Ethical questions for security experts

Alex Stamos's Defcon 21 presentation The White Hat’s Dilemma is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.

It gets especially interesting when it delves into hypotheticals for security experts, like:

You find a critical remote exploit in a very widespread product. Do you:

A) Publicly announce the flaw immediately

B) Build a whole Black Hat talk around it

C) Perform responsible disclosure with deadlines

D) Use it to sell “consulting” to the vendor

E) Weaponize and sell directly to your government

F) Weaponize and sell to a trader

G) Use it yourself for fun and/or profit

The White Hat’s Dilemma (via O'Reilly Radar)

Notable Replies

  1. Why is "First, Do No Harm" listed third?

  2. it's a stack...

  3. H) Do nothing, tell nobody. Accept that it will likely be exploited by others.

  4. It's nice to see this conversation is happening, but I suspect it will be in vain. Electronic security is the kind of thing it only takes one black hat to ruin. There are a lot of black hats, many of them working for our governments. If 99% of engineers agree to play nice, the other one will eat their lunch.

    The only solution is "peace through strength." Strong crypto, strong anti-malware, etc. I guess Norton won't ever remove the NSA's back doors, but PGP and TOR seem like they still work, and their creators haven't been jailed yet. A good strong open-source malware killer would be a blow for liberty - and therefore an act of treason. A nice start would be a free tool to remove the crap that got in via TOR last week - but the programmer would be a hunted criminal.

  5. bkad says:

    I disagree, if the goal is to make people think about ethics. (If the goal is to prevent people from ever doing unethical things, you're right that is unrealistic not only because of human weakness but because we do not all agree on what ethical behaviors include.)

    I think it is a really good idea to encourage people to think about ethics, and to imagine in advance how they would respond to various situations. Boing Boing may have a high percentage of readers who are already thinking about ethics (it's an activist blog), but that approach to life is far from universal. When I was in school/grad-school I thought of professional ethics mostly as something other people had to worry about. My rationale was that as a physical science major my work was inherently ethically neutral (science is neither good nor evil) and that since we didn't have human subjects or provide goods or services to humans we didn't have much to worry about. Sure, doctors and business majors had to worry, but not us scientists, I thought.

    I think it's easy when you spend most of your time working with THINGS instead of PEOPLE to forget that people nonetheless can be affected. Also, at least for me, it is helpful to remember that even though I am not a business 'decision maker', I am nonetheless empowered to be more or less ethical.

    Now, I claim to know where I stand. I work in defense and long ago made a mental list of what I would and would not be willing to do (e.g., I won't design firearms, bombs, or other offensive weapons) and how close I'm willing to be to people who do these things. But if asked, would I be tough enough to choose unemployment? That's where some of the imagining and the mental roleplay is useful, so that I have a plan in advance, and failing that, at least more honesty.

