Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to bad web sites. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.
I'm sometimes asked if we ever get 'tempted' to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding a SQL injection exploit that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.
But not everyone understands that, and that's scary. A member of THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating.
My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences - while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.
If you think the previous paragraph is a paranoid conspiracy theory, lets talk about investigating the links that pop up whenever we deal with botnets, phishing and malware. The police are demonstrating zero tolerance for child porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o'clock news arrested on charges, that you are not a dangerous criminal and that you had no idea the link you clicked was to a nasty site?
There will be more incidents like the THC one. Security professionals can tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can't, and often don't seem to care about the difference. Some of the time it's not even law officials: Fyodor had his site shut down to prevent spreading his nmap tool. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.
I wouldn't want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) - I've seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a 'get out of jail' card?
0 Comments