HOPE Eleven: When Vulnerability Disclosure Turns Ugly

Proposed Session

Abstract

Sam and his students have been cold-calling companies and individuals for years, surprising them with warnings about their security problems. Most of them ignore these warnings, but a few (about 20%) actually fix them. He spoke about this "White-Hatting" at HOPE X, but shortly after that, the story changed.

And occasionally, the recipients go ballistic and shoot the messenger. Sam will present a brief summary of previous disclosures, leading up to the LSU Health HIPAA violation that resulted in the SC Magazine article "Professor hacks University Health Conway in demonstration for class". That article made a mess so big that it took a real lawyer, Alex Muentz, to clear it up.

Alex will then explain how he handled this, and offer informed advice on the laws around vuln disclosure, and how to use the media effectively. In addition, Alex will describe a few other cases where attempts at responsible disclosure went wrong, what had to be done to fix it and how the disclosure should have been done.

Speaker Bio(s)

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and has taught classes at many other schools and teaching conferences.

He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. Certs include CISSP, CEH, WCNA & CCENT.

Alex Muentz is both an information security professional and lawyer. When he's not trying to explain law to hackers or infosec to clients, he teaches an undergraduate Computer Crime class at Temple University. He's spoken at Defcon, Shmoocon, HOPE and a few other conferences you may have heard of. He is a graduate of Northeastern University and Temple Law School.


Posted 2-3-16 by Sam Bowne