Hide and go seek, not hide and go tweak

31 Jul 2013 David Dittrich active-response-continuum ethics humanitarian-law improper-ruse law-of-war tallinn-manual
On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called “Tortilla” that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn’t I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don’t have a good answer, that will say a lot about our field’s collective ability to reason about actions along the Active Response Continuum.

A new infosec era? Or a new infosec error?

11 Mar 2013 David Dittrich botnet ethics takedown
On March 4, 2013, a contest was held at the Nullcon conference in Goa, India, to see who could take over a botnet. The Times of India reported that the prize money was provided by an Indian government official and was awarded to the Garage4Hackers team. The co-founder of the Nullcon conference, Antriksh Shah, said “At Nullcon Goa 2013, for the first time in the world the government has come forward and announced a bounty prize of Rs 35,000 to whoever provides critical information on the command and control servers of a malware recently found in one of the government installations in India,” and then tweeted, “Dawn of new infosec era.

The Ethics of Social Honeypots

29 Dec 2012 David Dittrich botnets ethics honeypots irb social-honeypots social-networks the-menlo-report
For the last few years, I have been participating in a Department of Homeland Security sponsored effort to develop principles and applications for the evaluation of information and communication technology (ICT) research. If you are not familiar with the Menlo Report, you can find a description in Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. The Menlo Report. Security & Privacy, IEEE, 10(2):71–75, March/April 2012. I and two of my Menlo colleagues – Wendy Vischer and Erin Kenneally – recently taught a didactic course at the PRIM&R Advancing Ethical Research conference in San Diego.

No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)

10 Dec 2012 David Dittrich active-defense active-response-continuum counter-attack crowdstrike ethics hack-back
This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012.), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk.”) Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so.

FAQ on Kelihos.B/Hlux.B sinkholing

01 Apr 2012 David Dittrich code-of-conduct ethics kelihos kelihos-b-hlux-b
On March 31, 2012, the Honeynet Project published a draft Code of Conduct and a statement about Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown. The initial draft of the Code of Conduct was drawn from concepts described in the The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research that was published in the United States Federal Register on December 28, 2011 for public comment. The Code of Conduct was refined through discussion within the Legal and Ethics Committee and volunteer Honeynet Project members to help make it workable within the structure of the Honeynet Project membership for evaluating the ethics of future research activities.

Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown

31 Mar 2012 Christian Seifert code-of-conduct ethics kelihos kelihos-b-hlux-b
Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted with by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is doing havoc on the Internet; on the other side, are the good guys that have found a way to disable the botnet. The situation is much more nuanced.

Thoughts on the Microsoft's "Operation b71" (Zeus botnet civil legal action)

28 Mar 2012 David Dittrich botnet ethics legal takedown
On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions. Critics of earlier such actions who decried them as “vigilantism”, said this was an incomplete takedown of the entire population of Zeus botnets, or had little impact on delivery of spam after a takedown, do not understand some subtle points about these actions.