web application security lab

Fortify Documentary

You may have already read about this on Jeremiah’s site, but the rumors about me being in a documentary are true. It’s a short one (only 20-something minutes, I think) but nevertheless. You can see a preview of it here. It tries to describe how serious the dangers of internet insecurity are to the global economy. I thought it was really well done, actually.

One thing I thought was hilariously ironic was a quote by Howard Schmidt (ex cyber security czar for the United States, who replaced Richard Clarke): “We should never ever ever be so arrogant to think that we’re not a potential victim or our data has not been compromised or that there’s not some adversary out there that’s just as smart if not smarter than we are who won’t be able to compromise that data.” Then the camera flashes back to me as he’s finishing his sentence. The irony being that I’ve actually briefly worked with Howard before. This industry is just too small sometimes! So there’s some funny editing work in there to point to me as the bad guy, but I’m not offended. Someone has to be the antagonist. Fortify is showing the documentary in three places around the world (SF, NY and London). It was fun!

8 Responses to “Fortify Documentary”

  1. cyberlocksmith Says:

    So have you seen the entire movie yet? Or just the trailer like the rest of us?

    Just curious.

    Also, does this qualify as your 10, er 20, minutes of fame? Are you going to get an agent now? =)

  2. RSnake Says:

    I _think_ I’ve seen the whole movie, but I’m not 100% sure. The version I got was months ago so I’m not sure if that was the final cut or just a sample or what. So your guess is as good as mine…

    I think this is more like my 50 seconds of fame cut up into 10 second increments. ;)

  3. sirdarckcat Says:

    Wow, did you have permission from AOL, or can you show PoCs without legal issues?

    I was thinking of showing a PoC (alert(document.cookie)) at Digg in a little presentation I gave, but I wasn’t sure if that was legal or not :/

    Awesome :P

  4. RSnake Says:

    @sirdarckcat - No, I had no one’s permission, but I didn’t actually hack them, I just showed that they were vulnerable by hacking myself and left it at that. The point wasn’t that they were vulnerable, it’s that everyone’s vulnerable. That’s also when I found the TJMaxx XSS. I’m not sure how well that comes across in the movie, but that was the original point of that discussion.

  5. Emma Says:

    This is interesting and I found this post at a pretty good time since I’m cram-studying for a law exam tomorrow (covering: Computer Misuse Act, Cybercrime convention and Transborder Data Flow).

    Since I’m feeling super hot and on-key with the European law, how does the law of your own country (the US?) affect your travels for security flaws? Here (UK) it’s my understanding that searching for security flaws isn’t legal because you’re doing it knowingly.

  6. RSnake Says:

    @Emma - I’m no lawyer but the laws I think we are talking about fall under these basic premises:

    “the truth shall set you free” - meaning 50% of the law is intent. If my intent is only to show and discuss the vulnerability rather than exploit it for any sort of monetary gain, then I’m in the clear.

    The second is “nullum crimen, nulla poena sine praevia lege poenali” which is long hand for “ex post facto” meaning you cannot be convicted of something that is not a crime, even if someone creates a law for what you’ve done after the fact. Currently there are no laws that say it’s illegal to hack yourself.

    There might be a possible exception with DMCA, which is more a civil law than a criminal law anyway and wouldn’t apply here, because we have no access to sources or binaries.

    This is an interesting anecdote. A large security company had a vulnerability on their site that I talked about. They contacted a friend of theirs who worked for the Secret Service, with the intent of putting me in jail. The Secret Service said that they couldn’t find anything I had done that they could convict me for, as the attack in question (XSS) did not negatively impact them in any way (only the people who clicked on the link, which was intentionally benign). I later found this out from that exact same Secret Service guy.

    Again, I’m no lawyer, but it would seem to me that this is evidence enough that what I’m doing is not only ethically okay (since I’m not doing anything to intentionally hurt anyone - in fact the exact opposite as I’m trying to help people’s understanding of the issue) but it’s also either completely okay or at least legally ambiguous enough where it’s not an issue for people in the United States at the moment.

    Samy (from the Samy worm) proved that using XSS to build worms, however, is not okay. While the impact wasn’t to steal money, it did cause downtime (no different than a denial of service in some regards). So that is the only case law I’m aware of that specifically talks about XSS.

  7. Emma Says:

    Thank you for your reply, RSnake. I was reading through the Computer Misuse Act (1990) (without amendments from the Police and Justice Act (2006)) which, according to my wonderful 1-week-lawyerish-experience interpretation, is out to protect the computer systems… I had been wondering if, though your intent is fair (I think) and great for educational purposes, you were walking on a thin line or not.

    I’m at that rampage-about-new-found-knowledge stage of learning :D

  8. Bipin 3~ Upadhyay Says:

    I am no law expert either; however, cyberlaw is becoming another area of interest for me. Following the recent Orkut XSS worm, I tried to analyze the legal impact that such worms could have with respect to the IT Act 2000 (Indian cyberlaw, roughly).

    @Rsnake: Absolutely no intentions of spamming. :)