ETHICS VILLAGE - Ethics for Security Practitioners

Video in TIB AV-Portal: ETHICS VILLAGE - Ethics for Security Practitioners

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract: While at first glance infosec might seem to be a mainly technical domain, you might encounter ethical dilemmas very soon once you start working in the field (namely when you do offensive stuff). In this talk I'll provide an introduction to how to tackle such situations in a structured way and on the basis of common approaches and values.
How are you doing? So, I'm Big Easy, I'm part of DC217, and we're putting together the Ethics Village. When we were doing the CFP it was my privilege to read the CFP submission of this man, Enno Rey, who happens to have a conference in Germany, and I did my first public talk at his conference in Germany over a decade ago. So it's my privilege to introduce Enno Rey from TROOPERS in Germany, and the circle is now complete. I know Enno is a first-time DEF CON attendee, this is his first DEF CON talk, and we chose him to do the keynote to kick off the village. So thank you very much for coming.

No, thank you for the warm words. Actually, it's not only my first DEF CON talk, it's my first talk on ethics at all, so I'm a bit, so to say, nervous, but happy to see so many of you. Just a quick intro: who I am.
I have been in InfoSec in different roles since '97. I have a technical background, which means I'm from large-scale networking, from the carrier space. I've given a number of technical talks, so that's usually my domain. One thing that could be of relevance for my talk today is that I have run a company for many years, and within that company we have an ethics committee which I installed; I will later lay out why I did that, as part of one of the case studies.

The purpose of today's talk is to make clear that once you face ethical questions, ethical dilemmata (I use the European plural of dilemma, which is dilemmata), how to handle those: to understand that there are different ways, on a structural level, to tackle them; then to provide, I wouldn't say a guideline, but maybe some questions to ask yourself once you face a dilemma, some steps of reflection to go through; and then to make clear that all this is not easy. This is not, as was already laid out 15 minutes ago, about taking easy decisions. That is the main intent here: to educate you a bit, but also to make you think in a certain critical way about dilemmata that you might face.

So where is ethics relevant for InfoSec practitioners? Pretty much everywhere. There are spaces which are going to be discussed later on in more detail, like vulnerability disclosure and the exploit trade, where there's some debate already going on, but other than that, whenever there is an intersection between InfoSec and humans, ethical questions might come into play. Again, I will have a number of case studies later on where this becomes more clear.

Some disclaimers in advance. I don't have a formal education in ethics; actually I have a formal education in literature, which you will see later on in my slides somewhat. During my studies in the 90s I worked with computers and I worked with networks, this is how I got into this, but from a formal perspective French and German literature is my background. Second disclaimer: ethics is not something which you should discuss on Twitter, right? That's not the right format for the type of questions we are going to discuss today. And the last one: there is a guy whom I have to mention here, Ben Zevenbergen; I owe him a lot of the things I talk about today. He is at Princeton at the moment, so if you want to look up his work, that would be going further than what I do here in this talk.

From a definition perspective, what is ethics, or what is actually the part of ethics that I'm going to tackle? That is practical ethics. This is a fairly formal definition which I took from the work of Ben, which he started at the Oxford Internet Institute: the task of practical ethics is to identify moral problems (so it's about problems, about dilemmata), to clarify what is at stake and who is affected, to reflect on how possible actions could look (disclose a vulnerability, refrain from disclosing, disclose it via certain channels), to identify the courses of action, and then choose one which ideally best reflects the values and the decisions. So in short it's about doing the right thing based on a certain type of reasoning.

And again, it's about dilemmata. If it was about easy situations, if the things that we are going to discuss today, or which are being discussed in ethics in general, could be solved easily, then we wouldn't need this ethics domain. It would be sufficient to have laws or to have stuff like the Ten Commandments. If that were sufficient to steer human life and decision taking, then I could stop here. But it's about dilemmata, that means it's not easy; I'm very keen on stressing this many times in the talk. This is not about the easy path and taking easy decisions, as you will see.

From a formal perspective, just to give you an idea of how to tackle certain types of questions, I will very quickly lay out three approaches from within the ethics world, which is a huge one. There are many schools of thought, there are many approaches, there are different frameworks, there are different types of terminology. I'm just going to tackle very quickly three of those, as those might be important for the discussion later on.

The first one is so-called consequentialism; there is one flavor of that which is utilitarianism. In short, it's about "the end justifies the means". So the approach of a consequentialist would be: okay, here are some possible actions that I could take, some paths of action, let me identify what has the highest benefit, whatever this benefit might be or however this benefit could be identified, and then choose the path that provides the highest benefit. That could be one possible approach. The problem with utilitarianism is that at the end of the day you can justify all types of actions with that. You can come up with: oh, I have to torture people, or I have to shoot down the plane, because at the end of the day this is better for everybody, or, taking things into account, doing this has overall a higher benefit for society than another course of action. That is actually the main problem of this one. Let me already state that in a technical domain, which is highly represented at DEF CON, there is always a temptation for a consequentialist line of reasoning. We are used to solving problems, to writing programs, to rating problems by the result; a consequentialist or utilitarian tackles things from a result perspective. To illustrate the problem of consequentialism in a nutshell: say in 15th century South America it hasn't rained for a number of weeks; a possible course of action was, well, we should come up with a sacrifice, because that's good for everybody when it rains. Okay, the young persons might not agree with that statement, but well, this is a very consequentialist line of reasoning.

Then there is a completely different school of thought that is called deontology. Deontology usually works on the basis of very strict rules, like "do not torture, period". That would be a just approach to a specific question. The problem here is this might actually lead to situations which can have very bad consequences. Say you followed the approach of "do not lie", and in World War Two Germany you hid some people in your house and the Gestapo turns up and asks you, okay, so is anybody hidden in your house? And you follow that "do not lie" approach; that could have very bad consequences. So there are some problems with this one as well.

But then there is one which has gained quite some ground in the last decade, especially in the information technology domain, which is called principlism. It tries to identify: okay, what are common values for society or for groups of people, and then work along those values. There is a well-known flavor of principlism which works around: okay, there is a value, autonomy, which we should take into account when discussing ethical questions; what's the expected benefit of courses of action; let's talk about "do not cause harm", "do not be evil", which would be typical of a principled approach; and justice, like being fair in weighing options. In the IT domain there is a well-known document, the so-called Menlo Report, guiding principles for research in the information and communication domain, authored by Dave Dittrich, and looking at the table of contents you already get an idea of what this ethical framework is about: respect persons, get their informed consent, try to identify who benefits from an action, balance this with possible risks, and at the end of the day try to be fair when looking at the options. This is an IT flavor of principlism.

So now, once we want to do this a bit more in real life: in general it's a good approach, and this is one that I want to lay out to you, once you face a dilemma, very simply said: okay, try to understand the dilemma, try to write it down, try to identify what actually the problem is. Once you have a feeling, well, I should, maybe I shouldn't do this, or you scratch your head, well, okay, in general I do disclosure, but in this case, well, maybe it might not be the right course of action: try to write it down. Get the facts; again, I have some case studies, this will be very important later on. Try to identify who's involved and who are the stakeholders of a decision, and what are the values affected. Then evaluate, and this is also often overlooked, evaluate alternative options: okay, what if I didn't do this, or are there any other approaches to gain the same insight? Say, once you perform research projects involving stuff like port scanning or so, are there any other ways to find out the specific thing you're interested in? Many people don't do that actually. And the last one, I will skip this for a second; oh no, I will not skip the last one. This is, from my perspective and my experience, a very good approach when you go through options like "I could act like this" or "I could do another thing": ask yourself, if I did the following, would it reflect me as the person I would like to be? I mean, you could say, can I still look into the mirror, but this is a bit more of a formal approach: my personal value system, is an action which I perform aligned with my personal value system? Obviously you have a feeling for that already when you come up with "doesn't feel right", but still, at the end of the day, ask yourself, is this consistent, to what degree is this consistent with how I want to be and how I want to act, as an example, as a leader. And of course evaluate in hindsight; again, this very often doesn't happen. So this is a bit the very generic thing on how to tackle it: get the facts, identify the courses of action, choose one, and re-evaluate at some point in time.

There are some additional things, before we get into the actual case studies, that I would like to provide as advice. Be aware that in many questions, in many situations, there might be a power imbalance or a knowledge imbalance, especially when people from a technical domain decide, well, I should do the following because that's good for everybody. How do you know it's good for everybody? How do you know that everybody else is sharing your perspective? You, maybe as a person from Silicon Valley, might know more or might be in a more privileged position than those you perceive yourself to speak for. Try to keep this in mind; try to ask yourself in a specific situation, is there a knowledge or power imbalance? The next one: keep in mind that the Internet is a socio-technical system which was designed, or many parts of the Internet were designed, by a specific group of people, and so things happening on the Internet might reflect certain understandings and certain value systems. Maybe try to avoid, or always keep in mind, that your course of action might act as an example for others. There is a very well-known ethical dilemma, the so-called Carna botnet; some of you might know this, I think it's like eight years ago, and it was created to map the Internet. The guys who did this were actually arguing like, oh, this is good for everybody, you have a map of the Internet, and well, they compromised systems for that, which, maybe you could come up with a reasoning perspective that this is the proper course of action; maybe not. The thing is, this might set a precedent, and keep this in mind.

Just to give a very quick example here: as I mentioned, I've given a number of talks at many conferences, so I attend conferences as well, not just today; my daughter's birthday is one of the reasons. But at CCC I was in a talk where a guy discussed how to compromise the airline codes, and he was making fun of people: well, those guys are so dumb to put their tickets on Instagram, and once you get a code you could log in or you could use the miles, whatever. I'm not a big fan of this type of making fun of people anyway, but there are different styles of speakers and that's fine, right. But the thing is, in that talk my at the time 13-year-old son was sitting next to me, and the first thing he did when getting back to the hotel room was going to Instagram, looking for tickets: hey, the guy on stage did this, so I can do this too. Well, you get the idea. Think about whether the course of action that you jump into could be a precedent, in one way or another, for somebody else.

And this was mentioned during the "ask your friend" session as well: I suggest being very careful with analogies between the physical and the digital world, like "well, if we do this, this is like ...". My experience is that very often analogies do not really help or apply; be careful with that one.

Last thing: be honest with your agenda. Obviously we are all humans and it's perfectly valid to have an agenda, but well, put it into the equation. Once it's about becoming a famous speaker or getting money, all these might be legitimate reasons and objectives of human action, but be honest and put it on the table. Very often, say, in the academic Internet research world, for many years it has been very popular to write papers based on numbers, like we scanned the Internet for IPv6 or for open ports on that specific protocol, and then we performed some action to find out which version of a protocol is used, and this is a good contribution to scientific research. If you look closer, it turns out, I mean, the academic world, they have their own incentives and their own ways, like publications and citations and all this; this is a specific ecosystem. When you look closer, many of the things that have been done might not have been necessary; there might have been other ways of gaining the same type of information. It was just, well, for many years it was a bit en vogue to write papers of that specific type, so everybody did it: oh, I scanned the Internet, and I was entitled to do so as I'm a scientific researcher.

And obviously it helps, once you face a dilemma, to discuss it with somebody who is not of your domain, not of the technical domain. Actually, in my case, I'm not an overly religious person, but I live in a small town and there is a, how do you say, preacher, a guy with a position in the church; he's 80, I very much respect him, and it has already happened several times, when I had a dilemma, that I just went to visit him and discussed it with him, as he has a very different and experienced perspective on the world.

So that's it from the theoretical part. Now let's get a bit into the meat, the case studies, with one last word of warning before: to get through ethical dilemmata is not an easy task. If you face a problem and you have an answer after five minutes, you might have been doing it wrong. You might not have all the facts, you might not have considered the values and the stakeholders affected, or you might not have been self-aware of your agenda.

Case studies. All the case studies I'm going to discuss have mostly happened in real life in our organization, so I've been facing those at some point in life. Let's talk about the first one. The organization which I founded, and which to some
degree obviously represent here we do a lot of vulnerability research both in customer engagements and in like as part of our company DNA and there was a situation where we have identified vulnerabilities in an alarm system in a type of alarm system which was sold in Germany electronic shops like in the u.s. that would be Best Buy or RadioShack it doesn't exist any longer isn't it but in these types of stores you can get an alarm system for your house or for your property and we found out for commonly solid model it wasn't it wasn't exactly rocket science were from software find radio to actually correct the codes of communication which at the first glance doesn't seem so problematic from an ethical perspective but if you think closer about this would you disclose this we have at UW in general we follow a mostly very conservative and since 10 years what at the time was called responsible disclosure I'm happy to see the tear the time back there was a whole debate if the term responsible is appropriate or not but I'm not going to stick into this the idea is like how did you find time frame in formal window and after a specific time frame you just close the things and you hope for that the window has some fixed the problem in the interim the petrels available in this patch can can be rolled out the thing is this disclosure approach might not walk in this specific case very well getting the facts laid out at the first step that's not too difficult in this case we know the model we could identify okay with who had a stakeholders affected well anybody using this who else is involved well that's okay I guess a user's perspective the witness perspective it wasn't really possible to identify the window as this was kind of oh em stuff sold again in popular electronic stores but the facts are very easy the values like okay so the harm was as benefit equation and who's affected this one becomes very interesting very quickly as looking from a traditional disclosure perspective 
there was some assumptions in this disclosure process which are Morrow abilities is close to the window when it produces a patch the patch can be rolled out and actually the people affected by the page you know that the patch is available and they can actually apply the patch that's the basic idea behind this like since 15 years when rainforest Poppaea wrote down the the first policy laying out your responsible disclosure idea there are some assumptions in that when there can be identified when the producer will produce a patch affected users care to hold of that and can apply it and many of those assumptions if not all which I mentioned do not apply here we couldn't really identify the window some Southeast Asia and some country stuff was produced and it was sold with different labels on it throughout Europe so how to identify the vendor well the suffer zone so it was manufactured somewhere but that was already difficult but even if there was a patch how would it you just know the patch was available and even if they knew like there was a public broadcasting oh the following type of systems has a problem please show up in your electronics or if you are a fact
that they will provide you an upright how would that upgrade be beyond the system so was traditional disclosure would have not worked here and what made the thing very interesting was see like harm and benefit equation as this effects well people's property so even if we had say the font you will see in a second but if if we had performed traditional disclosure and after like 90 or maybe prolong that a bit make it hundred eighty days published the thing what if say some people would have known that not have applied the patch and into the proper he was was broken into there would be harm cost real harm in a real world there is one thing and maybe they would have showed up in before in front of our company building with the Fox like since you guys published this you have helped the bad guys to break into my house so the stakeholders and the values affected this makes this a very interesting and kind of complicated case I will skip
this so you might ask what did we do we try to identify by some channels and some wise the window this didn't easily we refrained from publishing a thing we had a free serious blogpost on like ok how to how to analyze wireless protocols with SDR and then here is say a case study but it was plant we have a third one unlike ok let's take the case study revealed to following and we never published that one we made the draft in the in the block for a while and then it was removed in a nutshell we did nothing which from a hindsight perspective that's highly unsatisfactory what we should have done but this is like five years ago we should have gone through fool?s art nowadays that would be that the best possible action from from my perspective but at the time and and at some point we really like lost interested we didn't follow up on this it was like it's still in our I think that the thing is still sold but we if we went public with this we would have to a problem still exists and we were not willing to put time into this but there was an outcome which from today's perspective I'm not happy with that one second case study let's imagine you and this is a very typical type of engagements we have that large organizations bring us in like okay we plant a few the following devices whatever that else might be in this case network security device can you have a closer look on this before we deploy this so there was a device and we stumbled across something which well you could consider this a back door back door which looking closer you might get an idea like okay there is a specific actors behind this back door so how to handle this one question was brought up in the similar question was brought up in the in the earlier session let's take a structured approach which I proposed at the first glance okay this might look like a while ability disclosure which looking closer it is not or maybe it is that's already an interesting question it's a whiner ability it's a Becca 
vulnerability from the it depends on your perspective actually from the one who puts it in there it's it's not a vulnerability as if the plant feature kind of from the ones not a being aware of that or from the non 5:5 countries well it might be considered the vulnerability probably yes the friend of mine who leads threat intelligence unit in a German highly specialized shop he uses to say one country's whitelist is another country's blacklist and there are so much stuff in that what does this mean for handling this case I mean Germany is not a 5s country so we are from a the customer engagement yeah the organisation who made us look at the thing it's probably not what I want so this brings up some interesting questions and there is what made it the case of this type of cases much more complicated than they might already be then there is the thing a whole different alien in that moment type of value system is brought in as say confronting the entities responsible for the back door that would be immediately well we need this for national security this is needed to we to get hold of the bad guys in Syria or wherever which might be might be aloof on what it might also just be used for industrial espionage whatever the thing is there was a whole different value system brought into the discussion which by the way applies as well once there was there was a lot of especially in the UK a lot of reasoning of measures surveillance measures which from probably a perspective many people in the room we would consider unethical but there's always like oh this is this is meant to prevent a specific type of crimes against children and with that argument you kill everything which some I mean I have treated sweet Trillian myself I'm not against fighting crimes against children I just want to make you aware that this brings a whole universe of say questions to a technical technology I think debate and one has to be very very clear and aware of what is in the mingling of these 
wondrous systems actually produces again let's take a look the structured approach who are the effective stakeholders then again this is an interesting question some from a very simple equation there is some say
probably a stakeholder, say the entity who put the backdoor in, and there might be those who are not Five Eyes, which is again another group of stakeholders. This raises the question, and you might come up with the line of reasoning: well, this is about internet security. If those devices are deployed on the internet and the bad guys, whoever the bad guys are, could compromise those, this is bad for everybody's security on the internet. But, and this is why I asked the question earlier, when there was this: would you report if, say, a nation-state actor compromised an NGO? The immediate answer of most of us was probably yes. As humans, and I'm not judging anything here, I just want to make you aware of things: as humans, the majority of people here in the room are US citizens. What if this is a matter of national security for the US? Would your answer be the same?

So we have a conflict, and this is a kind of classical conflict, and I call this a conflict of scope, where scope means: what is good for you or bad for the internet might be different once you look at it from a narrower perspective. Something could be good for my country and be bad for the internet as a whole, whoever that is. These types of scoping, and conflicts based on scoping, we will face, we will see. Of course often there is no easy solution to this; there are too many questions to just think yes. You have to be aware of this, you must sit down and have it as part of your reasoning and your decision-taking process. Just to make this clear, I'm not judging any type of outcome of your decision-taking process, I just want to help you to have a structured decision-taking process. If at the end of that one it comes out, well, I'm a US citizen, or I'm a German citizen, or whoever, and that's why I decide, or I think, the proper course of action is the following one, that's perfectly legitimate. You just have to be aware: well, maybe when I take this decision, it's different, another, broader scope of stakeholders is affected in a detrimental way, maybe.

So then there is this thing which I mentioned when I talked about the principlism approach: talk about autonomy, talk about beneficence, talk about justice. The autonomy angle, that's an interesting one for a backdoor: how does having a backdoor, or not disclosing it, affect the autonomy of all the organizations which might be affected? If, by keeping your mouth closed, you foster the practice that systems can be compromised by a nation-state actor, which is maybe not in the interest of, I don't know exactly how many countries there are in the world, that's 212 or so, minus five, 207 countries might be affected in a way that is different from those five countries, and 207 countries might be affected in a way that violates their autonomous decision-taking, like informed consent. Think about the medical field: there's this thing, informed consent. What about informed consent for the people who use this device which has a backdoor built into it? So this was a quite interesting one, and it serves as a nice example, or not so nice example, a very telling example, of why principlism, do no harm, be good to everybody, treat everybody fairly and in an equal way, and respect the autonomy of human beings, all this is nice, pretty much everybody in the room is probably willing to check yes, that's good, but, well, the world is more complex. You will see conflicts and you will see dilemmata that principlism alone cannot solve, and this is the main weak point of principlism: it's broad, usually, but for actual decision-taking in actual situations it might not be too helpful. This is my experience.

So you might ask, obviously, what we did. Well, this was a speculative case study, it didn't really happen, and I can neither confirm nor deny that this thing ever happened, so I kind of
skipped that one. I mean, I'm in favor of disclosing a thing, but if you do, think about the countries affected and, well, get a good lawyer, that's what I would suggest in that case. But again, this was wholly speculative.

Next one: domain controller case study. A customer shows up and asks us, okay... we have a
team which is specialized in AD and Windows security, and they got a request from a customer: can you help us with analyzing the logs of a domain controller for specific, say, behavior? And we were like, sure, we could do this, we have the expertise to do so, could you please describe in a bit more detail what you need from our side? Well, you know, we have that guy Frank, and Frank is a leader of the local activist movement, and we think that Frank is leaking information. Well, okay, and so what? And you need to find out that Frank is indeed leaking information. We were like, wait a second, this is not only a technical question, can you tell us a bit more? Yeah, you guys must help us getting Frank sued. I mean, it was not that drastic, but thinking about it, the more questions we asked them, the more dubious it became: what do you want, what is the objective of the activity you want to bring us in for?

This was brought to the Ethics Committee, and again a line of structured approach was kind of followed. Get the facts: well, that's not easy in that case. So, okay, yes, there are lots of logs to look at, the customer couldn't really specify which type of activity to look for, but this could have been solved in a technical way or another. But there were some elements which remained unclear, which didn't really help a well-informed ethical decision-taking. The next one is, well, look at the way this affects the principles; the first one is always autonomy: you could ask, what about Frank's autonomy when we perform this activity? But the thing is, Frank has a contract with the organization which, by the nature of the contract, and this is fully legitimate, there are laws, and there's contract law, and there's a lot that restricts his autonomy in some way. And so I would say there's a frame which restricts, and you can't easily surpass this based on ethical reasoning. Well, you know, there might be
situations where law and ethics conflict, but when those situations occur, be very clear about your own agenda, and you should accept that laws are there for a reason, and in most countries laws are based on common reasoning in some sense. I'm not against civil disobedience or anything of the sort, it's just that life is at times more complex than your personal perspective, or Frank's personal perspective in that case.

Beneficence, that again is an interesting one. Say there are types of actions: you could do the job, or you could refrain from doing it. I mean, doing the job, who's affected by this? Say the activity is performed... Oh, I only have three minutes left, then I will speed up a bit. That is unfortunate. Can I get an extra five? Then I can manage. Thank you, thank you. I apologize, I am giving this for the first time, apparently I spent too much time on the first part.

The thing is, there is a human person versus this organization, which again, when it comes to who benefits and who gets harmed, is a very common conflict: things that are good for an individual, for one human, might not be good for the organization, or vice versa. And in general humans tend to favor humans, which is the whole theme, some of you might know Casa de Papel: there's a group of humans which you have some favor for, and they in some way fight against or exploit a broader system. This serves as a perfect example of who's affected: individual humans as opposed to an organization. And in general humans tend to favor humans, which is human, but one has to be aware of this; it might not lead to the right outcomes, or to the best possible outcomes from an ethical line of reasoning, in specific situations. In this one I can already tell you what we did: the Ethics Committee suggested declining the job, and what the Ethics Committee issues are called recommendations, but those are expected to be followed by everyone in the company
including management. So we didn't do the job.

Very quickly on this: things might not be good for a larger group. There is a whole thing on internet scanning, and I can tell you on this one it's kind of the same dilemma. There were people who said, well, we scan the internet for IoT devices and vulnerabilities, and that's good for everybody. So there was a group of technically skilled people, from a specific demographic, very often male, Caucasian, right, and they decide on what's good for everybody out there. You can probably already get the inherent problems. Two people showed me five minutes, I got that, I see you. I'm losing time when I react to this, I won't go further, yeah, I know, I will quickly go through this, thank you.

With internet scanning you usually violate the principle of autonomy of those people whose devices you scan, and you might turn up bots or whatever, without them giving you informed consent, which you probably have not got. You can already spot I'm not a fan of this at all. At our company you have to cross very high, say, boundaries to get a project approved which does internet scanning in some way. And when I was in the technically very sound SATCOM talk yesterday at Black Hat: they did the scanning and they found devices which at the time of the scanning were thirty thousand feet high, with exposed shells. I was scratching my head: wait a second, did you have informed consent of the people in the plane at the time that you maybe crashed a twenty-year-old VxWorks box by scanning it from the ground? Probably not. Anyway, these slides will be published, but just to give you a quick idea: the scoping thing is important, the scoping might be problematic. Very quickly, I only mention this: we declined the project.

Very quickly, two more case studies. This one was interesting as well; it actually is the first one on the timescale, so this led to the creation of the Ethics Committee. We got a request: can you perform a training on telco technologies? And we were like, yes. And then, while we were doing the setup phase, it was like, well, can you do it in a way with Russian, I call it translation, a real-time Russian translation? And we were like, well, maybe people will learn a bit less, but if you pay for this, we can do this. And then it turned out they only wanted to look a whole week at interception capabilities in some interfaces, and that was, why? Okay, why do they want this? Again, this brings up many interesting questions: who are the affected stakeholders, what is the goal, what about autonomy and informed consent? Again we have this country versus other countries, or versus its own population thing, and we don't even know, it's perfectly legitimate, but it sounded not so legitimate. The thing is, we did the job, as we had already committed, but this led to the creation of the Ethics Committee to relieve individuals: the guy who did it, he wasn't happy about this at all. We told him, hey, we have already committed, so do it, but in the future we will have a committee which decides on this. I have another one, I can't tackle this one, it's an interesting one as well, you can probably get the main points from the slides, which will be published.

Conclusions. There's a thing I would like to make clear here, this one:
Conclusions: understand that ethics affect a lot of things you do, and understand there are these formal approaches, and go through those: get the facts, get the values, get the stakeholders, identify what could be done one way or another. This is not an easy task, and with this I will conclude. I already told you I have a literature background. There is a whole genre of medieval literature with the court of Arthur and so on, and there usually the hero, which in that case is pretty much always male, which is why I'm going to use "he", the hero sets out on quests. At some point the hero has to decide, right or left, and at the first stage usually, pretty much always, the hero chooses right, as this is the easier way. The hero arrives at court, he might even win the first tournament, the king might even promise, you can marry my daughter (the concept of autonomy is violated, but it didn't so much exist at the time), but then chaos kicks in and he loses everything. He starts again at the same point, right or left, takes the left path, that's more tedious, that takes more time, more reflection, more work, but that's the one that leads you to the Grail. And this is the message I want to give you: when it comes to ethics, it takes time, it takes effort, but it's worth it. Thank you. [Applause]