
Hi everyone, thank you for coming, and good morning. It's great to be here. Actually, I grew up... well, not grew up, but I did live in Everett for a bit, so it's good to be back in the UK. So we're going to cover a little bit about UK laws currently, and then a little bit on US laws. Any US people in here? Raise your hands. Okay, I'm going to touch on that very shortly. Then, how many of you guys are actually hackers yourselves? Sweet. How many of you guys are program managers? Okay, this is great for me. So, just a disclaimer: I am NOT an attorney at all. I was thinking about going to law school; I was looking at Cambridge, Oxford, and then I was like, no, you know what, I don't think law school is for me. So anything I give you is not advice at all; it's just me sharing a little bit of research.

So I'm a security researcher advocate at Bugcrowd. I co-founded Women in Security, WoSEC; we have chapters all over the world and we're looking to build them out also in the UK, so any ladies in here who are interested, connect with me. I do mentor women to stay in InfoSec and also to get them trained on Burp Suite so they can start hacking themselves. I do speak on diversity, inclusion and bug bounty, and I'm a board member for nonprofits, creator of Women Hackers, the Slack, so ladies that are hackers, message me, I'll add you on to the women's Slack channel. Drop Labels founder, and nonprofit... and most importantly, the one takeaway from this entire slide is this puppy right here. This is Sherlock. Sherlock is not happy in that photo, most likely because she's wearing a diaper. She is a Shiba Inu; if anyone knows what a Shiba Inu is like, it's a cat, it's literally a cat-dog that acts like a fox sometimes.

So let's touch a little bit on the current landscape in the UK. So one thing is, it's interesting, there has been a significant drop of cases; however, there has also been evidence that shows that there was an increase by 1.7 million cyber-related crimes in the same period, which is very interesting. But the one thing that I have noticed in the research is that the language that the UK has when it comes to talking about hackers is quite negative; it's already assuming that you are a bad person, which is probably not a good thing to state. But also, not just that, in almost every written document it is always using "he" and not "she" or "they" either, so it's a very one-way way of looking at things. But the most important thing is that when you do switch it around by putting "ethical hacking" in front, or "security researcher", you get a little bit
more positive, just a tad though.

So, 1990, the Computer Misuse Act. How many of you guys are aware of this act? Yes, you've read it, that's fantastic. So it was introduced in 1990, of course, but basically it was a way that anyone who gained unauthorized access to a computer, and unauthorized modification of computer files, would be prosecuted. That means even hacking tools or exploits such as those used by legitimate security hackers can also be considered illegal. But I think one of the most important things is this first line right here: "unauthorized access to computer material". Did you know there's actually no solid definition of "computer material"? Except that they used this old, old text in 1968 that they still reference to this day. So that's one thing to note: they use something very old. Not just that, but the penalties are pretty clear-cut here, which I was actually surprised by: it could go anywhere from two years to 14 years of being imprisoned. But just to note that there are also three different levels of doing so, and the penalties can range from five thousand pounds to unlimited. That's right, unlimited, people. That's a little scary. However, in 2015 the state police and intelligence personnel realized, oh wait, we're also obligated to follow this, so in 2015 they decided to make an additional change to it that allows them to not have to go by this act. But most importantly is that accidents happen. How many of you guys, when you're hacking or whatnot, go out of scope accidentally at times, right? That's illegal, but apparently it's also... and here it just shows that there is a tricky situation when you want to report a vulnerability, which is very important.

But the good news is that there are some landscape improvements. So in the UK, even though it comes off very negative towards hackers themselves, you have the Data Protection Act 2018, which actually offers protection for those security researchers who do it as their lifetime career, but also gives them kind of more of a right situation. However, once again, it's not always perfect either, so you have been warned. The other thing is the NCSC: the great news is that they do participate in vulnerability disclosure and bug bounty programs, and they're very accurate, when I dived in, on what's in scope, what's out of scope, and the expectations or rewards that you can get. But the most important thing, I think, of all of this is the good communication; they actually will tell you that they will get a hold of you within 90 days or whatnot, so that's pretty good, that's clear-cut. But let's go into post-Brexit... okay, I know it's very scary and everything. Actually, I'm just kidding, I'm not touching that, I'm not touching that at all. Okay, good luck. But let me dive into
some US laws, in case you're doing any vulnerability disclosure and you're on a US company or whatnot. So the CFAA: it was basically the same thing, as in you cannot access this computer without authorization or you will be prosecuted. Now, the interesting fact is this was created in 1984 after Ronald Reagan watched WarGames. That's right, so it was created... fantastic president. So that's something to keep in mind. The DMCA, which is the Digital Millennium Copyright Act, is the way that you do not have, quote unquote, the right to repair, so that's one thing to note: you could be violating it in many ways, so reverse engineering is seen as a breach of property to some companies as well. So that's another interesting fact. Last but not least, does anyone know when the first bug bounty was ever found or created? Anyone? 1995, Netscape.

So I mean, overall, we use security researchers to find vulnerabilities for us, but also... you can also say hackers, whatever definition you want to use on that front... they are always looking for vulnerabilities, and yes, program managers are very scared sometimes, to be like, I don't know if I want to do this or not, I don't want to put my contact info there, I don't want a policy, terms and conditions, because that's setting me up to have a situation. But to be honest, they also know that it's necessary, so it's on both sides, from the security researcher's side to the program manager's side, and everyone's kind of a bit scared. And I know this is a scary subject, so here are some pictures, mostly of puppies. But, you know, don't worry, I did practice inclusion in the slide for cat lovers; can anyone see the cat? There's a cat right there.

So what do we need? Perhaps better sleep, better communication, standardized language... oh yeah, we're getting to that point... another Red Bull. But really, what do we need? We need standardized, easily readable language so everyone can be on the same page when it comes to communicating with each other, and that's also a good way to start incorporating security researchers to be able to do the good work that they do as everyday heroes; also reducing ambiguity around potential conflicts between any existing terms and those specific to security research, and increased visibility for security research programs that include an explicit safe harbor status.

Let's dive into disclose.io. So disclose.io is a project that is run by the hacking community and program managers. There's two parts of it that I'm going to touch on shortly, but in case I forget, I do have a bunch of these stickers, so if you guys want to help pass it on, I have a lot of stickers if you guys want them. So, a quick summary: disclose.io, the
realization is that we need standardized disclosure language, and the reason for that is so we're all on the same page, especially since many of us around the world don't really use English as our first language, so this isn't an issue. And how many of you guys actually read your terms and conditions if you have an iPhone? Yeah, exactly. So we made sure that it's a little bit shorter, rather than, you know, hundreds of pages, but also that we can understand it; we don't need a lawyer to interpret what is going to happen, even though it's very ambiguous most of the time. So disclose.io came about because companies want to start practicing safe harbor, but also we have a bilateral trust agreement with the hacking community. And it's broken down into two parts, like I mentioned earlier: there's the list, which I call my hacker list, of companies that practice safe harbor or partial safe harbor; and also, basically, terms and conditions that companies can adopt and bring onto their own terms and conditions page, that are simple and easy to read so everyone's on the same page. And that's the most important thing: that we need to work together as a community so everyone feels protected, but not just that, but everyone understands everything. So everyone in this room, if you want to participate, there's an easy way to do it and I'll go into that a little bit closer, but also we're looking for people that are in the legal field. Any people in the legal field here? Yes, I like you back there, we should chat afterwards, because believe it or not, we're going to try to bring disclose.io to the UK as well.

So I'm going to quickly go over what is safe harbor versus partial, in case some people are aware. Partial safe harbor are any companies that pretty much participate in any bug bounty or vulnerability disclosure platforms such as Bugcrowd, because they easily define the rewards, how to communicate with the person... how many of you guys have found a vulnerability and then you're looking everywhere to find the contact info? I mean, it is irritating; it's hours and it could be days, and then you're kind of like, you know what, I just give up. So having that is going to be really important, and explicit permission to complete security research on any type of materials and whatnot. So that's really cool, partial safe harbor. But safe harbor as it is, it's not just those three, but also has a disclosure policy, and it could be the ones that we list on disclose.io, but also it's extending it so then if you need to find these vulnerabilities, that you're allowed to do certain things, and it's applicable to federal laws, but also knowing that you won't be prosecuted, and especially if you find something you have escaped... you didn't need to, but it's actually very important to share that you won't be prosecuted for that either. But also being specific on what is in scope is very important.

So the requirements, like I mentioned earlier: if you want to participate as a company, you need to make sure to share your scope, what is in scope, what is out of scope, and be very specific; rewards, what kind is it, is it swag, is it monetary; official communication channel, so does that mean a Slack, does that mean an email, does that mean a Signal message; and what is your disclosure policy, so you need to have a link and share it with us. And the
expectation is that you will extend the vulnerability research that's related to this policy, you'll work to remediate discovered vulnerabilities in a timely manner; that means, yes, someone contacts you, please respond, they're just trying to do their job. I could read the rest of these, but I think you guys can read it for yourselves. Now for hackers yourselves, if you want to participate, you also have to agree on these following things. These are just some of them, but let me just point out that last one right there: please do not engage in extortion. You're not doing us a favor; anytime you do that, you're making us look bad, so please don't do that. Be nice.

And this is the safe harbor language that we usually share when it comes to the US, but because we are working on the UK, it's going to be different; it's going to incorporate your laws as well. We will have a Canadian one releasing in two weeks' time, so that's pretty exciting. So who wants to be on the team? Because it takes all of us to continue this; this is a grassroots effort for all of us to come together. So there's two different ways: safe harbor language, we are looking for people to give legal advice to us while we build out the UK, that's one; the other thing is that you can take this language yourselves and try to bring it to your own company, to have a better idea of what are the next steps if you want to practice safe harbor. Also, everyone hacking, there's a list, and disclose.io actually has a GitHub, and this list basically shares what company, what's the policy URL, and also what kind of rewards to expect, what are you, you know, are you partial, are you full, and most importantly, how do I reach you. So anyone who's ever curious about, well, if I find something, how do I get a hold of them, actually check out this list, because chances are you can actually find them here as well. But any newbie hackers in here, if you want to dive into what companies you can look for vulnerabilities for, I always say go for the safe harbor companies first.

Any questions? Yes?

[Audience question, partly inaudible:] the US we listened, but how does it work if I try to use this as part of our testing? A US company will pay the price daily, which close my concerns that I present my plans? No, you can go to any that disposal in both countries to use it?

Yeah, so usually wherever the headquarters are, those are the laws that they get prosecuted under. However, there is an exception to that: you can still be prosecuted regardless in your own country that you are hacking in. So you... I didn't know that, it could have applied either way, unfortunately. Technically, yes. Or just go on and make sure they have a vulnerability disclosure account on one of the platforms, like Bugcrowd or whatnot, and if they have that listed, then that's really good. And then, anyone in this room, if you are in a situation where you do find a vulnerability that is out of scope and it's a very bad one and you need help with that, feel free to DM me and we can figure out a way how to approach the company, most likely.

Any other questions?

[Audience question, partly inaudible:] you know, with a program...

I can't even hear you there, sorry.

[Audience, partly inaudible:] Russell, you still have a few expiry citizens?

Yeah, yeah, so there are definitely companies that are like, I really don't want to put myself out there for doing the vulnerability disclosure or a program or whatnot, because I'm kind of scared of what will happen: will I be flooded, will I be attacked, will they go out of scope? Tell me these things. And these are all, you know, these are all fears, but to be honest, most evidence has shown that by having one of those you're actually making your company a lot safer. So I mean, there's plenty of articles and research out there that you could always use to share with companies, and I definitely have those in my file, so if you ever need anything, just let me know.