doing that, so we have to look at indications of your behavior, how you, you know, shielded the information you obtained. There are many factors we have to consider, but, you know, in that instance they took some steps to at least mitigate the degree of damage. They helped themselves, they've
reduced the risk, but they're still in jeopardy.
[Music] Does the DOJ have any additional implicit responsibility for the implications of the data being hosted on an .edu domain? It is a good question. I mean, I think in these instances we would reach out and try to secure the information that's out in the wild, right? So we would have the ability to contact the educational institution and say, you've got material on your network, once we had verified that's what's happened. If the company came to us and said, we suffered a breach and this is where our information is, you know, in the course of that investigation we would have to reach out and determine that the information is there. Once we've done that, we would
try to take steps to mitigate the harm. So we would try to get that information offline, off of that. So that sounds... I mean, it does sound a little bit as if the way that this story might go is we might see some sort of legal action brought against this... Certainly. It is [Music] unfortunate. Oh yeah, I don't think that... Oh no, I'm... one... Okay, so I think that probably brings us to the end of our show. It just remains for me to thank Leonard and the rest of our panel, and thank you to our live studio audience.