
The IT security culture, hackers vs. industry consortia - BuuQu9hu
http://laforge.gnumonks.org/blog/20161206-it_security_culture_telecoms/
======
lmeyerov
Coming from research land, both academic security and beyond, this seems like
a misunderstanding of how the broader CS research community achieves "standing
on the shoulders of giants".

1\. The impetus in the academic research community is to disseminate, not
hide. Likewise, most research is not considered a one-off but a progression. I
highly encourage looking at writings by CS research leaders like Simon Peyton
Jones and David Patterson on their approach to having shaped large areas of
computer science for the last 30+ years. Reasons include improving your own
understanding, improving how you present it to others, and getting others
engaged.

2\. There is a personal bean counting aspect that some researchers are stuck
with that limits where they do the first conference publication. They care due
to particulars of the promotion process, e.g., tenure, which is in turn
subject to publishing rules for academic conference & journal papers around
minimal publish units. None of that applies here.

HOWEVER, the author is clever here! As the point is to disseminate & improve,
by taking an unusual position and writing about that, they've achieved the
goal.

And final caveat: the non-academic security researchers are among the few that
(a) have individuals making up and following personal ethics and ignoring
internal review board (IRB) etc. regulations that scientists are required to
follow and (b) are fearful of/surprised by getting their results buried, most of
the time (but not always) IMO as a result of that.

------
delinka
"How could they?"

Sounds like a Responsible Disclosure kind of thing to me. However, they didn't
just ask for the research, they requested additional work in the form of a
presentation. That's labor for which there should be compensation. Further, you'd
want a contract with this potential client that explicitly prevents the client from
blocking other presentations and publications; perhaps even barring this
client from speaking publicly about the research and what you've found any
time before your public presentation. They need to cover the legal expenses
for the researcher as well.

So you give them a price to get this advance presentation. Maybe you offer an
olive branch (and maybe you label it "responsible disclosure") that they might
also have access to the research itself before publication.

Or maybe you tell them to stick it and go public on your own schedule and
throw this industry group under the bus. But that seems like destroying the
canyon wall before any bridges could even be built (let alone burning bridges
that may have already existed...)

------
tptacek
I guess I sort of understand the urge to refuse requests to privately present
research findings to companies, but the moral math they're using doesn't
really hold up for me. Sure, sharing knowledge and helping people learn is a
great reason to give a talk. But if your talk pokes holes people didn't know
about in some important technology, then _getting those holes closed_ is
another reason, and those private presentations are going to make that happen
faster.

I think it's totally reasonable to demand compensation for private
presentations (else, why not just have the company attend the CCC talk?).

I think if you've got Stallman-esque purity, it's reasonable to refuse on
principle: you don't want to do anything to help un-free software.

But I don't see any such coherent reasoning here.

~~~
ChuckMcM
Reading between the lines of the original (and I realize I'm being very
generous) was perhaps a fear that once they knew the content they would take
some action to prevent it from being discussed at CCC. You can't get a
judicial figure to agree to an injunction based on "we think this will be
damaging to us but we're not sure" but you can get one based on "this is what
the guy is going to talk about and we're going to be damaged in this way..."

~~~
delinka
"...take some action to prevent it from being discussed"

This is where the researcher needs legal advice and a contract with the
client. Sure, do the private presentation, but make sure you have a contract
that says the interaction with corporate staff in no way prevents the
researcher from presenting the findings publicly.

~~~
ChuckMcM
I certainly agree, but if the private presentation offer was predicated on
understanding the risk so they could start an injunction process if necessary,
then they wouldn't agree to a stipulation that they _wouldn't_ file an
injunction. That would defeat the purpose.

That said, it might be a nice way to test the waters with them to understand
their actual agenda. If you said, "Sure I'll come and give you a talk but you
need to all sign and say you will take no action to prevent my talk from
happening in the future in public," and they refuse to sign such a
stipulation, then you have your answer on their motives.

Note that if that is in fact what they were trying to do, and you "gave away"
that you knew what they were trying to do, it might just force them into
action anyway even without a lot of evidence that the talk would harm them.

~~~
Nomentatus
That or they wanted to privately short a lot of stocks...

Note that their promise not to push for an injunction holds little meaning,
since if a transcript or recording was passed on to some corporation not so
pledged, that corporation could still press for the injunction. The way to be
discreet is to be discreet.

------
nickpsecurity
Wow. I just read a great example of why good things won't happen in the
cellular industry. The people doing research supposedly wanting things to be
better were offered a chance to present the problems and/or proposals to the
industry. They told them to screw off then wrote a blog post encouraging
everyone else to do the same. The industry, esp. its leadership, certainly
created the problems. Some in industry in the middle and on the bottom do what they
can to fix some of them. Him saying no is an example of the hacker part of the
problem where they are about digging up and talking about problems but not
taking action that might remedy them.

Note: These hackers don't represent hackers in general. Many if not most bug
hunters are more than happy to tell the suppliers what they found. I'm only
focusing my comment on those with opinion similar to author.

The only concern I'd have is they try to prevent the CCC talk with legal
action after the presentation scares them shitless. I don't know what the odds
of that are for telecoms or CCC talks. I know companies occasionally try to
block a damaging talk in the States. I'd ask for a contract from participants
saying they wouldn't block the talk or sue me over discussing any flaws I
found in my work. If they refuse, I'd offer to deliver them a presentation in
video through email or posted to that conference's web site _after CCC_.
Alternatively, show up at next year's conference at their expense to deliver an
even better talk.

------
droopybuns
>>I could hardly believe it. How could they?

Via email, I'm assuming.

>>Who am I?

One of the authors of OsmocomBB and OpenBSC, two tools that have enabled
foundational research into vulnerabilities in mobile networks.

>>Am I spending sleepless nights and non-existing spare time into security
research of cellular modems to give a free presentation to corporate guys at a
closed industry meeting?

I doubt anyone has that expectation. Harald has created a penalty for asking
if there are disclosures that need to be addressed.

>>The same kind of industries that create the problems in the first place,

Has open source eliminated security vulnerabilities in software?

>>and who don't get their act together in building secure devices that respect
people's privacy?

Is the situation getting worse, staying the same or getting better over time?
I can confidently argue better.

>>Certainly not. I spend sleepless nights of hacking because I want to share
the results with my friends. To share it with people who have the same
passion, whom I respect and trust. To help my fellow hackers to understand
technology one step more.

That reasoning is what it is I guess. I don't agree with the clique approach,
but I respect him for being so blatant about it.

Good for the GSMA. Change at scale is hard. It takes time. Some of these
conference presentations help motivate change (Stagefright comes to mind)...
Lead time helps the worker bees get executive alignment to invest in fixes. It
is better for everyone that they at least tried to get some information for
marshalling a response. Not all presentations are as serious as their title or
abstract suggests. I guess we learned where Harald's priorities lie.

~~~
justinclift
To be fair, it's far from unknown for the "marshalling a response" to include
legal intimidation.

Not giving a presentation ahead of time could be viewed as reducing the chance
of suppression.

~~~
droopybuns
I understand your point, but he didn't make that argument.

He's been around long enough to know this issue as well. I think it is fair to
infer the risk of legal entanglement did not influence his decision by the
fact that he didn't bring it up.

The way I read his blog post, his main point seems to be about behavior that
reflects being a part of a scene or culture that embodies certain passion and
values.

------
sebcat
A video of the CCC talk referred to in the post:
[https://media.ccc.de/v/33c3-8151-dissecting_modern_3g_4g_cel...](https://media.ccc.de/v/33c3-8151-dissecting_modern_3g_4g_cellular_modems)

------
caseysoftware
I've done this in other areas (not security) and it's worked out well.

Some quick tips:

* get everything in writing;

* make sure there's not a clause, agreement, etc that prevents you from presenting it elsewhere;

* make sure to clearly say what they're allowed/not allowed to do with the presentation - record? share slides internally? publicly share everything?

* clearly document that you continue to own everything 100% - (slides, code, etc);

* get compensation - I'd suggest travel, two hotel nights, per diem for meals, and at least one daily fee on top (travel+presenting is possibly 1.5-2 days);

* make sure you understand what any non-disclosures cover and for how long.

------
draw_down
I don't understand why the company couldn't just attend the already-scheduled
public presentation? Like the author, I would be suspicious of the company's
motives for requesting the earlier, private presentation. Not much upside,
plenty of downside.

------
jackgavigan
Is responsible disclosure not a thing anymore?

------
dguido
Why are you giving the talk in public if you don't even want to communicate
the findings to the people most affected by it?

