
Never Disclose — Until Broken Cyber Law is Fixed

BSides Tallinn · 2021 · 33:47 · 161 views · Published 2021-11 · Watch on YouTube ↗
Category: Policy
Style: Talk
About this talk
This talk will look at what happened when I made a responsible disclosure to a UK NHS tech org in March 2021. I will look at recent reports of cyber-law gone wrong from the UK/US/DE. I will talk about the need for cyber security researchers to be protected in law.
Transcript [en]

Greetings. Next slide if you can. So my name is Rob Dyke, and my talk is entitled "Never Disclose Until Broken Cyber Law is Fixed". So let's do the obligatory little bit about me. Next slide, thank you. So this is me: robdyke.com, GitHub, etc. Long-time open sorcerer. Worked in the NHS for a while. The app you can see in the background there is called Open eObs, which is something that we made: an open source nursing observation system. Pretty proud of that. Patient safety and open source: not normally things that people thought would go together, but we made one. Next slide please, thank you. I also did this

thing. We were talking earlier about smart cards, which reminded me: I made an operating system for the NHS. Oh, wasn't that hard: I put a nice skin on Ubuntu, and that's what we made. Made that in response to the WannaCry events, which I've heard spoken about as well already this afternoon. That was good fun. Next slide please. These days I'm Chief Platform Engineer at Capgemini, and when I'm not hacking at work I'm hacking at home as a bit of an amateur health apps researcher. Something there in the background: I've found some open Firebase URLs. We've all done it, haven't we? We've all left it open. But

I found those by accident, reported those, and that report went extremely well. But I'm here today to talk to you about some broken cyber law, about what happens when it goes extremely badly. Let's move on one, thank you, and another one. So, how it started. I'm going to tell you a little story. Next slide please. About what happened when I discovered some public code on GitHub that had all the bad things that you shouldn't put on the internet, on the internet. I found this quite by accident. I wasn't using a particular tool, wasn't doing one of those mass scans where people search for API keys or buckets or anything. I

found it quite by accident. First of all, I didn't actually really believe that what I found was real. About verifying what I'd found: I managed to identify the owner of the repository and managed to verify the authenticity of some of the contents of that. Next slide please. And after doing all this investigation I was able to ascertain that an organisation set up by NHS England to support open source and open standards in the NHS, in healthcare, had accidentally leaked all of their secrets for one of their line-of-business applications straight onto GitHub. Next slide. So this is obviously

a bad thing, and because I knew the organisation I thought I would write this up as a disclosure, help them out, write it up with information about the repos, where the secrets were hidden in the code. I also did some investigation into the framework they were using, which had, as you can see there, some SQLi and some RCE vulnerabilities. And I thought I'd written up a really nice report and sent it over to them. There's a little example of it there, not the real one; I'll get in a lot of trouble if I post the real report on the internet. Next slide please.

So I thought just sending this over would be simple: send them the report, they said thank you, they took the broken application off the internet and they took the code repos private. Brilliant. Obviously, if you've had your usernames and passwords and API keys on the internet for two years you can consider that they are compromised; taking them down from the internet is a little bit like closing the stable door after the horse has bolted. But it was good to see how swiftly they responded to the report coming into their info address. Next slide please, thank you. So I thought nothing of it

until about a week later, when I received this in my mail. The correspondence from Apperta's lawyers said that I had committed various offences under the Computer Misuse Act 1990, possibly committed offences for stealing intellectual property, may have committed offences under the database regulations that exist because of Brexit, and they demanded some undertakings. Which was a bit of a surprise, because I wasn't really expecting this after being thanked by the organisation for helping them out with this one. Next slide please. So I wrote a bit of a fulsome response initially, along the lines of: your clients put it on the internet, I've just helped them out a little bit by

telling them that they've done a bad thing. But I figured that because the lawyers were quite firm in this correspondence I had to respond unequivocally, so I gave them some confirmations back. It's a normal thing, right? We do a disclosure, we get letters from lawyers. You'd hope not. But I gave them those five undertakings and I thought that's quite clear. But it turns out that it wasn't quite clear. Next slide please.

They were not happy. The lawyer had latched on to this one word, the word "compromised". I mean, I'm in a room of, I'm not in the room, I'm in a room of sec professionals. I mean, if I was to say to you your usernames and passwords are on GitHub, should that be considered... yes, that should be considered compromised. Not that I had compromised it, but the application and anything around it, anything that uses those API keys, should be considered compromised. Next slide. And within an hour of receiving that email I received another bit of correspondence that says that I was boasting of my unlawful extraction of the data and have

threatened to access the systems again. This was because I tweeted that tweet on the previous slide, and then the horse was bolted away. It was getting a little bit preposterous quite quickly. The lawyers were really on me with this, really coming on hard with this unlawful activity bit, and I was starting to get quite worried at this point. Next slide please. Because there's this last bit here: "please advise how we may serve your solicitor". So I'm getting worried now. I don't fancy having an injunction served on me, I don't fancy being taken to court for helping someone out, so I figured that I could no longer bluster

through this by googling how to respond to lawyers' letters, and I had to ask for some help. Next slide. So I did: I reached out on infosec Twitter and asked for help. I said I need to find a cyber-savvy lawyer that can help me respond to this, because I don't know what I'm doing. Thankfully the infosec Twitter family is awesome and friendly and welcoming to newbies like me, and overnight I'd been put in touch with three competent, cyber-experienced lawyers, including someone who works for Google doing their representations. The EFF got in touch; they helped out and pointed me in the right direction. Some of you may be aware of Open Rights

Group and the NO2ID campaigns in the UK; they got involved and helped me out quite extensively. But these things had a cost, and when I received the estimate from the lawyers I knew that I wasn't going to be able to support this entirely myself. So I did throw up a GoFundMe for initially a few thousand pounds, because I thought one letter by reply and they'll go away. Yeah, that's not what happened in the end. So we'll carry on. Next slide please. The letters from the lawyers kept on coming to the solicitors that I had appointed. I was being asked for undertakings, initially, which they had received;

then they wanted a statement of truth, which my lawyer had no idea what it was, but we offered again the undertakings that had been given, and they gave me one final chance to do it. All of this high-stakes language all the time: if you aren't doing it then we're going to take legal action and it's going to get very bad for you very quickly. Next slide please. So after a couple of days with my solicitors (this is just a first statement), the confirmation of facts that I produced with my solicitors ran to something like 11 pages of clearly stepping through what I had found,

what I had done with it, when I found it, who I had advised about it, all of these sorts of things. And then it started to get even sillier. As you can see here, they were asking me to destroy documents that I produced, which I thought was a bit preposterous, because I had done some work with them on open source projects in the past and now I'm getting pressure to delete materials; I have been told that Apperta have revoked my open source licence to use them. But it was getting deeply technical and deeply into these definitions all the time, and

every time we offered a confirmation they wanted something new confirmed. Next slide please. And then it went quiet for a few days, and then I received an email from a detective constable, specialist cyber investigator, at Northumberland Police. It appeared that Apperta had reported my disclosure to them as a cyber crime, and it was about to be investigated whether or not I had committed an offence under the Computer Misuse Act. I'll go into some detail a little bit later on as to what possible offences I could have committed. But I elected not to speak to the police; I asked my solicitors to have the conversation first, and for a couple of weeks the

lawyers and the police officer went back and forth before confirming that there was no case to answer, and that this was a civil matter that had been referred to the police seemingly for vexatious or malicious purposes. Thank goodness, because you don't really want to do a good Samaritan thing and end up with a criminal record. Next slide please.

This got written up quite extensively, this experience that I was having, and I thought I'd paste some of the links to the articles here for people to look at later, because this whole incident began to shine a light on the problems that independent security researchers face when working in the UK. And it coincided with the 30-year anniversary of the Computer Misuse Act. That's right: we have legislation for cyber crime on the statute book that's older than Google, at 23 years. So with the Computer Misuse Act being considered not fit for purpose there was a campaign going on; it got picked up by these orgs and

written about. The best thing to watch, if you have time (I can't show this for reasons that will become clear), the best thing to watch is the video, because the video put some third-party verification on my claims. I had claimed that there was a repo with information on the internet, and Sick Codes and the Sakura Samurai people found the repository in the Internet Archive Wayback Machine, downloaded it and verified the contents. Yeah, thank goodness for that, because I was beginning to feel that I was not being believed. Next slide please. Which is just an overflow of my CSS, boo. Can I have the next, next slide please?

Thank you. So, as I said, I can't really talk too much about the deep contents of the repository, because after the police had closed their investigation Apperta came forward with some documents that indicated they were going to take me to the High Court and secure an injunction that would prevent me from disclosing what I had found. This, you remember, being the materials I've already said I won't disclose, that I've already said I have deleted. And yeah, it was preposterous really, but to receive the threat of a High Court injunction and to have the looming costs of nearly 60 or 70,000 pounds to turn up to court and defend myself, I couldn't,

I couldn't stomach that. So I entered into an undertaking with Apperta in lieu of going to the High Court, and I am not allowed to talk about what I obtained. Not that I obtained anything, but I'm not allowed to talk about it. So do watch the video, because it's hilarious. Next slide please. So I wanted to now maybe talk a little bit about why that is so awful. How can it be that I can go from doing a good-faith public Samaritan act ("hey friend, you've left your passwords on display on the internet, you might want to change that"), how do you get from that through to huge expense and potentially even

more, and fear of a criminal record? Next slide. Because when cyber law in the UK goes wrong, these are the sorts of things that can happen. There were over 500 emails back and forth between my lawyer and their lawyer, always clarifying points, and every one of those has a cost, right? Lawyers don't work for free; they don't work on open source projects for a reason. No matter how many times I gave an undertaking it didn't seem to get right. So this is probably one of those debugging sort of things, maybe it was a "Laura's code" problem, but trying to get a satisfactory undertaking agreed took a long time, thus ever

increasing the costs. £25,000 is where I've got to in these costs. Thanks to the awesomeness of infosec Twitter, about £15,000 of that has been covered, including, very early on in the whole experience, a sizeable contribution from a well-known corporate that seemingly don't like it when security researchers who are trying to improve the security of the GitHub community get picked on. So know that GitHub has got your back, kids, when it comes to these sorts of things. On the plus side, I did make a lot of new friends and I've spoken with a lot of people

about how cyber law could be improved in the UK. So making some friends was great, getting the legal support was brilliant, but having to have a couple of weeks off sick with stress... I mean, I couldn't focus on my work, couldn't focus on a lot of things, because it was seriously some stressful time, particularly when it looked like I was heading to the High Court. 177 pages of materials were prepared by Apperta for their injunction. It seems that they printed out every tweet I've ever sent and every GitHub repo that I've ever made. But they were serious: 127 pages of legal document does not get made for free,

so if my costs were £25,000 I'd hate to think what their costs were. Thank you. Next slide please. So if that's the sort of pressure that you can be under when it goes bad, and the sort of costs you can be up against, let's have a few minutes now to talk about what needs fixing in cyber law and how we might go about it. Next slide. So as I said, the Computer Misuse Act is 30 years old. It is not really fit for the internet age. There has been a campaign in the UK led by an industry alliance including techUK, NCC Group, Rapid7 and a couple of

other well-known security brands that have been working, lobbying Parliament to review the Act in order to make it fit for internet time. Next slide. In particular, these are the three things that I think are broken.

People who act in good faith, or people who are acting in the public interest, are not protected by the Computer Misuse Act. So if you are a cyber researcher looking into health apps such as the COVID-19 app when that was published, if you had downloaded that APK file and had a look inside it you would be falling foul of the Computer Misuse Act for unauthorised tampering with a system, even though you had no intention of breaking it or stealing from it or in any way trying to compromise it in the black-hatting kind of sense. You are not protected, although there has been guidance issued

to courts and to the Crown Prosecution Service around clarifying intent (did you intend to break in to steal something, or were you trying to be a helpful kid?); that's not on the statute book. There is no obligation for public interest or good faith considerations to be made. So this is a bad thing if you are doing cyber research, either as an independent or indeed as a corporate, in the UK. It can also be weaponised to intimidate; the complaint made to the police is a good example of that. I got off lightly with the police complaint. There have been other cases in the United Kingdom recently where a community group campaigning against a property developer

and a development of the local area, the campaigner group, found on the internet an open Google Drive with some docs in it that gave the property developer's internal view of the project, which, how should we say, was somewhat different from the public view. The campaigners used this document in order to strengthen their objections to the local authorities, but the campaigner received a visit from the police, who raided his home and confiscated his machine, because the organisation had persuaded the police that the Google Drive was a private computer system and, because he did not have authorisation, he had stolen those documents. So he found these documents by accident;

the property developer then weaponised the police to intimidate them and to try and silence the critics. There have been other examples as well, but I think that one plus myself, I think they show how there is a need for the police to have better tools at their disposal when investigating cybercrime. It's also financially ruinous. So I've spoken about my costs and Apperta's costs, but let's think about what that means on the other side. It means that if you've got money you can win in cyber law. Another case from earlier this year: a law firm secured an injunction

against persons unknown to prevent them from publishing data that had been exfiltrated in a ransomware attack. Now you can only get that sort of justice if you can afford it and if you've got deep pockets. In the same way that I was having problems with my own costs, it seems if you've got an insurance company, or if you have a really decent legal fees budget, you can buy whatever law and whatever action you want under UK cyber law. Next slide please. So that's what's wrong. These are the offences that are currently listed under the Computer Misuse Act, and you can see that these are perhaps not

really internet savvy. So "causing a computer to perform any function with the intent to secure access" that you're not authorised to: I think we can understand what that is, but these things can also happen by accident. You can log in to a system and have rights that you may not know that you're not supposed to have. See, there's all of this... sorry, I'll come in again on a bit. This "causing a computer to perform a function" is a challenge for security researchers, because when we use tools like Nmap or Burp Suite or other scanning

tools you are at risk of falling foul of that clause, because you are interrogating a system without authorisation. There is another offence there, so if you're doing something under offence one, which is perhaps a reconnaissance piece, then you are using that to commit further offences. So this is compromising a system and then using it to defraud people. I think that one's probably okay as a bit of cyber law; we can understand that: I compromise the system in order to embed some malware, Magecart, those sorts of things. So I'm committing fraud after I've

compromised the system. But it's this one here, it's this third one, that is really a problem. So it's good insofar as it can cover things like denial of service attacks or malware and things like that, but again it can also cover good-faith, independent, public-interest researchers. You can very quickly find yourself falling foul of one of these three offences as an independent security researcher. Next slide. So knowing that it is broken, the UK government opened an RFC, which was great. I had the opportunity to respond, because I figured that my

experiences really should not happen to another person. Anything that we could do, and I thought I could do, in order to shape an amended Computer Misuse Act to incorporate protections for cyber researchers and to prevent the criminalisation of developers that make either proofs of concept or release tools for discovery on GitHub, I thought that I would respond to those. The actual response and the pool for a response has now closed, and we're waiting for the government to publish the list of responses.

In addition to the Computer Misuse Act, next slide please. In addition to, some of the slides are missing, in addition to reform of the Computer Misuse Act, I think another thing that needs fixing in particular is the guidance that the NCSC have issued on security incident response. Instead of it being guidance for public sector organisations, I think that needs to become a mandatory sort of operating procedure. Some public sector organisations, in the NHS in particular, do extremely well with their cyber response: where they have public code they have a SECURITY.md and they invite both

public bug bounty programme participants and independent researchers to get in touch with incidents. And because the final slide appears to be missing I don't have my pithy little quote on the end, which is a bit of an annoyance. So those are the two things that I wanted to talk about with what needs fixing. I thank you for listening.
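The talk's point that credentials left public for years must be treated as compromised, and that taking the repo private afterwards is "closing the stable door" (copies survive in git history, forks and the Wayback Machine), is illustrated by the following added example, which is not part of the talk and not code from Apperta or the speaker. It is a Python scanner over a constructed, simplified commit history (a list of commit snapshots standing in for real git history; the key patterns, entropy threshold and sample values are all assumptions) that reports every secret ever committed, including ones already removed at HEAD, so that each one can be rotated rather than merely deleted.

```python
"""Walk a repository's whole commit history for leaked credentials.

Constructed example: deleting a secret from the latest commit does not un-leak
it, because it remains in history, forks and web archives.  The commit model
below is a simplified stand-in for real git history: a list of
(commit id, {path: file text}) snapshots, oldest first.
"""
import math
import re
from dataclasses import dataclass

Snapshot = dict[str, str]

PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A quoted literal assigned to a password/secret/token/api-key style name.
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, plain words low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    path: str
    first_commit: str    # commit that introduced the secret
    still_at_head: bool  # False means "deleted at HEAD, but still leaked"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, secret value) pairs found in one file's contents."""
    found = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(match.lastindex or 0)
            # Drop low-entropy placeholders such as "changeme" to cut noise
            # (threshold of 3.0 bits/char is an assumption, tune per repo).
            if kind == "credential_assignment" and shannon_entropy(value) < 3.0:
                continue
            found.append((kind, value))
    return found


def scan_history(history: list[tuple[str, Snapshot]]) -> list[Finding]:
    """Scan every snapshot, not just HEAD, and record where each secret began."""
    first_seen: dict[tuple[str, str, str], str] = {}
    for commit_id, files in history:
        for path, text in files.items():
            for kind, value in scan_text(text):
                first_seen.setdefault((kind, value, path), commit_id)
    head = history[-1][1]
    return [Finding(kind, value, path, commit_id, value in head.get(path, ""))
            for (kind, value, path), commit_id in first_seen.items()]


# Constructed history: c1 commits live secrets; c2 "removes" them from
# config.py, but a new key lands in settings.ini and stays at HEAD.
SAMPLE_HISTORY: list[tuple[str, Snapshot]] = [
    ("c1", {"config.py": 'AWS_KEY = "AKIAEXAMPLEKEY000001"\n'
                         'DB_PASSWORD = "c0rr3ct-h0rse-b4ttery"\n'
                         'ADMIN_TOKEN = "changeme"\n'}),
    ("c2", {"config.py": 'import os\nAWS_KEY = os.environ["AWS_KEY"]\n'
                         'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
            "settings.ini": 'api_key = "9f8e7d6c5b4a3f2e1d0c"\n'}),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        state = "still at HEAD" if f.still_at_head else "removed at HEAD, still leaked"
        print(f"{f.kind}: {f.path} (since {f.first_commit}), {state}: rotate it")
```

Every finding, whether or not it survives at HEAD, is a credential to rotate; the "removed at HEAD" ones are exactly the case the talk describes.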