
good morning everybody Welcome to H welcome to what is going to be an interesting presentation and um I'm either going to upset some people or I'm going to upset a lot of people um there there's no kind of Middle Ground as far as this is concerned um I'm going to be talking about the impact that the current legal situation has in South Africa on the South African hacker cyber security Community but I'm also going to talk about some of the things that are potentially coming down the future as well that are a little bit scary um in terms of uh what we've got to deal with so the Latin term because you can't talk Law Without Latin is ignorantia juris non excusat
which basically means ignorance of the law is no excuse um now as a former cop that's kind of an important thing but I also don't want you to see me as a former cop that wants to spoil everybody's fun um I'm just going to give you some reality checks about how the world works and the kind of impact that it can have on and on my clicky decides it doesn't want to work okay so um a little bit about me um I'm Jason Jordon okay the Geeks in the room should get that one um uh I've been doing forensics for a long time um I'm a massive nerd like a huge huge huge geek
um yeah I suppose I suppose I'm one of the the o kind of digital forensics guys here in South Africa which makes me feel like a really old fart um uh but yeah it's it's fun I love what I do I love catching bad guys I love going to court love testifying um and I've kind of fit into this world in kind of an interesting way um yes while I have been in law enforcement for most of my career yes why do digital forensics work um I started from an IT perspective um in fact B and B sitting over there kind of with we were in the same standard together at school we kind of went through
the same thing you know uh the early ZX Spectrums and Commodore 64s and VIC-20s and so on and so on so that's how we kind of got into got into our computers I'm glad to see that some of our age demographic is represented here by that statement um but but effectively you know when I was learning computers we kind of learned by breaking things we learned by hacking we that's how we did it you know back in those days that was the um so so when I have when I have these discussions I don't want you guys just to look at me as like oh y there's that Jason guy he's you know like a forensic
guy and he just it's all about law and screwing it up for every you know all of us and making our lives difficult um I want to really just look at the reality of the situation and how do we improve things so this talk actually has its inspiration ironically from this year's BSides in Joburg so Charlie and I were in Joburg uh we were been sitting catching up you know always catch good catching up with my friends and this is the nice thing about BSides I get to hang out with my friends um and there was a a young guy that gave a brilliant talk absolutely brilliant talk but effectively he stood up on on the podium and confessed to a
crime and inside my brain I'm going shut the f up shut the f up shut the f up like you just you're just making a confession on video effectively to Breaking the Law now now obviously the guy that gave the presentation that wasn't his intention he wanted to do reasonable disclosure but the reality was it was like holy crap um this this is actually kind of bad so so I stewed on this around because you know the last thing I want is for people in our community to inadvertently fall afoul of the law for doing kind of what comes naturally to us um then how many of you guys on the infos WhatsApp group okay a
couple of you okay awesome so you should you should recognize the logo from the group we were having a chat somebody raised something on the infos WhatsApp group about lockpicking um oh my word uh um if I if I you do lockpicking am I going to get into trouble with the law because in terms of the private security industry regulatory act um I've got to be licensed to to do locksmithing we kind of that had the discussion as well so so it was like Hey Okay cool maybe this is something to talk about so put in the proposal for BSides in Cape Town and it was accepted and of course I kind of follow her myself because it's the first
time I've actually been accepted at BSides which is pretty cool um but yeah it was it was really you know that was the Genesis of this talk of looking at some of the legal issues and and how do we actually address these as a security Community how do we how do we do what we love how do we do what makes the world a better place without inadvertently falling afoul of the law so I'm going to talk about a lot of legal practical scenarios we're going to find ourselves in now first disclaimer I am not a lawyer that's probably a good thing um I'm not a lawyer but I have studied law extensively so uh I've studied law up
until Master's level um I've done criminal law at Master's level I've done law of evidence at Master's level uh for my sins I helped contribute to the cyber crime act in South Africa um this the parts that you don't like I'm just going to say somebody else on the project he did those any ones you do like I'll just claim ownership of those because I'm kind of egotistical like that um no I'm not really but but that that process was kind of important because the deputy Ministry of Justice actually brought people from the security community in to help craft that legislation um I've also written a couple of legal textbooks on information security law so even though I'm not a
lawyer I think I have a fairly good grasp of the legal Concepts which affect us at a practical level so so I want to just start opening up with a bit of a story and I want you to think about the consequence the concept you sitting in your Lounge by yourself watching I don't know you're watching the latest episode of Skeleton Crew and everybody's watched the first episode don't spoil it for me yet I haven't watched it cuz I'm a big Star Wars nerd um but you're watching your your favorite Disney program on uh on Disney plus your favorite Star Wars program or whatever floats your boat and um it's late at night and suddenly you hear something
wriggling on on outside windows something like like somebody's trying to open a window and you don't hear it once you hear it a few times at different windows and suddenly you you see the door you know the door handle on your front door starting to to move so now yet we're in South Africa right if that if if that happens to us what's our first reaction I tell you what my first reaction is I'm I'm racking a freaking round into my glock and I'm ready to shoot somebody through the door like that's what I'm ready to do so so imagine I'm like okay now I'm I'm going to be a bit more cautious I'm not going to do the Oscar
Pistorius thing 'cause apparently you get into [ __ ] if you do things like shooting people through doors so so so I I kind of withdraw I find a nice defensible position and suddenly the door opens I hear a lock you know lock being picked and the door open and in walk somebody and the moment that person walks into my house you know what I'm like cheers Bobby done one single round I carry shock so I know one single round is going to do it um and that's it end of story now take the physical out of it and look at the digital um how often do we in the security Community for lack of a term
um independently test systems without permission but but we we independently test sys now now again the reason I put that out and I started with a physical analogy is that in the physical world if somebody decides they want to test my home security without my permission and they somehow get into my house I'm going to shoot them dead okay and that's sounds very dramatic but we all here in South Africa it's like I'm not just going to throw dirty words at them and things like that um I'm going to I'm going to try and defend my home but in the cyber world we kind of do that a lot without even thinking about the ramifications you know now let's just
let's just say worst case scenario my [ __ ] shot okay but I'm actually not a [ __ ] shot but let's just imagine I was a [ __ ] shot and I I I shoot the guy and instead of killing him I wound him and he goes to hospital and I charge him for house breaking and his defense when he goes to court is but your worship I didn't actually intend to break in the house and steal anything I was just testing the security did you have permission to test the security why would I need permission to test the security I I I test Security in lots of houses around the neighborhood the judge is going to laugh
at you he's going to throw you into a deep dark hole and you may start questioning your sexuality um after said said process um but but the reality is that's that's kind of how it works in the physical world so when we look at the cyber world what is the impact what's the difference that takes place here so so I want to talk about this concept of the road to hell being paved with good intentions yes it is paved with good intentions but also bad intentions now again as a youngster I did what nowadays would actually be criminal um there wasn't law that I broke back in the day and I'm pretty sure most of us of my generation have
done that um but if we did it today it would be constituted as a criminal offense now why did we do it I didn't break into systems as a kid because I was malicious I was curious I wanted to see how the world worked I wanted to figure things out the this Brave New Frontier that would allow me to essentially I don't know just explore the the whole concept of the hacker ethic you know I kind of grew up with that um that whole concept kind of which is probably ironically why forensics fits so well for me because in forensics we Break Stuff a lot of times uh to figure out how they work but how many people in the security
Community do what we do out of curiosity not out of malice not out of intention that we want to um deliberately break into something but we're curious curiosity is a good trait it's a good trait for a hacker it's a good trait for a pentester it's a good trait for a forensic investigator it's a good trait for a cyber security professional but we have to we have to understand that sometimes our own curiosity can get us into trouble um you know the concept of curiosity killed the cat curiosity can also kill the hacker curiosity can also kill the security each not physically I mean it's not like some Network that I've hacked into is going to send up Hitman to come and take
me out um unless maybe I hit North Korea or something which is which is a different scenar scenario I mean there are certain countries in the world I'm not allowed to actually travel to because of stuff um uh but but this is just how the world works so so we often do things out of curiosity here's another thing that we often do again and I think this is a lot of us that are in the security space do this we do things based on the concept of the greater good in other words we actually believe in trying to make the world a better place a more secure place a place that effectively we would like to see our
children grow up into you know in a in a much more um uh secure environment so so we end up using our skills for good and again you see this quite often where um a person will effectively hack in to a network um independently testing the network and then do a responsible disclosure to the the owner of that Network to say yeah these are the vulnerabilities that we identified I mean that's a good thing but it's still technically problematic in terms of how you go about it because what if you do this free security work and the owner says screw you I'm going to the police then what so so we do things for the greater good okay then we have the
Cowboys I don't know at some point in my career I think I was one of these Cowboys who I didn't think the rules actually applied to me I was like this Rogue Gunslinger you know like like I had my code I had a a code of ethics but the my code of ethics didn't necessarily align with the rules of the country and and again a lot of people in the security industry are like this most of us are very independent thinkers we don't like to be told what to do I mean don't tell me as a hacker what I can and can't do with software I'm going to freaking figure this thing out myself and make it do my
bidding um it's part of our mindset it's part of our culture but this can cause problems especially when you have somebody that that flouts the rules a lot more than say somebody that's doing it for the greater good but we do have a fourth category and this is these are the guys I really have a problem with and and I'm very I'm very very very chuffed to see that there's lots of ladies in the room so that's really really awesome um so when I talk about guys it's like the royal we I know I should use the the what's the pronoun these days them they that confuses the crap out of me so I'm just going to go
with the generic guys um and these are what I like to refer to as the bad apples these are the people who essentially will hack into an environment free security testing but the purpose of of that testing is hey I've seen how vulnerable your network is so you should hire me to fix your problems or maybe you should pay me a service fee for what I've done or maybe you should hire my company to come and do this now there are companies in South Africa that do just that um one day the law will catch up to them and again I know that's a horrible thing to just sit with to leave a bit of a
bitter taste in one's mouth but but it's people like this that actually make our industry somewhat less integral um you know our ethics kind of get compromised and we all get tarred with the same brush but all of these sort of motivations are not necessarily criminal so in other words all of the things that I've spoken about now is not somebody an organized cyber group cyber crime group attacking networks for the purpose of um causing Financial loss or stealing information or or doing destructive cyber attacks like we seeing in certain cyber warfare situations it's all people who are doing security stuff without necessarily having a Criminal Intent but we need to really have a grasp of what the legal situation is and
talk about the criminal law now now when it comes to the criminal law in general there's two concepts that we need to understand one is is the act unlawful and unlawfulness basically means does it violate a law so if the law says thou shalt hop on one left foot for 5 seconds every day and and I'm not going to try that because I'm clumsy enough fall over and break my neck um but if if the law says that and you don't do it technically you're breaking the law your actions become unlawful now there are situations where unlawfulness can be eliminated one of those is what we call consent so if I'm engaged okay I'm not a pentester but if
I'm engaged to do pen testing work and the client engages me to test their systems they are consenting for me to actually do that work um when I do digital forensics and I do Acquisitions and Analysis I'm doing that under consent that that permission has been provided to me so even though my actions might technically violate a statute they no longer are unlawful because I've actually made the actions lawful there are a few others um self-defense is one of them uh although please don't try use that argument with hacking back back if somebody's currently hacking you because attribution is still a problem as far as that's concerned um and you also don't want to be hacking back to countries
like Russia whose military Doctrine says that they are allowed to respond to hack attacks with Kinetic weapons um you know the last thing I want is some Russian MiG dropping a bomb on my freaking house because I've been hacking some Russian system back in self-defense although if I go with what's happening in the Ukraine at the moment Russia probably couldn't hit the broadside of a barn so so I think I'd probably be okay um so that is the issue of unlawfulness the second issue that I have to deal with is something called intent now I could say that as a cyber security researcher when I access somebody's system I didn't have the intent to commit a crime here's where
the problem comes in the issue around intent is not whether I intended to commit a crime the issue is did I intend to commit the acts that happened so so that is the big issue if I had the intention to commit the ACT I've satisfied the the reason for intention and and this is why um ironically um and the issue is quite deep but if you look at the the Oscar Pistorius trial that was the issue of intention his argument was well I didn't really intend to shoot the you I didn't intend to kill the person behind the door and the court said you had to anticipate that somebody would be behind the door and if you shot them they may
die that's something which which we call conditio sine qua non okay sorry I'm a bit of a legal nerd as well but it's basically the the consequences of your actions um and and that's one of those issues it and my intention is is determined subjectively by a court based on my actions not what my actual intentions are in my head so those are two things I want you to just bear in mind when we actually talk about the current criminal law situation in South Africa when it comes to security researchers so so a couple of years ago uh South Africa passed the Cyber Crimes Act which I was involved in now first things first I want to give a huge shout
out to the security community in South Africa there were a lot of issues in this act that the State Security Agency tried to push through and it was the security community in South Africa that actually stood up to this and said no we are not going to let this happen and those sections were actually removed from the legislation um even things around the wording of the offenses dealing with hacker tools and things we forced the changes so so big thumbs up to the South African cyber security Community we played a role in making the ACT actually workable for us and for it to actually do its purpose of of dealing with bad guys but there are some
sections in the act that potentially we fall afoul of when we actually do our work so one of the first ones section two is basically the act of unlawful access If I gain access to a computer system unlawfully that is a criminal offense so so in other words um the youngster who is talking at BSides in Joburg who effectively got access to the SQL Server back end of this particular organization through a vulnerability he actually committed the criminal offense he didn't have permission he had the intention of doing the action even though he didn't have the intention to commit a crime and and this is what happened now I want you to think about that for a
point for for a point for point in time he did the right thing he did a responsible disclosure the company didn't do anything about it they they ignored him they they basically left the vulnerability in place but what if that company had been hardos and again we see this all around the world at the moment the company says hold on you've come to us and said you've basically broken into our system we didn't give you permission to do this so now we're going to we're going to go to the authorities and have you prosecuted the authorities have no choice but to prosecute so I just want that to sink in for a moment that that guy did something
again for the greater good but technically broke the law so so this is a challenge and and I've had a lot of people in the security community over the years in South Africa reach out to me and say hey Jason we found a vulnerability in this system um how do I go and report it without actually basically letting people know that I've broken into their systems to find the vulnerability and and I've done a bit of a a bit of a creative approach uh again coming back to my my my law enforcement days I will contact my friends in law enforcement say by the way I have a source who told me about this thing
because I'm kind of trusted in the community so people are like okay Jason we don't want you to expose your your sources in the The Evil dark hacker underground you know because we're all evil dark people right um but we get away with it that way but but what if there's not a Jason to act as that Shield between that person doing the disclosure and the authorities or the company concerned um another offense is unlawful interception of data so uh let's think of a scenario where um okay not Network traffic because that's that's a RICA violation but but effectively maybe I'm doing uh I'm looking at data that's coming back so in other words a web server sends back a
request um using let's say SOAP API or REST API and I intercept that data because I now want to craft a reply to get back into that environment that's interception of data that's a criminal offense um uh unlawful acts in respect to a software or Hardware tool this is what I like to refer to as the hacking tool section which we which we have effectively neutered um basically it comes down to the point of view is that if if you are in possession of tools capable of committing a cyber crime um it's a criminal offense but you have to possess it for the intention of committing the crime okay this is a uh when we actually presented this section
in Parliament before the Parliamentary portfolio committee and I had all these politicians sitting around the table I basically went to each one of them that had their laptops out and said so so you guys say we should have this in its unaltered form just mere possession of the tool is the offense I'm like okay you've got that's a Windows machine what version of PowerShell you running on let me just check okay you got PowerShell version three back in those days um okay I could do A B C D E with PowerShell that makes windows a hacking tool they're like what the hell and and this was this was getting the rationale across that they would they could finally see and
understand that that just normal computers could be used as hacking tools because again they've grown up in this world where you know hacking has to rely on something evil being introduced into the system the concept of living off the land binaries and that just completely escapes the politicians so so but this is still an issue now um what this comes down to is that if let's just say the guy that inspired this talk let's just say he had used I know probably didn't let's say he'd used Metasploit or Mimikatz or whatever just pick your favorite maybe use Cobalt Strike who knows um if he was found in possession of that tool technically it would be a violation of
this of this um act now how can we defend our defend ourselves against this if you are engaged in legitimate security research you can justify the possession of these tools but then how do we determine like legitimate security research well one of the first things being part of this community helps with establishing your legitimacy um I mean look I'm I'm here for the free coffee um and you know the swag um a joke I'm I'm here for my friends I'm here to learn I'm here to share I'm part of this community being part of this community helps with that kind of Defense engaged with things like 0xC0FFEE up in Joburg or BSides in Joburg or
the Hack South Discord channel uh Grant has got the ISC2 Cape Town chapter up and running engage with that um engage with the bodies that do security research it helps you at least with that so so if you ever kind of fall afoul of that at least you've got an explanation but you shouldn't have the explanation after you've got caught and say oh by the way I have these tools cuz I was doing legitimate security research so so what security research have you done oh no I've never actually done anything before this is the first time after I got caught probably not a good idea uh section four is basically unlawful interference with computer or a data
program um classic example here uh buffer overflow attacks I know they're not very popular these days hardly anybody teaches them they got to come back in fashion just let's make peace with that um the moment I push extra code into that system I'm interfering with the functionality of a program if I do code injection to gain access that is interfering with the program I've effectively committed a criminal offense um if I interfere with computer data storage medium or computer system if I start messing around with network settings so say for example um uh as part of my pen test my free unauthorized um pen test um I gain access to a system and I inadvertently
delete data on a drive I've committed that offense the the next one is a big one for us especially in the security Community it's the unlawful acquisition possession provision receipt or use of a password access code or similar data or service now luckily the camera can't see all of you they can the camera sees me but how many of us are in possession of breach data containing passwords no we'd never do that right we'd never do that technically all of us are breaking the law technically again the issue in this section this is also something that we argued in Parliament is that I need to be in possession of these things for the
intention of using it to commit one of the other offenses so so so the fact that I have password hash databases that I use as part of testing passwords when I'm doing a security audit for example um that's okay because I have permission to effectively do that so I'm not committing the offense but if I'm just like hey I'm really curious about this thing I'm just going to have all these passwords on my system and you hear this knock on the door uh usually followed by a boot door being kicked in uh probably not the best uh scenario to then start coming up with excuses now there's another criminal statute which does also impact on us from a security perspective
and this is in terms of the RICA legislation the regulation of interception of communication and provision of communication related information act and this is probably one of the longest pieces of legislation names in South Africa it's a mouthful which is why they summarized it to RICA um but there is a section then in section 49 that says uh any person who unlawfully intercepts any communication commits an offense if I'm wardriving and I'm identifying wireless access points and I then start sniffing Network traffic I start sniffing packets in motion yes I know we got to deal with encryption and all those kind of things but if I'm doing that I'm intercepting Communications I've broken the
law look I regularly break the law when I'm bored sitting at airports um around the world um because you know when you when you're stuck waiting 8 hour layover you got nothing better to do with time there's only so much Netflix you can watch in 8 hours before you get totally bored but the simple reality is is as simple acts like that could potentially um constitute a criminal offense so these criminal offenses in terms of the Cyber Crimes Act in the RICA legislation lead to criminal prosecutions okay um the companies involved or that are affected by the work we do could reach out to the authorities and say hey we're really upset that this guy or this girl
actually got into our systems yeah you know and and we want them prosecuted and again the authorities would have no choice but to do it so the defense to that is twofold one you're either doing it as part of a professional engagement so you make sure that you get um permission or look at companies that do have like a bug Bounty program responsible disclosure program they have effectively tacitly given you permission to do certain things through that documentation if you test an organization that doesn't have one of those two things in place where they give consent or they do have a responsible disclosure or bug Bounty program the risk is on you so just accept that that that is a risk
you have to face now the second thing that we have to worry about is not just the you know going to prison and meeting Papa you because Papa um you know we we we we don't have to worry about that we also have to worry about civil law where somebody's actually going to sue us um they they want to sue us into Oblivion um and there's there's three basic issues that we can look at in civil law which would come down to this one is delict so in other words delict is basically when I commit an unlawful act a criminal act but instead of going to the authorities to prosecute I go to my lawyers and I
sue and I claim damages so I do a security a free security test on a company and uh they turn around in legal papers and say well you know uh Jason's actions cause this and this and this and we had to get external consultants in to come and resolve the issues and and and and and and and and suddenly we want to claim damages of 5 million rand huh like like all I did was find that you had a vulnerability on your web server and you know put in some you know uh extra code and you'll see you didn't have proper um validation on your on your inputs um 5 million Rand that seems a bit steep
but again remember you've got organizations that have the budgets to actually go after you the the concept in law is called a SLAPP suit strategic litigation against public participation and and unfortunately I've been on the end of a SLAPP suit myself where organizations have actually tried to shut me up by trying to sue me um and it costs money to defend yourself even though you you will be successful if you've done everything right that is always a risk that you have have uh on you the second thing is defamation let's just say I I go the whole responsible disclosure route and um the person that I'm doing the responsible disclosure for doesn't actually do anything about
it so I think you know what I'm going to do the ethical thing I'm going to go to the media I'm going to contact ITWeb or or something on those lines and I'm going to talk to a journalist about this problem and all of a sudden firstly I do something stupid I actually get named in the journalist article if you ever have to go talk to a journalist about something like that do it under the condition of anonity anony an that word um do it under the condition of them not knowing who you are um because if they know who you are that company could turn around and sue you for defamation like you have damaged my
reputation and as a result of this I'm going to sue you you know how often I see this litigation play out in in the United States like hugely people friends of mine who have done responsible disclosures the companies have done nothing they've gone to the media about it and the companies have then sued them for hundreds of millions of dollars they don't win the suit invariably but the person has to spend money to defend themselves because if you don't spend money to defend yourselves a default judgment gets awarded against you so you're damned if you do damned if you don't so so that is a problem the other thing as well comes down to
contractual things how many people here actually read the end user license agreement of software that you use okay at least at least I know everybody in the room is honest um you usually I have some bright hor that puts the head up and says Y no no I do it's like you're a lying bastard um cuz none of us read these things but but go read the fine print on those things um there are clauses in there that if you try to reverse engineer software or find vulnerability in software that you actually have a license for you are in breach of contract and they can sue you for it so so yeah
so so in South African law they quite legal now okay okay I say quite legal technically if you look at something like the consumer protection act which would actually govern I mean if I'm a company and I um I'm going to pick on a vendor um okay I'm GNA I'm going to pick on Thinkst okay because I know Haroon Haroon is awesome um I've got nothing bad to say about Haroon but let's just say I I have a a gripe with Thinkst and I decide like oh I'm going to I'm going to sue Thinkst because I don't know or Thinkst decides they're going to sue me for something um that contract that end user license agreement governs the thing now
now technically, in terms of the Consumer Protection Act, you're supposed to explain the terms and conditions of a contract to a person. It never happens, let's be honest, it never actually happens, um, but that in itself doesn't necessarily render the contract void, because there's a common law issue and there's a statutory law issue in civil contract. So for example, um, I could lodge a complaint with the consumer tribunal and I could go all that route, but that might not invalidate the contract. It might mean I can give the terms back, but the other provisions in the contract, like the thou shalt not reverse engineer the software, might fly, and we don't
have any cases that have litigated that in South Africa. Um, if, you know, like I said, Thinkst, um, you know, Haroon's company, I've got so much respect for because of the work that they do, but in the grand scheme of things, as far as mega cyber security companies are concerned, they're not a CrowdStrike or they're not a, um, I'm trying to think of another, the big one, um, but anyway, we're just going with CrowdStrike. Um, Haroon is probably not going to spend hundreds of millions of dollars to litigate me, he probably doesn't have in-house teams of lawyers, uh, doing all the litigation, but if I did that to CrowdStrike, I guarantee you I'm going to, you
know, I'm going to go need to have a proctologist exam to get rid of the lawyers, um, that are sort of descending on me. So those are some of the issues that we need to deal with. The last thing I want to talk about before I talk about the future is regulatory law. Um, there are laws in South Africa that potentially regulate cyber security, um, uh, in the, uh, Private Security Industry Regulatory Authority Act, if you look at the definition of security, technically cyber security falls under it. Now, I don't know how many people of you are aware of this, it was about a year or two ago, uh, PSIRA actually did a
research project where they are arguing that cyber security should be regulated by them, and that is the recommendation to Parliament. Now, that scares the crap out of me, to think that I'm going to be regulated by the same people that regulate the security guards that stand outside shopping malls. It scares me, it really does scare me. But for example, there's issues in PSIRA which kind of would impact on us now, is the issue of lockpicking. So if I, as part of my pen test and doing physical penetration testing work, and I'm doing lockpicking, I technically need to be registered in terms of PSIRA to do that, and if I offer that service as part of my pen test, I
actually commit a crime. So that is kind of scary. So what does the future hold for us? And this is really what I mean, hold on to your hats, things are about to get rough. Just when we thought it was safe to go back into the wilderness, um, the State Security Agency dusts off the cyber security part of the previous cyber crime and cyber security bill and is now trying to push it back through the process. Um, this has not, the bill has not been made available to the public yet, technically it's still a restricted document. Some of us who have been involved in the processes have had sight of this, and this bill scares me
because one of the things that this bill does is going to actually regulate the cyber security industry in South Africa. In other words, if you want to provide cyber security services of any sort, you will have to register with a body to be set up by government, you will have to comply with the rules as set up by government. If you are a software security vendor, Haroon will have to go through this, they will have to register with the government for a license to be able to provide their software in South Africa, and if they don't do it, it becomes a criminal offense. This bill scares the living crap out of me, and the reason I bring
this up in this discussion is that while all of the things that I've spoken about now are realities that we have to deal with now, which we can actually address by having permission, having, um, all the consents and things along those lines in place, this bill is going to require us as a community, when it comes out for public participation, to literally make a conscious decision whether this works for the country or not. I know that's kind of a downer to end the session on, but, you know, South Africa has a strong history of activism about unjust things that impede on our freedoms and our civil rights. Um, this is one of these
bills which has a good intention, I wouldn't say it's got bad intentions, but it is a bill that we need to, as a security community, have a serious look at, because I'm not so sure if I want some pencil pushing, pencil pushing, okay, okay, that was a pure Freudian slip, a pure Freudian slip, um, but I'm not sure if I want some pencil pushing bureaucrat sitting in Pretoria determining what kind of training and skill set I need to have as a digital forensics practitioner, and that person might know nothing about the situation. Um, I don't want some pencil pusher in Pretoria saying that if you want to be a
pentester in South Africa the only acceptable route is to be a c, um, okay, sorry, that's an inside joke on that one, um, uh, but these are the things we need to do. So that is me, uh, that is my session. Thank you very, very much to everybody for attending. I don't know if we've got time for questions? Not? Okay, so to, um, save time, no questions. If anyone's got any questions, see me a little bit later on in the session, and, uh, thank you everybody, thanks for participating. There's all my contact details, feel free to reach out to me. Um, anyway, have fun, cool, enjoy besides
everybody.