ETHICS VILLAGE - Ethical Disclosure and the Reduction of Harm

Video in TIB AV-Portal: ETHICS VILLAGE - Ethical Disclosure and the Reduction of Harm

Formal Metadata

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
How does a researcher become empowered to influence business and marketing leaders to balance coordinated disclosure, opsec protection, and tradecraft protection, with corporate interests? This talk examines use cases gone wrong, and opportunities for all groups to work together to make it right.
All right, so thank you everyone for your patience. Rookie mistake. I'd like to thank Shane, on his day off, for helping me get set up. So we're excited to speak here at the Ethics Village, and as you can see by the slide I am talking about ethical disclosure and the reduction of harm, and I will tell you what that means in a bit. But first, my name is Jen. I am chief marketing officer of a company called Flashpoint, and I know a lot of you don't necessarily work closely with a lot of marketing teams and might be wondering why there is a marketing person giving a talk here about this. But I'm going to explain that.

So, yeah, this is what many people think, especially in the tech community, about marketers: we're scary, holding the troll bar. I'm doing something wrong; we're just gonna deal with that like this, we're just not gonna waste any more time. You know, we're scary, allegedly; we create a lot of chaos, etc. But the reality is that to build an industry you need marketing, you need sales, you need all those things that folks here aren't necessarily interested in doing, but they might be employed by folks that need those very mechanisms to move their companies forward.

So the reason I'm doing this talk right now: I've been in security marketing now for almost 20 years. I've seen a lot of stuff go well, I've seen a lot of stuff go really bad, I've made mistakes myself, and I am extremely passionate about making my people, meaning marketing and business leaders, behave more responsibly. It's not about how you disclose, but about being more responsible in the way that they run business and make business decisions when it comes to disclosure, so they're not jeopardizing the user, they're not jeopardizing the community, they're not discrediting research. And I've done some work with a lot of different organizations that I've been at on their coordinated disclosure policies, and so that's why I'm here today. I think there's a lot of opportunity for marketers and business leaders and the technical community to work together for a more ethical approach to business. So whether you work for a manufacturer, where you might be putting something out to serve a commercial consumer audience, or whether you work for a security vendor and you're on the defender side and you're responsible for reporting things out or keeping things protected, then I can help right now. Thank you.

So, really simplified, and we could probably argue or fight all day about the nuances around these, but just some questions to think about as I head into this talk. What do manufacturers do? They try to make stuff that doesn't harm. Now we all know, we're all here at DEF CON because we know that's not always the case, but I
doubt anyone's ever creating something for a child that they want to be malicious. I hope, at least; maybe I'm just naive or ethical. What do security vendors do? Sell stuff intended to reduce harm. I know that's a big well of crazy, but in general theory that is what their goal is most of the time. What do researchers, engineers, practitioners (that's usually the word I land on) do? Work to reduce harm. Now, the different ways that we do it, the different named ways that they go about it, whether they're offensive researchers or reverse engineering, etc., we could get into the ethics of all of that, but we're not going to go there now. But what do marketers often do? Create risk. We create risk and sensationalize. We try to do what's best; our job is to amplify the message, build a narrative and amplify the message for our company. The problem is that too many marketers in our industry are not taking the time to understand what the companies are intending to do, and even the marketers that are maybe on risk or on comms teams for larger manufacturers, that are responsible for reporting when there's some kind of disclosure that's necessary, are thinking more about how much noise can we make with this, not how do we get this out in a way that doesn't hurt anyone, that reduces harm. And they need to get there. I'm very passionate about that, I mentioned that already, and there are some good folks out there, obviously. But this is going to tie into why we also need the research community to help us, and how on top of that the research community needs to be empowered by us to advocate. If you work in an organization, for instance, that doesn't have someone on the business leadership team or the marketing team that gives a damn about ethics, how do you go to them, how do you appeal to their senses, and what's going to scare them, in terms of what's going to happen to the business if they keep violating coordinated disclosure?

Yes, so Christophe just asked if the marketing behavior is bleeding over from logo disclosure, essentially every time there's a new vuln. I'm actually going to talk about the patient zero of that in a couple minutes, so bear with me. Thank you again, ha, that wasn't even a setup. So I assume everybody knows what this is. Exactly. So this was, as I was talking to my friend earlier, called patient zero for the worst logo disclosure, and what sent marketing teams on a tear thinking that this is a good idea. So we all know about Heartbleed. We all know that OpenSSL called it a heartbeat flaw. Codenomicon, now part of Synopsys I believe, had their marketing person who was like, we're gonna register that domain, we're gonna hire someone to do a logo, we're gonna do that because we want to help educate and inform. That's called branding. And that was a quote from a CMO: "We just want to help educate and inform." She's full of it, yeah, unethical right there. But it created so much chaos, because what would happen is this stupid heart showed up everywhere and then people started making assumptions. So many response teams, and all kinds of different teams actually, were thrown into a tizzy. It got on the radar because it was all over every business channel, news site; CEOs, CFOs, etc. were calling their CISOs, screaming and yelling about this thing and distracting them from actually doing something to protect their users. We can't have this anymore. And I know that there are some companies, I know that there are some research teams that I love and work very closely with, that still do branded disclosure. Even as a marketer, I don't support that. I think it detracts from the seriousness of the situation and I think it just creates a lot of noise that gets in the way of good people trying to do their jobs. Excellent, thank you.

So what I just said: I can't do this just myself. I need other business leaders, other marketing leaders, I
need folks in the tech community to just think about some of the business side of stuff. We all know that marketing sucks. I mean, I love it, but we know there's a... I do a podcast with a few people every con, and there's a joke about how often I use the hashtag #fireyourmarketers, because a lot of the time it's just a bunch of fluff and a bunch of noise. But it can be good. And this is not to talk to you guys about how to do good marketing, because you would probably all run out of the room; that's not your path. But what we need to do is work together to get rid of that old approach to disclosure. Not necessarily, again, disclosing the vulns and how to disclose them, but when they come on the radar of business and marketing leaders, what do we do with them? How do we make sure that there's a process, there's an approach, that doesn't break more?

So this is something I'm very big on. I'm gonna paraphrase what's on here: if you work in the security industry, whether you are in marketing, in finance, any other back office, HR, and you don't care about the endgame, the mission of securing people, get out. There are plenty of other things you can market. Flowbees, are those still around? So, I mean, get out. Security needs to be everyone's responsibility. Now it's a little different when you get into those larger organizations, those manufacturing firms I was talking about, where not everybody at a, you know, huge, I don't know, video game company is going to care about security. But if you are on a team within that company and part of your job is to work with the security engineering team, etc., and you're like, this is just a job, I don't care about security, you should probably find something else to do, because it's important that we understand what we're doing and the impact of what we're doing. And really, if I may say so, and I will because I'm holding this microphone, it's kind of a Marketing 101 thing: if you don't understand your audience and the impact of what you're saying, you shouldn't be saying it. So maybe you should go work with Flowbee, I don't know. So that's kind of where this starts. So this
is what I really want to focus on today. Hi. As a CMO I'm extremely artistic, as you can tell, but this is my disclosure decision tree, and someday I will hire maybe the same graphic artist (kidding) to make it prettier. But this is my thought process, and this is how I operate when I'm working with the researchers and the security teams in my companies, and even when I work with our researchers with other companies on coordinated disclosure. One example of that was where we had to work together on the coordination, so he applied this methodology.

So there's a vuln. Was it shared with the company that is vulnerable or has a vulnerable product? No? Stop, don't do it. Good example of this one: recent CTS Labs versus AMD, you guys remember that? CTS just went ahead and disclosed everything and made a whole bunch of noise, and sure, there were actually vulnerabilities, but it created a lot of nonsense that was unnecessary. And then also the way that the CEO kept saying, well, I'm not a marketing person, but I'm gonna tell you why you're wrong, and I'm like, maybe you should hire a marketing person in this case. But just don't do it if you haven't disclosed to the organization that needs to fix it. Obviously there are exceptions here, this is not black and white; that is not one of them. Stop, at least stop and think about it. If it's a malware vulnerability, if it'll tip off a cybercriminal: so if you're one of those companies that likes to break news that you have a ransomware vaccine and you want to share with the whole world that you figured out there's a flaw in this ransomware, who do you think the first person is that's gonna realize that, that's going to take this information and fix their stuff? Right, the author. Don't run out with it, don't do it like that. Work with the community that you're in, work with your research teams, coordinate all that stuff. Don't just put it out there. I've seen that so much, and then I get really angry when I see the journalists writing about it too, because they should know better, but we'll save that for a therapy session at some point.

So if it's shared with the company, yeah, consider it. Okay, you agree on a timeline, blah blah blah. We all know how disclosure works, I won't get into that. Is it coordinated? Are you in agreement on when, how, who needs to be notified, what needs to be done first, what is the timeline, an agreement on the timeline? Are you in agreement on how you communicate it, who communicates it? Is it something that has to be shared with customers? Always share with your customers first, right; don't make a media surface before your clients are taken care of. So if it's not coordinated, stop. If it is, keep going. Then you ask the tough question: is this actually going to help people if we put it out there broadly? Is this just creating something that we're hoping is going to drive traffic to a website, or is going to make us look like the biggest, baddest security company in the world? If it's not educational, if it's something that's just like, hey, we found this thing, I don't know what to do about it, you're screwed, buddy: don't do it, stop. If it is, if there's value, if there's something that people can learn, if you're going to do an emergency (I sound like a marketer, but that's who I am) emergency webinar or something like that on what you need to know about this immediately, we spin up a lot of those, then there's something that you can do there that actually helps people, then go for it. Message not scary or spun, otherwise known as FUD, fear, uncertainty, doubt, right? Just don't do it. You don't ever skip that. I've said this a lot, I'll say it again: if you have to scare someone into buying your product, it's not a good product. You shouldn't have to scare anyone into using your technology or using your stuff. So there's no reason to go out there and scare users.

A recent example of this, where it wasn't necessarily scary or spun, it was more stupid, was Bitfi. Is everybody familiar with that story? Their unhackable crypto wallet. There were all kinds of issues with that; I won't get into the whole technology side of that because that is not my wheelhouse, I'll let you guys all research and debate that. But never call something unhackable. Whether you offer a bounty or not, you're just inviting an army of people to rip you apart; you look ridiculous. And the other part of it is, sure, to us in this community, where we're aware and we know that that's a bad thing to do, we're gonna question it and you guys are gonna rip that stuff apart, that's one thing. But they're also marketing that to people that know nothing about security and won't question it. And I don't know if you guys saw the whole thing about the hologram stickers. Like, we have hologram stickers now, and if you already have a device we'll send you a sticker to put on it to show that it's secure. What? So the whole message was wrong on that for so many reasons. That wasn't really disclosure, that was just bad marketing, but it's been annoying me so much that I had to share it with you all.

This one I can't step over because I'll get in trouble: are the researchers credited? There are so many companies that are like, oh, you know, this is great, thank you for this discovery, you know, it really looks better for the company if we put it out in the CEO's name or such-and-such name or such-and-such company research team. Do not allow that. It's your work, you're the one putting your ass on the line, your OPSEC, your time, all of that. Stand up for that, and I'll go (checking time, since we started late) a little bit more into how you might be able to do that. Researchers are credited, yes. Researchers not credited, no. I ran into a situation, not at my current company but a previous company, where we were coordinating something with another company and they were adamant about not putting the researchers' names on it, and we pulled back our support from the disclosure. They decided to do one on their own; it was a flop, they got ripped apart, the comms person got fired at that other company. So it's a good lesson learned, and they deserved it, quite frankly.

So what is this chick babbling about? Those of you that aren't on the business or marketing side, which is probably most of you, I appreciate you sitting through this and actually taking an interest in this. It's coming kind of out of left field; it's very rare for someone in my position to be like, you know what, my people need to do a better job and we need your help to do a better job and all of that. So I wanted to take a breather for a second before we get into what are some ideas. I've talked about what we shouldn't do,
I've given you examples of what's gone wrong, I've talked about the flow chart, which is kind of dipping into what we should do, but now I want to talk about how we actually create this, like, disclosure utopia that I'm talking about. Thank you.

So this is just an idea I have. A lot of major news organizations have standards desks. Basically the folks on the standards desks are ombudsmen or ombudswomen, and they are responsible for looking at articles, looking at content, news stories, before they go out, to ensure that everything's solid, it's fact-checked, it's a story that needs to go out, it's a story that's not just going out to create chaos, right? It's not something that's going to put anyone in further danger, it's not something that's gonna get them sued; there's all kinds of other things on there. But what if we had the concept of a standards desk for any team that was responsible for working with the researchers on disclosure? And again, this piece is really focusing on those vendors that are working with other companies, more than independent researchers and so on; that's a different topic. But what if we could do that? What if every company had some kind of standards initiative or standards desk when they were looking at how to take this stuff out, similar to the flow chart I just showed? Next slide, thank you.

So, how it should work. This is very similar to what we do at our company, and one of the things I love about it is that everybody buys into it. It's very natural for a very security-focused company, for a threat intelligence firm; obviously that's important. And so never use your analysts, your researchers, your engineers as a content repository. Don't just take their stuff: oh wow, I just saw this. We see a lot of intelligence reports roll through, and it would be very easy for us (it wouldn't last long, I'm sure) to take those reports and just publish them as blogs. One, there's a lot of information in there that would need to be sanitized to protect tradecraft, protect sources, protect a customer, and so on. So we don't do that. But a lot of companies do that. They'll look and say, like, oh, so-and-so did a paper on this, I'm not gonna talk to them about this because they work for our company and therefore it's ours and I can do what I want with it. Hey, that's not okay. So you need to collaborate, and that's another way to ingratiate yourself, and if you're on the research or engineer or practitioner side, like I said, you have every right to request and demand that that not happen. In my team's case, we work really closely with our intelligence and research teams, so when we see those reports and we're like, ooh, shiny, I want to market this, first we do a read-through for our own gut check, then we work directly with our head of intelligence, and I'm like, is there anything in here, is there any reason why we shouldn't do this? The first thing he always asks me is, what's the point? What do you want to do with this? So I'll tell him whatever my harebrained idea is, and if it's safe and if we can sanitize it, if it makes sense, then we'll go ahead and put that out. That's just one example.

Challenge everyone. I talked about this a little bit. Everybody in the organization needs to be responsible for security outcomes. We had this conversation the other day, around enforcing everyone to care about or be responsible or accountable for security. If you work at a company where there are business units, there are going to be executives that are in charge of those business units. A lot of times they're officers of the company, which means they have a fiduciary responsibility to protect the company, and that means protecting the company on every level. So they should be held equally accountable for educating their teams and also making the right decisions, like running any new tools that they buy, especially ones that might have data in them, through their security teams to make sure that they're okay to use. Double check with multiple folks to ensure that there's no FUD. Proper attribution to the analyst or the researcher. OPSEC never compromised. Sources are protected and tradecraft is protected. So that's the way it really should work, at least in my view of the world, and it works pretty well, I think. Thank you.

Still, why should I care about this? We can go to the next one. There's a lot of stuff that the more technical teams can do to help with this initiative. Most of the time it's, marketing sucks, why do they do this, oh, did you see this thing that this marketing team did? Start explaining why. Create a culture shift. Talk to your colleagues, employers. So for instance, if you were looking at this and you're like, yeah, I work with these people, or maybe I don't work for a vendor right now but I know someone, or whoever, and I think they really need to see this or I think they need to understand this: talk to your manager or talk to that person or talk to that colleague in the next week or so. Just have a conversation: hey, I saw this talk at DEF CON, this crazy lady with chickens and demons and stuff was talking about how, wait a second, it's not all on us, and we're put in bad positions, we need to educate them on how to better treat our research and any disclosures that we need to do. Start with that, bring that up in a conversation. It's not a very common one, which is probably why I'm here giving this talk. If they don't have a coordinated disclosure policy, build one. Take the initiative if that's a position that you could be in or are in, or push someone to do it. "We are not a security company" is not a good answer; we hear that sometimes. Just because you're not a security company doesn't mean that you shouldn't have some kind of disclosure policy, as long as you're selling something that could potentially cause harm if anything bad happened to it. Require credit for your work; I've already been on that a bunch. Call out the marketers, but like I said earlier, focus on sharing how to do better, like, hey, this is what happened because we made this decision, not, you did it again, you suck. If they don't have a response, again, that goes back to: should they be working in security? That's probably not for you to tell them or decide, I don't advocate that, but helping to educate... I think there's a big divide that everyone can benefit from if we got it much smaller, and I think starting to actually communicate and recognize that we really are on the same teams, just different people have different experiences and understandings of what we're trying to do, and it's all of our jobs to help each other. So we can go to the next slide. My animations are not going to work now, that's okay.

So we don't want to create risk and sensationalize anymore. And again, like I said, I keep saying business leaders as well; sometimes CEOs are the ones that are driving marketing teams because they said, no, we have to do this now. They need to be educated as well. Now it might be easy for me to say as a CMO, I'll just tell my CEO no; not everybody is in that position, and that's where some of the collaboration and education can help, because other folks that aren't maybe as senior in the organization as I am might not be able to have those conversations as openly. Next slide, thank you.

So I would love this to be our state, where we actually reduce harm through the ways we work with our research teams to disclose, by providing better education, by ensuring that we're not scaring the end users, we're not scaring anyone who's consuming the information, and that we're not just putting up logos and theme songs, as Chris said, just to try to get more attention. I'd love that to be the state. I realize that is very far off from where we are now, but I think we can
get there, and then everybody's happy, right? It's not that simple, and obviously this is just kind of a primer, just a discussion for this village, but I think there are so many more opportunities that we have, whether you're a hacker or whether you are an analyst, whether you're an engineer or a marketer, business leader, salesperson, etc., to actually understand in this industry what the other folks are doing and how we might be hurting each other at times, largely my side of the fence. And in order for that to change we just need people to speak up and say, hey, stop messing with us, you're actually hurting people more. So that's all I got, and I'm happy to take questions. Are we on time? I kind of rushed through since I was late. Good. Any questions? Yes.

Thank you. So the question is, have I compared the super basic yet fantastical disclosure decision tree against other frameworks like SEI, etc., for disclosure? I have looked at those, absolutely, and in building this out I really thought about it more from the perspective not of actually doing the disclosure of the vulnerability or something, but more about how to maintain discipline and structure on the business side so they're not pushing the research team to do something that they shouldn't do. I don't know if that makes sense or not. So they're aligned, but they're going to be much different steps and different thought processes, at least in the world I live in. So yeah, any other questions? Yes.

Yes, right, right, but the challenge I think is part of the delivery process. Marketing is just a condom? Yeah, pretty much. I'm not even sure how to recap that question, really. But so, if a salesperson were to give this talk, how different would it look, given the gap between marketing and sales, and there are different perspectives because marketing is primarily a driver for sales to meet your number? So, was that a good recap? All right, perfect. So, you know, it's interesting that you ask that. Marketing and sales always have a love-hate relationship, and there's going to be friction; it needs to be healthy friction. I tell my team all the time, they're gonna blame us for everything and we're gonna blame them for everything and it's never gonna change and that's just how it works, and accept it, don't take it personally, just keep being better than they are. And I do have some of these conversations with our head of sales, who's great; again, there's still the healthy friction. I think if a salesperson were to give this, they would say it really depends on who it is. If they live and die by the number and they're like, we've got to meet the number at any cost because I got to get my team paid and I got to keep them motivated and the board is gonna be breathing down my neck, so I need to do this, they'll be like, this tree? Get rid of it, no, I don't know, no, I'm doing whatever I want. And that's where I come in, like, haha, nothing goes out unless I say so. But not every organization is like that. There are other sales folks, like ours, I hope (I'm pretty sure, I've never seen this), where I can say, hey, I know we really need to get this out, I know you really want to do this, we need to train people. Going back to the comment actually earlier in the question, he said a lot of times marketing develops messaging; if an engineer has the same deck they'll skip through the marketing messaging, go straight into the stuff. No one should ever make an engineer do marketing messaging, by the way, that's not their job. That's a bad marketer; fire your marketer. Too heavy. But so, going back to that, it's just having a logical conversation about, look, there are short-term gains and there are long-term gains, and if we miss this quarter because we decide to do something ethical, it's gonna pay off longer in the business, and if we explain this to the board in a way where we're protecting their long-term investment, they're gonna understand. So you just need to basically have people that are willing to speak up and not shy away from someone that's trying to scare you with "I need to make the number." Okay, cool. Any other questions? Yes, sir.

Okay, so the question is, is there any instance, so if it's something created by an analyst, etc., that doesn't go through the decision tree? Mistakes have happened; they are quickly rectified and then we put more process in place to ensure that doesn't happen again. Sorry, repeating the question: so basically, do mistakes happen, does stuff go out when it shouldn't? Most of my team, in my current environment, anyone that has any responsibility or any ability to get anything out without my approval or my eyes on it, or one of the other senior members of the team's eyes on it, is very well trained, well versed; the researchers have spent a lot of time in security teams, etc. But there's still things that miss the gut check, because you can never replace the gut check. So there have been situations before, especially around the topics of physical security, where something's gone out and the quality of the content was really good, but I've been like, why the heck are these images in there? We shouldn't be perpetuating these images, take those out. Things like that, where it's just a gut-check thing, and then they learn as they go. But there's lots of other content, obviously, that goes out from companies that doesn't necessarily need to go through this. If you are working on an RFI or some kind of project directly for a client, that's not going to come through marketing; the client's not going to want that, we don't want that either. It's just before it goes out to a broad base, or on the website, or through media, etc., that's where you want to apply this and make sure that you're involving those decision makers. I think one more question, and yes, sir.

Sorry, can you repeat that? I can't hear, it's the door. Sure. So the question is, how does a code monkey, quoting, communicate with marketing or whomever more effectively when they see something that shouldn't be done, because it sounds like, from what you're saying, they don't listen, or you say no and they run with it anyway? Got it, okay. So it's just bad communication: it's either sensationalized or it's belittled and it's not as effective as it could be. So some advice there would be (you may already be doing this, but just for the broader room and anybody else that might have this question): I start by asking questions. Why do you want to do this this way? Why do you think it's important to put this out this way? They might not even have an answer; they might say, well, this is the way that we've done it, in the template, sadly. And you can say, why don't you think about this another way? Right? Sounds familiar, right? So that's one way to go about it. The other thing is, especially if it's something, for instance, that's customer facing, there's something that needs to be disclosed to customers: say, look, it is your responsibility to make sure that we communicate clearly to our customers and make sure that they understand, because this is where you appeal to their pain point. If they don't understand, if we don't properly inform them, if we don't help them the right way, we're gonna churn these customers and it's gonna be because of bad marketing. So, you know, marketers die, I just said it myself, losing customers, and it hurts because you're responsible for making that happen or not helping to make that happen. So I think a lot of it is in the delivery, appealing to... a lot of times I think what I've seen with code monkeys, as you said, coming to the marketing teams is, you can't do this because of this, and I saw this, and they don't understand what any of that means. I don't understand what any of that means; I just understand this conceptually, which is what I'm here to do, quite frankly. But if you appeal to the things that are important to a marketer, making the numbers, good reputation, telling the right story for the company, not pissing people off, not getting in trouble for getting in the way of a sale, those are some ways that you can go about having those conversations. And if you're talking to someone and they're not listening and it really is an issue, escalate it, go over their head. So, all right, I think that's it. So what am I doing with this? I have a Packet Squirrel, nuts for networks, giveaway to whoever... actually, I'm gonna give it to you, because that was a really good question. I'm gonna give it to the code monkey question, right? [Applause]