Introduction to Practical Ethics for Security Practitioners

What would you do when:

  • you find vulnerabilities in an alarm system sold by local electronics stores as an OEM product (so you can’t even identify the actual manufacturer), one that is widely used in your neighbourhood.

  • you find a backdoor in a network device that might be in active use by an intelligence agency of a Five Eyes country.

  • you’re asked to deliver a training course on telco technologies, and during setup it turns out that the participants want simultaneous translation into Russian and are solely interested in lawful-interception interfaces and surveillance capabilities.

  • you’re asked to help analyze the logs of a domain controller, with particular focus on one employee, for reasons that remain, let’s say, unclear and dubious to you.

  • you haven’t had a lucrative engagement for some months, and there’s this guy asking you to write PoC code for a vulnerability in a smartphone OS. His business card tells you he’s from a state agency in a country that gets “significant coverage” in Amnesty International’s human rights report.

While at first glance infosec might seem to be a mainly technical domain, you may encounter ethical dilemmas very soon after you start working in the field (particularly when you do offensive work). In this talk I’ll give an introduction to tackling such situations in a structured way, on the basis of common approaches and values. The talk is not about providing final answers to the above scenarios. It is, however, about equipping the audience with a suitable set of questions to ask once you find yourself in such a situation. In short, it’s about being prepared. For this purpose I will discuss a number of case studies which we (a group of security researchers) experienced over many years, together with a description of what we did and, maybe more importantly, what we would do differently from today’s perspective.

About the Speaker