Defcon, the almost infamous hacking convention, started off well enough. When the doors opened, newcomers saw various voting machines, some decommissioned and others still in use, which were set up so that attendees could attempt to hack and probe them to discover vulnerabilities. This open, collaborative approach to vulnerability detection is crucial for public safety and security, and in this case, for maintaining the integrity of our elections. You might think this is generally welcome. If hackers are open about their pursuits, don’t we all benefit?
There’s nothing that highlights the division better than this subtitle from a recent Ars Technica post written after the hacker who disarmed the recent WannaCry ransomware attack, “Marcus Hutchins was hailed as a hero. Federal prosecutors say he was a criminal.” Traveling from the UK to Las Vegas in order to attend, Marcus, a researcher at security firm Kryptos Logic, was detained by the FBI. After spending a week off the radar, friends and family discovered that his indictment alleged that he “created the Kronos malware” and the other person later sold it for $2,000 (£1,500) online.
Security researchers often write malicious code to discover and exploit vulnerabilities. They have to make their own tools for the job, but these tools sit in a legal grey area: they can also be used by black hat hackers (“black hat” denotes illegal behavior and malicious intent), and disseminating them can be considered illegal, especially if the tool is sold for profit. He’s since pleaded not guilty. The FBI’s case most likely hinges upon proving Hutchins coordinated with the other hacker who sold the tool.
So the FBI detained a hacker at Defcon, but that’s not all. To show just how controversial hackers’ tools of the trade are, Ars Technica followed up with news that Salesforce’s “Red Team” members were fired as they stepped off stage after presenting their own internal attack tool. Salesforce’s Red Team is considered rather elite by industry standards, and they had reportedly received prior approval from Salesforce management to speak at Defcon, but approval was still pending to open-source Meatpistol (which is currently in a very rough “alpha” state but was in use internally at Salesforce). Meatpistol expedites malware implant creation from weeks to seconds.
At the last moment, Salesforce’s management team had a change of heart and tried to get the talk pulled. As ZDNet’s Zach Whittaker reports, “a Salesforce executive sent a text message to Schwartz and Cramb an hour before their scheduled talk, telling the pair not to announce the public release of the code.” According to one source Ars spoke with at Defcon, “Schwartz turned off his phone prior to the presentation so that he couldn’t be told directly not to speak.” Schwartz told the audience during the presentation that he would push to get the tool published as open source because he felt that it could only get better through community contributions. As they left the stage, they were fired.
Exit Stage Left
As the Red Team left the stage, they were more than likely offered much more lucrative jobs, but these clandestine FBI detentions and corporate hatchet jobs still have a chilling effect on the industry as a whole. Hackers don’t exist in a vacuum. One hacker’s work helps another along, and so on into perpetuity. By breaking the cycle of sharing and collaboration, especially in legal grey areas, hackers become incentivized to keep their exploits private, which means that patches and bug fixes are less likely to occur.
At Defcon, we fear some corporations and government officials may be backtracking in an effort to secure their own interests instead of the public’s interests at large. Collaborative stress testing of critical technology and infrastructure is crucial for public security. White hat hackers deserve scrutiny when their actions create unnecessary risks, especially if there appears to be a profit incentive, but we shouldn’t seek to disarm them when public security is at risk. Hackers deserve clear-cut rules of engagement and regulations that will support their efforts, not suppress them. But unfortunately, our justice system is years behind in developing the capacity to deal with these cases with the expertise and clarity necessary to achieve just outcomes. Given recent events, we fear there is backsliding occurring, where we may be turning some of our best and brightest into criminals when they should be patriots.