Security professionals and researchers operate in a no man’s land between ethical websites and their shadier counterparts. In the dark alleys and back streets of the internet we are able to discover the tactics and trends that are informing the actions of the attackers we spend our days combating. But what if the very act of gathering intelligence for this battle were considered a crime by those you were trying to protect? Unfortunately, it is. Simply by doing the necessary research to competently perform your job, you risk being placed on a variety of government lists of potentially dangerous persons. Sometimes you may risk more than that. Events over the last few years have proven that the chances you will be arrested for doing your job are higher than we might like to think about.
This week there has been some controversy on the web regarding passwords. Despite this sudden spike in conversation on the topic, passwords have actually been a point of contention in the IT Security community for some time. The current controversy spawned from the actions of a security researcher by the name of Mark Burnett who writes a blog on Xato.com. Burnett risked incarceration to release 10 million passwords. He felt it would be helpful to the security community to release all of these passwords along with the usernames associated with them for the advancement of password research. The reason he was worried, and rightly so, was because of what happened to Barrett Brown.
In 2012 Brown was arrested, not for stealing passwords or even committing a legally actionable crime, but for linking to a data dump that was publically available. Granted, this dump was full of tens of thousands of stolen passwords that Anonymous had posted on the web, but they were publically available. Regardless of the fact that Brown was a journalist and not a criminal, the FBI arrested and prosecuted him. He was eventually sentenced to 63 months in jail and an $890,000 fine (according to this EFF article). Brown is still incarcerated at the time of this writing, though there is a large movement lobbying for his release.
This alarming precedent has frightened countless journalists and security researchers into avoiding writing about hacks or linking to data and has made them concerned for their own freedom. Because of this, Burnett felt it was necessary to preface his release with a lengthy explanation as to why the FBI should not arrest him. In my opinion, it is a disturbing day when researchers and journalists are afraid to be arrested for doing their jobs.
As has been leaked on sites, such as this document on leaksource.info, and talked about by EFF and the ACLU, government watch lists do not differentiate the bad guys from the good guys. I assume that I am on at least a couple of these lists for researching hacking techniques, reading sites like leaksource.info and wikileaks, and other perfectly legal activities I have participated in. I am particularly careful not to do anything illegal because I have a family and a job that I would like to keep. I don’t have any need or reason to break the law. In the security community, in order to do our jobs, we have to study and know what the bad guys are doing. This means we have to go to sites that are specifically watched by the government. It means we read publications that trigger watch list entries. Even having used TOR will put you on their lists.
I am glad there are still researchers and journalists out there who will release and report on these topics or we would be far behind the bad actors out there. I will continue to pursue my research, as part of my academic career, my job, and because it interests me. If that means some bored analyst in a huge government building is reading everything I write then I hope he was amused by the Hamlet parody quote last week (courtesy of my wife) and I wish him a Happy Valentine’s Day.
So, don’t give in to scare tactics that frighten you into neglecting to do the research vital to maintaining your status in the field. Keep up the good fight. If it means we have to be on the same lists as the bad guys to stay aware of their trends and tactics, I am fine with that. If it means that we have to be in the same prisons as them….well, then we really have a problem. Given the importance of advancing the research in the field of information security, it is imperative that we enact legal protections for those of us who are engaged in the battle to stay ahead of attackers by monitoring and discussing their tactics in a forum of our peers. The legal system must make it a priority to establish laws regarding the fair and legal use of available resources to further the knowledge of security professionals and researchers. It cannot continue to prevent valuable research from being performed by setting legal precedent without reference to the rights of free speech for the press or the rights of professionals in the field to use reasonable efforts to attain information vital to the protection of private information.