- Regulation and cyber-security 1
- Helpful Hackers, How the Dutch do Responsible Disclosure, by Chris van’t Hof
- DropBox: Protecting Security Researchers
- US Department of Justice: A Framework for a Vulnerability Disclosure Program
- Software Vulnerability Disclosure in Europe
- “Hacking” - crime or digital self-defence?
- What is responsible disclosure? & Elements of Danish law
- Responsible disclosure, in the past and today
- Vulnerability disclosure policies
- Typical issues with VDPs & US DoJ Framework
- Exercise: write your own VDP
According to Wikipedia:
In computer security, responsible disclosure (also known as coordinated vulnerability disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended.
- Disclosure: the vulnerability is disclosed to the public
- Embargo period: the disclosure happens after a period of time that allows the vulnerability to be fixed
- Coordinated: the hacker and the relevant organization work together to fix the vulnerability
IT giant reported Esben to the police for hacking
IT hole in the day-care placement system has given access to CPR numbers and names for 12 years
(from https://www.cybertraining.dk/regulation_1/)
- Actus reus: the criminal act
- Mens rea: the mental condition of guilt
- Impunity: e.g. self-defence, consent
- Crime is the act described by a statute
- Attempted crime “shall be punished as an attempt when the offence is not completed”
- Withdrawal from attempt: when the perpetrator voluntarily prevents the crime’s completion
- Complicity: the punishment applies to accomplices as well
- Withdrawal from complicity: when the accomplices stop the perpetrator from completing the crime
- direct intention: committing an offence with purpose or knowledge
- high probability: no direct intention, but the perpetrator saw the effect of their conduct as a highly probable consequence of the act
- eventuality: the person sees the occurrence of the crime as a possible outcome but would have acted even if he had seen it as certain
- negligence: the person has not acted with the appropriate care and consideration for others
Acts committed in self-defence are exempt from punishment if they were necessary to resist or ward off a present or imminent wrongful assault and do not manifestly exceed the limits of what is reasonable in view of the danger from the assault, the assailant himself and the importance of the interest assaulted.
The Danish Criminal Code section 13(1)
- Consent from the victim can lead to impunity:
For instance, consent from the owner of an IT system to a person to hack the system in order to search for security vulnerabilities will not be punishable according to the statute of ‘hacking’ in the Danish Criminal Code.
No specific definition of cybercrime has been established, so what exactly is cybercrime?
Two types of cybercrime:
- where data systems are attacked, e.g. hacking or DDoS
- where other kinds of crimes are facilitated by digital means or communication platforms, e.g. fraud or threats
We focus on the hacking provision (§ 263) and data fraud (§ 279)
Additional provisions:
- Threats (§ 266)
- Unjustified coercion (§ 260)
- Blackmail (§ 281)
- Child sexual abuse material (§ 235)
- Acts of indecency (§ 232)
- Defamation (§ 267-271)
…and others (see material)
A fine or imprisonment for a term not exceeding one year and six months is imposed on any person who gains unauthorized access to any data or programs of another person intended for use in a data system.
Fraud covers any trick one person plays on another to obtain an unlawful gain.
A person is guilty of fraud if, by wrongfully creating, confirming or exploiting a mistake to obtain an unlawful gain for himself or others, he induces another person to perform or fail to perform an act and thereby inflicts a property loss on such other person or someone to whom the performance or failure becomes essential.
Fraud is punishable with up to 8 years in prison
Traditionally fraud only covered actions where humans were being deceived. Data fraud covers those circumstances where the data system is deceived.
A person is guilty of data fraud if he wrongfully edits, adds or deletes data or programs for electronic data processing or otherwise wrongfully attempts to influence the output of such data processing to obtain an unlawful gain for himself or others.
Note that data fraud is completed when data are entered into the system and there is no requirement that the victim incurs a loss.
- Actus reus: has Esben committed acts covered by the hacking provision (§ 263) or data fraud (§ 279)?
- Mens rea: what is Esben’s mental condition? Intention/high probability/eventuality/negligence
- Impunity: has Esben acted in self-defence or under consent?
Bug bounty programmes today
- Bug bounty programmes are not a new thing: in 1994 Netscape offered to pay 1000 USD for vulnerabilities found in Navigator 2.0
> Given enough eyeballs, all bugs are shallow — Linus’ law
- Bug bounty programmes find bugs faster, and /cheaper/
No industry or profession has experienced an evolution quite like hacking. It started in the darkest underbelly of the internet, where hackers roamed the online world in search of vulnerabilities.
It later grew into a respectable hobby, something that talented people could do on the side. Now it’s a professional calling: hackers, pentesters, and security researchers are trusted and respected, and they provide a valuable service for us all.
[[file:img/finisterre.jpg]]
[[file:img/rewired.png]]
[[file:img/doj-vdp.png]]
[[file:img/cvd-europe-map.png]]
[[file:img/1-responsible-disclosure_files/image.png]]