
I Went Phishing and Caught a Charge — Maryland Law for Pentesters

BSides Charm · 2017
Duration 57:40 · 19 views · Published 2021-05 · YouTube
About this talk
A comprehensive overview of criminal and civil liability for penetration testers conducting social engineering, physical security assessments, and digital testing. The talk covers Maryland law (with applicability to other states) on trespassing, burglary, unauthorized computer access, wiretapping, and social engineering, then addresses practical advice for responding if law enforcement arrives during an authorized engagement.
Original YouTube description

I Went Phishing and Caught a Charge – Maryland Law for Pentesters

A full penetration test can involve social and physical aspects as well as the expected digital ones. This talk introduces the basics of Maryland law with an eye toward keeping you (and your employees) out of jail. Are lockpicks legal? Can social-engineering your way past security be considered a crime? What limits are there on phishing an employee's personal (BYOD) device? And if the police DO get called, some suggestions are given with regard to how to present your get-out-of-jail letter (B&E permission slip) to the officer. While this talk uses Maryland law as an example, many other states operate off of similar principles. Free-State peculiarities will be noted.

Presenter: Joshua Rosenblatt

Josh is an attorney, law-enforcement officer, and all-around nerd. He is the law instructor for the Baltimore Police Department and as a prosecutor previously served as the Division Chief responsible for founding the Baltimore State's Attorney's Crime-Strategies Unit. Josh also serves as adjunct professor in the University of Baltimore's Forensic Science – High Technology Crime program, teaching criminal and civil liability in the digital world. He thanks the DMCA for YouTube (though that's about it), wonders if the Supreme Court will ever give up waiting for Congress to reform the CFAA, and holds CompTIA Net+ and Sec+ certs. But most of all, Samy is his hero. The opinions and musings expressed in his talks are not a reflection on the Baltimore Police Department, the Mayor and City Council of Baltimore, or anyone else (including, at times, himself).

Transcript [en]

...sick for a while, so I'm just testing my voice. This is like the first time I've spoken all day. Can you guys hear me in the back? All right. Can you guys hear me? Way too loud now. Trying to figure out my distance from the mic on this. Maybe I'll just hide back here, but these fine people still get to hear me. No, I'll try to stay near them. Good.

All right, my name is Josh Rosenblatt. Today's presentation is going to be "I Went Phishing and Caught a Charge." I have a series of about 14 disclaimers, which is how you guys know that I'm an attorney. The first disclaimer is that, turns out, the law is complicated. There's a lot of moving pieces. We're going to hit some of the high points, but that doesn't mean that you're going to leave here knowing the law. So you'll know a little bit, and as they say, a little bit is kind of a dangerous thing.

What we're going to talk about here is Maryland law. I'm going to get into it a little bit in terms of the variation among the states with regard to law, but every state sort of inherited the common law and then just went out on their own after that. So I'm going to be talking specifically about Maryland law, but a lot of these concepts carry over to other states, especially the original colony states.

I work for the Baltimore Police Department. I teach at the University of Baltimore, which means that I'm also beholden to the Mayor and City Council of Baltimore. I do not speak for any of them today, so whatever I say, hold me accountable, that's fine, but none of these fine folks. In addition, like I said before, I've been battling a cold, so I might also be influenced a little bit by things in the pharmacy aisle. The regular pharmacy aisle, nothing over the counter. Should be good, still good to drive.

Who am I? Like I said, my name is Joshua Rosenblatt. I am an attorney. I'm also a sergeant with the Baltimore Police Department. I'm the head of legal instruction; I took over there about a year and a half, two years ago, took over their law program, changed a lot of things. Whole separate talk. In addition to that, I'm also an adjunct at the University of Baltimore. I teach in the digital forensics department, teaching criminal and civil liability specifically with regard to digital crimes. I'm also the former division chief of the Crime Strategies Unit with the Office of the State's Attorney for Baltimore City. So I'm a former prosecutor, current police officer, who is also a former police officer, who's also an adjunct at the University of Baltimore. And mostly I'm a law nerd. I mean, I'm an everything nerd, but specifically I am a law nerd. So we're going to get into it a little bit.

All right, so the whole idea here is I'm going to give kind of a mocked-up situation with regard to a full-scope black-box penetration test, and we're going to talk about what Maryland law might have to do with those things. So let's suppose a situation: you're hired to do a full black-box pen test of a company. We'll call them, creatively, Company X. The contract said full assessment, but there was no set scope. Company employees frequently work from home, and it operates a bring-your-own-device environment. In addition to that, there's also shadow IT: different divisions have their own little setups that they do without talking to the official IT department, and people bring their own devices, not only mobile phones, laptops, things like that, but you also see things like consumer-grade routers, that sort of thing.

Company X is located in an office building. You will find many companies don't actually own the real estate that they exist in, and that's the state with Company X here. We'll call them Landlord L, the person that they rent from. Now, Company X does a lot of business with Baltimore City, so Baltimore City employees are in and out of there all the time. Landlord L has a security guard, but they kind of wave through anyone with a city ID, anyone with a Company X ID, and with a landlord ID, almost anyone with an ID. All right, so that's the situation we're going to work with, and we're going to go ahead and talk about how different aspects of the pen test relate to Maryland law.

So at the beginning we've got the physical assessment. We're going to talk about different criminal entry crimes: criminal trespassing, criminal burglary, going to hit on a couple other different points. We're going to talk about social assessment, social engineering: what aspects of social engineering are actually crimes in Maryland, what do you have to do, what are the limits. We're going to talk about digital assessment. Basically the federal government set up the CFAA, wiretap laws, everything like that; Maryland has also enacted its own local versions of all these different things. And then we're going to talk about, OK, things go wrong, what do I do if the police show up? So we're going to talk a little bit about that sort of thing.

Before we can do that, we have to talk a little bit about the law. You need to understand a couple things before I start heading straight into Maryland law. You have to understand the law in general. So where does the law come from? Well, basically, it turns out on July 5th, 1776, it was not anarchy. People were not free to murder and pillage and everything like that because, you know, "we just got rid of England, now there's no laws." It turns out we just kept all the laws, deleted the parts about the king, and went on. We refer to all that as the common law: the law that we inherited from England.

Now we have different levels to our government. A little 20 seconds of high school civics: we've got the federal level, we've got the state level, we've got the local level. Now, the federal level, it's all statutory. Congress has to make a law for the law to exist. However, once Congress makes that law, it's interpreted all over the country in different ways. If you're in California, the Ninth Circuit tells you what that law means. If you're in Maryland, the Fourth Circuit tells you what that law means. So the exact same law can be interpreted different ways depending on where you are in the country.

Now, the problem with the internet is... let me tell you guys a little bit about the internet. It turns out it's worldwide. One might even say there is a worldwide web. Now, what does that matter? Well, you could be in Maryland accessing a server in Delaware accessing resources in California that are going across the Pacific over into Japan. It's all over the place. So whose law applies? And it turns out pretty much everyone's law applies, and because of that you have to look at all the different points and figure out what the narrowest area to work in is. It's what makes being an attorney in this particular field so very interesting.

Now, Maryland law. Maryland law has that common law I talked about, all those laws we inherited from England; Maryland has, again, just erased the part about the king. We also have statutory law. Every year the fine folks down in Annapolis come up with a new set of laws that they feel like everyone should follow, based largely on what's been in the Baltimore Sun and USA Today. They then go forward and they make laws; they take action to protect all of us. Like I said before, the common law is the laws we inherited from England. That's why you'll find the laws in Maryland, the laws in Virginia, the laws in all the original colonies have a very, very similar base, because they all inherited these common laws from England. In addition to that, you also have your local municipalities, county governments, city governments, things like that, and they all make their own laws.

Now the way it works is that no one can overstep the branch above them, but they can kind of create their own little niches. So let's pretend you've got this guy, let's call him Russell. Now Russell lives in Baltimore. So what laws does Russell have to worry about? Well, at the federal level he has U.S. constitutional law as interpreted by the Supreme Court; narrowed down, he has U.S. constitutional law as interpreted by the Fourth Circuit. He also has U.S. federal law as interpreted by the Supreme Court and the Fourth Circuit. He also has U.S. administrative law, dealing with things like how many pounds per square inch a seat belt has to stop, things like that. You also have state laws: you have state statutory laws, administrative regulations, in addition to case law. And at the local level you have city ordinances, the city statutes; you also have agency regulations. If you want to apply for a permit for something, agency regulations are going to affect that. So that's it, that's all Russell has to worry about, as long as he never leaves Baltimore City. Of course, Russell might have bigger issues, but that's a whole separate talk again.

Fortunately, you may think to yourself, there's so many laws, if only there was one centralized location where I could find them. And it turns out there is. The way the criminal justice system works in Maryland is that everything is screened through what's called a court commissioner. They're the ones that say, OK, this charge is being applied to this person, here's the code we're going to give it; there's a four-digit code that goes with every state law. Well, court commissioners are not attorneys. They are college graduates who have this job. They need a resource to use, and we can take advantage of that. The resource they use is known as the CJIS manual, the Criminal Justice Information System manual. So it's a handy little cheat sheet for all the laws at the state level. It doesn't deal with federal-level laws, it doesn't deal with local laws, only Maryland. And as a cheat sheet, it's, you know, 457 pages, so it's quite a lengthy cheat sheet. But if you want just one central place to go, you can either do a site search of Maryland laws or you can just go to the CJIS manual and see what it has to say about that.

All right, now again, here we're just talking about Maryland law, so I'm limiting the scope to just these 457 pages of summary. Hopefully you guys did your homework, you read this before you came here, so you can know exactly where I am when we get to different points.

All right, first thing I'm going to talk about in terms of the pen test is going to be the physical scope. The physical scope of the pen test. Let's pretend you come home. You go to the store, you go to talk to a neighbor, something like that, you leave your front door wide open, you come home, and this individual is sitting on your couch eating potato chips. Eating his own potato chips, just to make this nice and linear. Has he committed a crime? Has a crime been committed at this point? He invaded the privacy of your home and is munching on potato crisps.

Well, there's two main crimes when it comes to entry: we have trespass and we have burglary. Generally speaking, trespass is being somewhere that you're not supposed to be; burglary generally involves some sort of breaking and entering. In Maryland there are two types of trespassing crimes: there's trespassing on posted property, and there's what's known as wanton trespass, or trespassing after a warning. So posted property is pretty straightforward. If it's posted against trespassing and you trespass, you're guilty. That one's pretty straightforward. That's why you see these signs all over the place that say "Posted, No Trespassing." Obviously the fact that they are posted... never mind, you get it. But these signs must be posted conspicuously. They must be posted in a way that anyone who walks in, their attention would be called to it. That's why they're frequently in this sort of fluorescent orange coloring: it's supposed to draw your attention to it.

Now the other way is wanton trespass, trespassing after warning. That's where you've been told not to be there. Maybe you did something you weren't supposed to do in the dressing room, I don't know. But you are no longer supposed to be in this location. You've been warned not to be in this location by either the owner or an agent of the owner, and you came back anyway. That's what's known as wanton trespass.

Well, let's go back to our friend with the potato crisps. Do we know this guy? Let's say no. So we've never told him not to be there. And do we have a posted "No Trespassing" sign? Most people don't have that in front of their home. So has he committed the crime of trespassing? No.

Let's go to burglary. Let's look at burglary. That's what a burglar looks like. Same hoodie, exact same hoodie; goes home and hacks, exact same thing. All right, so there are four different degrees of burglary, although fourth-degree burglary has three subparts, so pretty much I just refer to this as the six degrees of burglary. You'll notice that most of them involve B&E, breaking and entering. Well, what does that mean? What do you have to do to break into a building? It sounds like you've got to do a lot of stuff: baseball bat to a window, you've got to kick in the door or something like that. Well, the Maryland courts have drawn it way, way, way more narrowly than that, and other common law courts have gone a similar route. All you have to do is displace something. So just the slightest pushing open of a door that's closed, with your little... I forgot which one was the pinky, you use your pinky, just push that door open, and you've now committed a B&E. If you have to move anything to gain access, that is considered breaking and entering.

Now, even if you don't have to move anything to get in, you can still be convicted of burglary. It's also illegal to be on someone's property with the intent to commit theft. So even if you didn't move anything, if you were there to commit a theft, that is also going to be burglary. That's why I specified that our buddy on the couch was eating his own potato chips, because if he came in and ate your potato chips, now he's a burglar. But because he brought his own, he's a very conscientious trespasser. He brought his own and therefore is guilty of no crime. Now you get there and you're like, "Hey, get out." If he doesn't get out, at that point we have a wanton trespass. He's been warned not to be there, he stayed. OK, which doesn't mean he has to, like, cross his fingers, wrinkle his nose and disappear. There's a reasonable period of time to gather up his potato crisps and leave, but he must leave; otherwise he is a trespasser.

Along the lines of the physical scope of a pen test, being on someone's property with the intent to invade their privacy is also a crime in Maryland. Just some of the other things to be aware of.

Now, I get a lot of questions about lockpicks. I have them. I'm sure a bunch of the rest of you... you could probably do a vote, maybe a third of you probably have them on you as well. Are they legal? In the state of Maryland they are legal. The only time they become illegal is when you're using them to commit a theft or a burglary. So as long as you're using them to open locks that you're allowed to open, they are completely legal. It's only when you use them to commit a crime that they become illegal, but by that point you're already committing a crime, so you already have other issues. What counts as a burglar's tool? Pretty much anything that can be used to commit a burglary, and since a burglary has that B&E, pretty much anything that can be used to displace something. Almost anything can become a burglar's tool. You have lockpicks all the way up to a thermal lance; anything could be a burglar's tool if it can be used to commit a burglary.

So what issue are we going to have within our little framework here? Well, Company X is located in an office building owned by someone else. Anytime you're dealing with someone who's renting property, you have to figure out how you're going to get in there without either trespassing or committing a burglary, which means that somewhere along the line someone's going to have to get permission from Landlord L.

Now, are the only two ways to get into a building... breaking in is the only one way to get into a building? I didn't have a second one? I thought I did. Turned out no. All right, is breaking in the only way to get into a building? Absolutely not, absolutely not. We also have social engineering. Well, unfortunately, Maryland's already thought about this. That is the one loophole that we've successfully closed, because there's something called constructive breaking. Constructive breaking and entering occurs where you trick someone into letting you in where they would not otherwise. So if you cleverly can convince someone that you actually belong there, and that's why they let you in, you've still committed a B&E. It's called constructive breaking. Now, does that mean you can never do it? Absolutely not. What it means is you need to have permission. If you trick someone into letting you in somewhere that you are not supposed to go, like for real not supposed to go, it's not within the scope of work, you don't have authorization, you've committed a constructive B&E.

Unauthorized use of IDs. Making fake badges: very popular, easy way to gain entry into especially large buildings, something like that, where people don't really know each other. You can use a corporate ID to go ahead and get in. Unfortunately, once again, under certain circumstances it is illegal in the state of Maryland. Not always, just sometimes. You may not make unauthorized use of an identification badge. So if the company allowed you, if it's within the scope of work to make fake IDs, you're completely fine. But what if you use someone else's ID? What if, for example, in my situation I said that Baltimore City employees frequently go to that location to conduct business and the security guard waves them through. Would it be allowable under this law to make a fake Baltimore City ID? And the answer there would be no. It has to be within the scope of work, has to be within the authorization that you've been given, if you're going to use an unauthorized ID. Now, it's considerably more limited than that. It's limited to making fake state IDs, city IDs, any kind of government IDs: you can't make fake government IDs unless you have authorization. It's also factories, warehouses, plants, mines, quarries, railways or utilities. Those are the other ones that are limited. You also can't fake entry tokens, entry tokens being things like tickets, the little coins, things like that. That's also going to become an issue. Again, I'm just kind of doing broad strokes here. Obviously there's 14 different exceptions to every sub-exception; it gets pretty detailed, but just to give you an idea of laws that are out there.

Fake government-issued ID. It's also, generally speaking, illegal with fraudulent intent to have a fake government-issued ID, regardless of the purpose... I'm sorry, not regardless of the purpose that you're using it for. It is only with fraudulent intent. It's not only with fraudulent intent; you also can't do it to buy alcohol, get away with a crime, get health insurance, things like that. You also can't use it for a variety of reasons. In the realm of pen testing, you may not use it with fraudulent intent. Well, if you've been hired to come in and test security and so you present a fake government ID, that is not going to be that fraudulent intent. Just use your skills for good, don't use your skills for evil; you should be good under this particular law.

You also can't have fraudulent government documents. You can't pretend to be an IRS collection agency hoping that people are going to send you money. That should be pretty intuitive, should make sense. But you also can't fake any government seal in general. You cannot fake a government seal. So if you're going to go ahead and do some social engineering pretending to be a part of the government, make sure you do not fake any government seal, the emblem, the indicia of authority for any government organization, unless again that government organization has approved it.

It is also illegal to knowingly and willfully claim to represent another person without the knowledge and consent of that person with the intent to solicit, request, or take any other action to get personal information. Does that sound kind of like all of social engineering? Kind of. So this law makes it pretty clear: if you don't have permission, don't pretend to be from that agency. But what does that really mean? Well, Maryland law is not very well defined. Fortunately, there have not been a whole ton of pen testers arrested, and the courts haven't had to test these cases. My recommendation would be: don't be the test case. So stay within the scope of your authority. Don't necessarily test the line on that one, because even if you end up vindicated, that means that at some point in time you were criminally charged, had to go through a trial, be criminally convicted, appeal that conviction, wait for the Court of Special Appeals to rule on it. It's a while, it's a burden. I highly recommend not being the test case.

So going back to our setup. An easy thing to do here would be make a fake Baltimore City ID, wear it, walk right in the building, let the security guard wave you through. If you don't have permission, don't do that. If you do not have permission from Baltimore City, do not do that. If it's outside of your scope, you don't have permission, you're going to run into issues with that being a crime. Also, the Company X landlord: if you don't have permission from Landlord L, don't fake IDs. Don't fake things that you don't have permission to do. Don't pick locks that you don't have permission to. You kind of see where this whole talk is going.

Yes, sir? [Audience question:] So if I have permission from Company X and I have permission from the landlord, but I also need permission from the security company? [Answer:] So if the security company has its own independent... generally speaking, you can only give permission that you have. If the security company is just an agent of the landlord, they work for the landlord, they have no independent discretion, they have to do what the landlord says, then if you have the landlord's permission, you're good. Yes. I would recommend avoiding being the test case.

All right, so remember: constructive breaking. Tricking your way in is the equivalent of breaking your way in, although one of them is much more likely to get the cops called if you're discovered. Identification badges: only fake IDs that you have permission to fake. False claims: be careful of who you're claiming to represent. And fraud: don't do it.

All right, going on the digital side. There are three major federal laws that come into play here, and each of them has a state analog, something very similar on the state level. The Computer Fraud and Abuse Act has been broke... I mean, around for a very long time. It was revised in the 80s, 90s; it's been around a long time. Remember what I was saying before about different interpretations by different courts? There are very wide... a very wide range of interpretations when it comes to the CFAA. The CFAA is definitely one of the most hated laws. If you go to the EFF website, they have plenty to say about it. But it also has an analog on the state level, and that's the illegal access act. In addition, you have illegal wiretaps and access to stored communications. Wiretaps tend to be while something's in transit; stored communication is when it's in storage. And there's analogs on the Maryland side as well.

All right, the CFAA has a bunch of different parts to it. The widest part of it is 18 USC 1030(a)(2)(C), which makes it illegal to access a protected computer without authorization, or exceeding your authorization, and thereby obtain protected information. But there's a whole bunch of other stuff in the CFAA as well. It makes it illegal to extort anyone using a computer; traffic in passwords; intentionally, recklessly, or, and this is the danger for pen testers, negligently cause damage. If you're doing a pen test in an area that might be outside of the scope, or maybe you did something that was unexpected and you cause things to crash, that's generally speaking going to be negligent damage, especially, again, if it was outside the scope of what was allowed in your scope of work. Accessing a computer to defraud and obtain value: hopefully that doesn't pertain to anyone in here. Trespassing in a government computer: if you weren't authorized by the government, don't do it. And obtaining national security information: don't do that either.

Like I said, 18 USC 1030(a)(2)(C) is the broadest provision. It is crazy broad, especially depending on where you live in the country. All you have to do is intentionally access a protected computer, and you obtain information, and that's it. So you log into something you're not supposed to log into, or you gain entry to something you're not supposed to gain entry to, you get some information you might not have even been looking for, you're guilty of a federal crime.

What computers are protected on the federal side? You have anything with a financial institution or the U.S. government, also anything used in interstate commerce or communication, or foreign commerce or communication. This is where the category blows up, because the courts have defined interstate commerce or communication as being anything using the internet. I think, as the previous speaker, a bunch of the speakers today and tomorrow and for the foreseeable future... everything is increasingly being connected to the internet. So intentionally accessing anything without authorization, or exceeding your authorization, and getting some kind of information could be considered a federal crime.

Yes, sir? [Audience question:] Does your contract protect you against them? If I go to a client, I say, "Give me your IP addresses you want me to test," and they say 1.2.3.4, and I say, "OK, you want 1.2.3.4?" You say, "Yes." I go halfway through... [Answer:] The question is going to come down to: was it reasonable? Were you, like, willfully negligent... I'm sorry, willfully blind? He was like, "Yeah, it's probably 1.2.3.4," and you were like, "Yeah, OK then," you know, that kind of situation, wink-nod kind of deal, that might get you in trouble. But if it's reasonable for you to think that they know their IP range, which, generally speaking, that is going to be reasonable, yeah, that's going to be OK, because you did not intentionally access a protected computer. That being said, once you find out you're there, yeah, you can't keep poking around. You can't keep poking around.

Did someone else? Yes, sir? [Answer:] So in order to gain access you have to do something that is not open to the public, right? So if something is wide open, just similar to a burglary, right, if something's wide open, you're inviting, you know, anyone can go in and out, that's not a problem. If the password is "password," it may seem like anyone can go in and out, and yeah, practically speaking anyone could, but that's still going to be considered protected. So if there is nothing at all, all you have to do is go to this IP address and bam, there it is, then that's going to be a different thing. Well, then I think you've kind of answered your question, right? Yes?

[Answer:] Yeah, let's say you're doing something on an Amazon web server or something like that. Maybe they'd have some stuff for the Department of Education, they have some stuff for a local company, whatever. Yeah, it's basically, when you access the Department of Education data, right, any part of the server that's used for or by the Department of Education is going to be protected. Or if you accidentally take down the entire server, that's also going to get you. But yeah, the other parts of it are not going to be considered protected.
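The questions above all turn on the same thing: whether the target was inside the authorization the client actually gave, and what you do once you discover you are outside it. One engineering habit that keeps a tester on the right side of that line is to check every candidate target against the written scope before any tool touches it, and to refuse (rather than "keep poking around") anything the scope does not cover. The following is an added example, not part of the talk or the speaker's material; the scope entries and target addresses are constructed sample values from the RFC 5737 and RFC 3849 documentation ranges, and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample scope, as it might appear in a statement of work.
# These are documentation-only addresses (RFC 5737 / RFC 3849), not real targets.
AUTHORIZED_SCOPE = [
    "203.0.113.0/24",   # a whole subnet the client listed
    "198.51.100.10",    # a single host the client listed
    "2001:db8::/32",    # an IPv6 block the client listed
]


def parse_scope(entries):
    """Turn the written scope into ipaddress network objects.

    strict=False tolerates a host bit being set in a CIDR entry; a bare address
    becomes a /32 (or /128) network. An entry that does not parse raises
    ValueError, so a typo in the scope document stops the run instead of
    silently widening or narrowing what gets tested.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def in_scope(target, scope):
    """True only if the target address lies inside one authorized network.

    An IPv6 address is never "in" an IPv4 network and vice versa, so mixed
    scopes are safe to check with a single list.
    """
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in scope)


def filter_targets(targets, scope_entries):
    """Split candidate targets into (allowed, refused).

    Fails closed: anything that does not parse as an address, or parses but is
    not covered by the scope, is refused with a reason so it can be logged and
    raised with the client rather than scanned "just in case".
    """
    scope = parse_scope(scope_entries)
    allowed, refused = [], []
    for target in targets:
        try:
            covered = in_scope(target, scope)
        except ValueError:
            refused.append((target, "invalid address"))
            continue
        if covered:
            allowed.append(target)
        else:
            refused.append((target, "outside authorized scope"))
    return allowed, refused


if __name__ == "__main__":
    # Constructed candidate list: three in scope, one neighbouring subnet the
    # client never mentioned, and one typo (letter O instead of zero).
    candidates = [
        "203.0.113.7",
        "198.51.100.10",
        "2001:db8::1",
        "203.0.114.7",
        "198.51.100.1O",
    ]
    ok, refused = filter_targets(candidates, AUTHORIZED_SCOPE)
    print("allowed:", ok)
    for target, reason in refused:
        print(f"refused: {target} ({reason})")
```

Run it before handing a target list to any scanner; the refused list is what you take back to the client for a written scope amendment. Hostnames are deliberately not accepted here: a name resolves to whatever DNS returns at that moment, so resolve first and then check the resulting addresses against the scope.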

yeah yeah if there's something saying don't go in then yeah you can't go in even if all you have to do is click ok and you're in like even that simple uh act is gonna be enough to get you in trouble yeah all right now what's the difference with the maryland law well on the maryland side it gets writ it takes out that whole pesky protected computer thing so under maryland law it's any computer any computer within the jurisdiction of maryland so instead of that whole financial institution federal government interstate commerce blah blah it's going to be any computer computer network etc uh the way they've defined computer as we'll see in a second is very broad very broad all right so

the most important difference between the federal side and the state side is that you don't have to worry about the "protected computer" thing: it's any computer. It's also really interesting how Maryland has defined "computer." Maryland has defined computer as meaning "an electronic, magnetic, optical, organic, or other data processing device or system that performs logical, arithmetic, memory, or storage functions." I don't necessarily think they thought that one through, because it's entirely possible that screwing with somebody's head is a state crime, illegally accessing a computer. Now, this issue has not been addressed in Maryland: the question of what it means to access a computer. On the Maryland side, it's illegal to intentionally, willfully,

without authorization access, attempt to access, or cause to be accessed a computer. Well, there are two different ways of looking at the word "access." Does access mean actual entry, or does access mean any interaction? Is war dialing access or not? If you're just dialing every phone number in a range, regardless of whether they pick up or not, is that interacting with the computer? Yes. If, let's say, there's a modem on the other side and the modem picks up, that is interacting with that computer, but is it accessing that computer? Different states have gone different ways on this. Different states have gone different ways on this, and Maryland has

not weighed in yet. So even something as simple as a ping scan of an IP range would be interaction with different computers, okay, but it is not entry; it is not access to those computers. So until Maryland comes down one way or the other, again, I would be particularly careful with regard to what it is that you're doing. Yes, sir.

Audience: So how does the second clause, "or attempted access," play into that?

Yeah, I mean, because pings are used for so many other things, it's not as clear-cut that that's what you were trying to do. Now, let's say that you're doing something like a Smurf

attack, some kind of crazy thing where you're just sending things from all over the place to one particular IP. Then yeah, clearly you're attempting to do something to that service. But if it's just a simple ping scan of an IP range, then again it's going to depend on where the courts come down. That would be interaction; that's probably not attempted entry, because that's just not a standard way for entry to be made, unless you have really carefully crafted packets. All right, wiretap is the next big federal law. We think of wiretaps with regard to oral communication a lot, conversations and things

like that. Wiretap also applies to electronic and wire communication. The way the federal government has defined it: oral communication is people talking to each other; wire communication is people talking to each other over the wire; electronic communication is not the other two. So computers talking to each other is going to be electronic communication. The federal Wiretap Act makes it illegal to intercept an electronic communication. "Intercept" means you have to use a device; it means you have to acquire the contents of a communication, the contents itself (we'll get to that in a second); it has to be an electronic communication; and it has to be contemporaneous. Your acquisition has to be

contemporaneous with the transmittal. Now, "contents" of a communication means more than just the header information. Where it is routed to, where it is coming from, is not going to be the contents of the communication; the contents is going to be the actual substance itself. The thing that might not be intuitive about oral communication is that it doesn't apply to things that are in the open. If we are all, let's say, in a shopping mall, a little eatery kind of deal, where there are very clear cameras and things like that, there's no reasonable expectation of privacy. If there's no reasonable expectation of

privacy, there is no wiretap. It's very similar with what the courts have held, the ones who have decided on it, and Maryland once again is not one of them. The courts that have considered the issue have said that Wi-Fi, or any kind of a wireless signal, is the same: if all you have to do is use the protocol to find out what information is being transferred, then that's not going to be considered a wiretap, because you didn't have to do anything other than what anyone could do. If you have to decrypt it, even if it's WEP, even if it's something crazy easy to break, if you have to do anything

to break it, that is going to be considered a wiretap, because there is a reasonable expectation of privacy even if you're using the worst form of encryption possible. I'm not saying WEP is the worst form possible; it's not good, but it's not the worst form possible. But even if you did, like, pig latin, if you have to do anything to get to the communication, then that is going to be considered an intercept. So we have the federal Wiretap Act, and Maryland has almost the identical thing. Almost. Does anyone know why Maryland wiretap law is famous? Sir? Why? Yes. You may have seen this fellow before. Well, there was a little incident

where he may or may not have engaged in sexual relations with that woman. Now, that woman in that case had a confidant whom she decided to talk on the phone with. Ms. Tripp over here was in Maryland. If you're going to decide to wiretap a conversation, don't be in Maryland when you do it. It's a bad idea. It's a bad idea. The reason being: under federal law, a wiretap is good if anyone gives permission to record. If any party to the conversation gives permission, then it's good under the federal Wiretap Act. Not Maryland. Maryland is what's known as an all-party

consent state. Everyone who's involved in that conversation has to give permission. Now, the permission doesn't have to be explicit; it can be implicit. For example, "this call will be monitored for quality assurance purposes": if you stay on the line, you are implicitly giving permission for the call to be recorded, and so that's not an issue in terms of Maryland wiretap law. If you just decide to start recording people, bad idea in Maryland. There are exceptions, there are limitations, things like that, but in general, don't do it. Was there a ... yes, over here.

Audience: So Ms. Tripp was in Maryland; Ms. Lewinsky, I want to say, was in Virginia or DC, but because one party was in Maryland it could be prosecuted under Maryland law?

Yes, sir.

Audience: So, to be specific about that answer, if anybody on the call is in Maryland, then the party, whoever does the wiretap, could be charged in Maryland?

Okay, right. Generally, you have to interact with a state somehow for it to get jurisdiction over you. So maybe you live in Texas, or, I don't know, southern Texas; you could live in Mexico, something like that. You could record it; maybe there will be a warrant waiting for you in Maryland if you ever happen

to come here. But for Maryland to charge you, you have to interact with it some way, and being part of a phone conversation involving someone in Maryland is going to be enough to give Maryland jurisdiction. What's that? Yeah, it's going to be considered the same. All right, how am I sitting on time? All right. Now, the thing about a wiretap is it has to be contemporaneous. It's an intercept. Think about an intercept in football; I assume some of you guys are familiar with the sportsball. The ball is in the air on its way to the receiver, you reach up and you pull it down. Now, because internet communication, because

networking communications protocols don't work that way, generally speaking things are broken down and sent at different rates, et cetera, et cetera, "contemporaneous" is, like, "ish." It has to be acquired more or less simultaneously with the person that it's being sent to. So if you do something as simple as, say, somebody walked away from their computer and left their email open and you set up a rule to automatically forward you all of their emails, then when someone sends them an email, it is going to be considered contemporaneous: you are receiving their email at the same time they are, and so it could be considered an electronic intercept. If, on the other hand, they get the email

and then you somehow gain access to their email, that's going to be considered stored access, which is a different thing. So there's the federal Unlawful Access to Stored Communications, and there's also a very similar thing in Maryland. The thing about stored communications is they're in storage; they're stored. So wiretap is in transit; stored access is after it's already been received. So what are the complications here? Again, if you have a full black-box assessment, meaning maybe you're given an IP range and that's it but you have no idea what's at the next layer down, you might run into issues. Specifically where you might run into issues is going to be with BYOD environments,

things like that: things where, even if they give you the right IP range, the resources in that network might not all belong to the employer. Again, like I said up here, people bring their own devices, things like that. Let's say you run across a commercial-grade router that hasn't been updated, the firmware hasn't been updated, ever. You come across that as you're looking around and you're like, "oh, this is going to be awesome." You gain access to that, you can man-in-the-middle everything, etc., etc. Well, one, the company didn't have control over that router, meaning they couldn't give you control. Let's say that

it was implicit that because you use their network you gave them permission. Well, what might happen with that router? Let's say you get reverse Meterpreter sessions on, like, five different things off of that. What happens when they take those home? If you gain access on a bring-your-own device and they bring it back to their home network, you could very well create an issue. So the way to avoid that complication is to make sure that the company that is giving you this assignment has something in place with employees such that when they decide to have a BYOD device, or they decide to

bring something onto the network, they have given permission for whatever it is that you're about to do. Otherwise there could definitely, definitely be complications. When you get that reverse Meterpreter session and you're looking around and you're like, "I don't recognize this network, where am I?", that could possibly present an issue. Obviously, if you just close out the session and pretend it never happened, maybe nobody notices, but that's not what the talk is. The talk isn't "what you can probably get away with"; the talk is what is technically legal. Yeah, I'm sorry for those of you leaving in the back now. No, this is not what the talk is,

just what's technically legal or illegal. All right, so the tip here is: scope of work is everything. The scope is definitely everything. To just blindly accept a black-box pen test is a very, very dangerous thing, because there are all kinds of complications that could be involved. I'm not saying don't do it; I'm saying be careful, because you're potentially exposing yourself to liability just for trying to help someone else out. If you have a well-defined scope of work, if you have authorization from all parties involved, if you make sure you go up and down the chain, you're much more likely to be okay, because in the end,

generally speaking, if you've committed a crime there has to be some knowledge of wrongdoing; there has to be something in your head that you were doing something wrong. I'm not saying, you know, you've heard the thing, "ignorance of the law is no ... " I'm sorry, "mistake of law is no excuse," "not knowing the law is no excuse." Sure, but it's not about not knowing the law; it's about not trying to do anything wrong. As long as you stay on that side, you are more likely to be covered both equitably and legally. Now, sometimes that doesn't work out great. Sometimes the cops show up. That's when things get fun. The thing to remember is that it turns

out police are people. Who knew? When you get pulled over, sure, they may be some part of the anatomy; they may seem that way to you at the time. But underneath, generally speaking, unless you're in Virginia, they are people. They are people underneath that. And as people, police officers are exposed over the course of their duty to ridiculous, ridiculous things. Well, this is being recorded, so I'm not going to tell you my stories, but you get exposed to a lot, you deal with a lot, and you don't know what it is that the officer has just come

from. Maybe they were just drinking coffee and eating donuts all day; maybe they were, I don't know. But probably there have been a couple of things that have happened. The thing to keep in mind is it is not about who's right. If the police show up, let's say that you were engaged to do this pen test, you were allowed to, they asked you to try to break in, something went wrong, an alarm got tripped, or maybe you just got unlucky and the police just happened to be driving by as you were gaining entry. It's not about who's right. Probable cause is the standard for

arrest, and probable cause is just a fair probability that a crime has been committed by this individual. A fair probability, which means that all the officer has to be is reasonable; whatever decision the officer made just has to be reasonable. Which means: do police make mistakes? Yeah, police make mistakes, not all the time but with some frequency, and the issue is only that the mistake has to be reasonable; it has to be the mistake of a reasonable person. So my recommendation is: don't be that reasonable mistake. If you see a police officer as you're trying to gain entry and you're like, "I could probably outrun him,"

that's a poor choice. Now maybe you can, in which case, don't do that. But on the other hand, maybe you can't, and if you can't, the chances of you talking your way out of that are almost non-existent. So stay calm. Stay calm, and realize that the number one priority for a police officer is safety. So that bag that you're protecting, that has all your cool gadgets and everything in it, makes us real nervous, especially if there are weird things poking out of it, like things that are long and slender that could be a rifle, something like that. Sure, it's just a Yagi antenna for you,

but the officer doesn't know that until everything's been calmed down. So allow the situation to de-escalate; help the situation de-escalate. Bring everyone's tension nice and low, because then you can have a reasonable conversation. If you get in the officer's face and you're like, "I'm allowed to be here, it's my right," then the officer is going to get a little nervous. I'm not saying this as in the officer is going to be vengeful; I'm saying the officer may not be able to put all the dots together in the heat of the moment. So don't

run, don't act evasive. You're there legally, you're allowed to be there, you've been given permission, you have your scope of authority, everything like that. You are good; just relax. Now, that being said, maybe you're walking out of some dark bushes, maybe you see the police officer, maybe you just lean back on that back hill hoping the officer drives by. Maybe you do, maybe you don't. But if they stop, stop hiding in the bush, okay? Makes us real nervous. Makes us real nervous. So don't act aggressively, don't try to flee, don't keep acting evasively. I'm not saying you have to just confess everything to the officer, but if the officer notices you,

if they address you, have a conversation. Have a conversation like people. But definitely, the more nervous the officer is, the less likely they are to make a nice, well-informed decision. If you feel like things are just going the wrong direction entirely, you've already tried to de-escalate, you're nice and calm, "good, everyone's friends here, here's my hands," and things are still going the wrong way, then calmly ask to speak to a supervisor. Calmly ask to speak to a supervisor. Not all officers are super aware that penetration tests, security assessments, things like that, even exist, that that's an option. Maybe they've never heard of it before.

You don't have time to sit down and watch Sneakers with them or anything like that. It seems weird to us. It seems weird to us. So just kindly explain, and if they're not getting it, maybe talk to a supervisor. Don't be a jerk when you say that, but if they're not connecting these dots, you don't want to go to jail, so ask to talk to a supervisor. There is no get-out-of-jail-free card. Would I laugh if someone handed me one? Of course I would; that's hilarious. But it does not exist. It does not exist. And just having a

contact, like "oh, I've got this phone number of this dude, it's written on this piece of paper here," that is not helpful to us, because very frequently when I find somebody who has unlawfully gained entry to a structure, they present me with "oh, I'm working for Carl." Well, who's Carl? "He lives here." Oh, where did you meet Carl? "That place, right there." We get lied to constantly. And so having some guy's contact information on a phone, maybe a phone number, is not necessarily enough to save you. We don't know who's on the other end of that phone. We don't know who's on the other end of that phone.

So the more professional information you have, the better; the more likely you are to be able to successfully convince us that maybe you are legitimately allowed to be here. So a business card, a website with your information on it; you may want to prepare just a short slideshow on "this is what penetration testing is." Again, the more professional information you have, the better. Just having contact information, even if we call that person, may not be enough, because I don't know who it is I'm talking to on the phone. So just to review everything: have a good scope of authority. Set established rules of engagement.

Don't make up things on the fly. If things get made up on the fly, sometimes the wrong decision gets made; you may accidentally act outside the scope of your authority. When I say "don't do it," I'm talking to a room full of hackers; you guys are going to do it. I'm just saying try to limit the amount that it happens. Try to do it in a reasonable, well-calculated way. Have a standard authorization form, an authorization form that you work on with all of your clients, and maybe have as part of that form questions like: okay, well, who else, you know, whose services do you use?

Do you lease this space, especially if you're doing a physical test, something like that? Who hosts your email server? Who does this? Do you have Amazon? Just have everything laid out, because, depending on who you're working with, they may not think about all these outside vendors who may come into play within the penetration test. So get permission, stay within the scope of your work, don't be the test case, and if the police show up, stay calm, stay professional. This is me. If you guys have any future questions, anything like that, I obviously can't give you legal advice. I

work for the City of Baltimore; I work for the police department. Don't be like, "hey, are you going to arrest me if I do this?" That's not something I can tell you. I'm big on open source. This is my YouTube channel; it's Law and Otter. Right now there's one series on there, but eventually, eventually, there's going to be more. I'm also working on an open-source guide to Maryland law for law enforcement. That's going to be aimed at law enforcement, but it's also going to be useful, hopefully, to everyone. I wouldn't check that website tomorrow;

it's not going to be up tomorrow. But those are just things that I'm working on. If you do need an attorney, the Maryland State Bar Association has a lawyer referral service; give them a call. You may need to do some explaining with regard to what it is exactly you're trying to get a lawyer for; usually they refer people after the actual burglary hit, like, "I got caught in this guy's house and their pets are dead," and, you know, it's a different thing. It's a different thing. There are also a couple of attorneys that I came up with as prosecutors; they now do civil

and criminal work: Jeremy Eldridge and Kurt Naughton. They're reasonably well-versed in both the corporate and the criminal side. I like them. I'm not necessarily saying you've got to use them, anything like that; I'm not going to give them any special favors. One of my favorite things to do is actually be a jerk to them. But, you know, it's a thing. So, yes, sir?

Probably the person that you're talking to on the phone does not have the ability to regulate that. So basically your options, if they are recording, are to get off the phone or to stay on the line. I mean, if they have the ability to, then awesome, but my guess would be that whatever call center they're working out of, they wouldn't necessarily be able to adjust that.

Yeah, so if you want to say, "look, I'm not consenting to that, is it turned off?" and they say "yeah, it's turned off," and then you continue and it turns out it was recorded, then yeah, that would be an issue. Yes, sir. Interesting question. I don't think that they anticipate being recorded. On the spot, I'm going to go ahead and defer on that one and say that that is not a well-established legal question; I could see the arguments on both sides of that. I could see the arguments on both sides of that. Guy there.

So if you had called some company and they had that "blah blah blah, customer service, this call is going to be recorded," when they transfer it within the company, I would say the implicit consent stands, because it's your consent that they're concerned about, not necessarily all the other members, the employees.

Generally speaking, you'd probably have to repeat it. Yeah, the safest thing to do would be to repeat it; otherwise it gets into all kinds of questions of agency and permission, who has permission to speak for whom. So the safest thing to do would be just to repeat it. Yes, sir.

Audience: So if I'm doing a test of a company and I think I have my i's dotted and t's crossed, but then I find that I land on an AWS instance or something, am I supposed to just stop then, and do I have any reporting responsibility or anything?

So what I would say is don't go further. If you realize that you're there,

you realize you don't have permission to be there, then yeah, because just because someone's data is hosted with a third party does not automatically give you permission to go in and try to access it other than the way that they can. So if you gain control of something that has a connection already set up, so that you're accessing it the exact same way that it was already being accessed, then that might be one thing. Let's say you gain access to a computer that already has a drive mapped to it from somewhere, something like that; that's one thing. But if you try to gain access to it a different way, that's going to be more of an issue. Yes,

sir.

How do I put this? Researchers more than pen testers. Yeah, because generally speaking, with pen testing someone's hired you to come at them; researchers are doing it on their own, out of the goodness of their heart, and so it's that lack of authorization that tends to result in bad feelings.

So there is somebody who was hired by a police department in the Midwest, I don't remember which one, and they did a simple ping sweep and they found something that wasn't supposed to be there, and they brought it to people's attention, and then it became this thing of "well, why were you doing that in the first place? You weren't supposed to be doing that," and that became this huge contentious issue. But aside from that, maybe a couple of others, I'm not aware of any. But again, I highly recommend not being the test case. Yes, sir.

Again, it's going to be all about authorization. What did the bug bounty authorize you to do, and did you stick with it? Is it just on them, or did you spill over onto a third party? So it's just going to be about the wording of that exact bug bounty and what it is that they've invited. Yeah. All right, so just one more. Getting back to the question back there about, if you give the company permission to record, do you have permission to record: there was a case within the last couple of years where this guy had called Comcast or Verizon, something, and was trying to cancel his account. They

asked him why, he said "none of your business," and the guy proceeded to give him the runaround for the next couple of hours, and he recorded it, and every time the guy came back on,

so he recorded this, and when he didn't get the results ... I forget how it panned out as far as cancelling the account, but he