Security researchers participate in conferences such as DefCon to demonstrate the vulnerabilities of products or present new security tools. For example, DefCon is one of the world's largest hacker conventions, held annually in Las Vegas, Nevada and tens of researchers showcase their work at this conference. Last year in DefCon 2020, researchers presented their recent research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others. However, some of these talks require ethical reflection on the harms of these disclosures.  We present two examples here to compare and consider from an ethical viewpoint. A. At DefCon 2020, two researchers (Wesley Neelen and Rik van Duijn) at Netherlands-based applied security research company Zolder, showed how they hacked a traffic light management system that is connected to a smartphone app. They talked about how a hacker could remotely control traffic lights . The affected product is used in over 10 municipalities in the Netherlands.  Assume that Wesley and Rik informed these 10 municipalities regarding these issues in the Netherlands, however, only one of them (e.g., Utrecht) took the right action to minimize these risks. Please watch the following YouTube link to get more information about this research talk. https://www.youtube.com/watch?v=L9UUD3a7xP4 B. At DefCon 2017, two researchers (Josh Schwartz and John Cramb) of Salesforce (i.e., members of the Red Team) aimed to reveal MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction, aimed at reducing the time and energy spent on reconfiguration and rewriting malware. The tool does not launch attacks or exploit systems, but it allows red teamers to control the system once access has been granted. MEATPISTOL was pitched as taking the boring work out of pen-testing to make red teams, including at Salesforce, more efficient and effective. Also, they aimed to make it open-source tool so that other security researchers can improve it. However, an executive at Salesforce told them not to release it as open source because it could be used by hackers for other purposes. Just an hour before they were expected on stage, a Salesforce executive sent a text message to Josh and John for not to give this talk . However, the message was not seen until after the talk had ended. On stage, Schwartz told attendees that he would fight to get the tool published. The two researchers were fired as soon as they got off stage by a senior Salesforce executive. Several security researchers criticized Salesforce following the firing, and the community has since forwarded these two researchers a number of job offers. You can watch their talk from the following link. https://www.youtube.com/watch?v=dbIdo9ilEIY  Answer the following questions based on these two case studies: Question 1 Stakeholders and Potential Harms/Benefits (1%) .

1. Security researchers participate in conferences such as DefCon
to demonstrate the vulnerabilities of products or present new
security tools. For example, DefCon is one of the world's
largest hacker conventions, held annually in Las Vegas, Nevada
and tens of researchers showcase their work at this conference.
Last year in DefCon 2020, researchers presented their recent
research on hacking phones, cars, satellite communications,
traffic lights, smart home devices, printers, and popular
software services, among many others. However, some of these
talks require ethical reflection on the harms of these
disclosures.
We present two examples here to compare and consider from an
ethical viewpoint.
A. At DefCon 2020, two researchers (Wesley Neelen and Rik
van Duijn) at Netherlands-based applied security research
company Zolder, showed how they hacked a traffic light
management system that is connected to a smartphone app. They
talked about how a hacker could
remotely control traffic lights
. The affected product is used in over 10 municipalities in the
Netherlands.
Assume that Wesley and Rik informed these 10 municipalities
regarding these issues in the Netherlands, however, only one of
them (e.g., Utrecht) took the right action to minimize these
risks. Please watch the following YouTube link to get more
information about this research talk.
https://www.youtube.com/watch?v=L9UUD3a7xP4

2. B. At DefCon 2017, two researchers (Josh Schwartz and John
Cramb) of Salesforce (i.e., members of the Red Team) aimed to
reveal MEATPISTOL, a modular malware framework for
implant creation, infrastructure automation, and shell
interaction, aimed at reducing the time and energy spent on
reconfiguration and rewriting malware. The tool does not launch
attacks or exploit systems, but it allows red teamers to control
the system once access has been granted. MEATPISTOL was
pitched as taking the boring work out of pen-testing to make red
teams, including at Salesforce, more efficient and effective.
Also, they aimed to make it open-source tool so that other
security researchers can improve it. However, an executive at
Salesforce told them not to release it as open source because it
could be used by hackers for other purposes. Just an hour before
they were expected on stage, a Salesforce executive sent a text
message to Josh and John for
not to give this talk
. However, the message was not seen until after the talk had
ended. On stage, Schwartz told attendees that he would fight to
get the tool published. The two researchers were fired as soon
as they got off stage by a senior Salesforce executive. Several
security researchers criticized Salesforce following the firing,
and the community has since forwarded these two researchers a
number of job offers. You can watch their talk from the
following link.
https://www.youtube.com/watch?v=dbIdo9ilEIY
Answer the following questions based on these two case
studies:
Question 1 Stakeholders and Potential Harms/Benefits
(1%)
:

3. 1.a. Who are the stakeholders whose interests Zolder
researchers (Wesley and Rik) needed to consider in giving their
DefCon presentation, and what potential harms/benefits to those
various stakeholders did they need to consider and weigh?
1.b. Who are the stakeholders whose interests Salesforce
researchers (Josh and John) needed to consider in giving their
DefCon presentation, and what potential harms/benefits to those
various stakeholders did they need to consider and weigh?
Question 2
()
Ethical Considerations
:
2.a. Do you think the 2020 Wesley & Rik presentation was
ethical, all things considered? Why or why not?
2.b. Do you think the 2017 Josh & John presentation (including
its planned code release) was ethical, all things considered?
Why or why not? Was Salesforce right to block the open-source
code release attempt and stop their public talk?
Task 3 Similarities and Differences
:
What are the most important ethical similarities and differences
between two case studies?
Task 4
(
Professional Reputations
:
Assume that you are looking to hire a security researcher for
your team. Would you prefer the researchers of Zolder or

4. Salesforce? What ethical considerations would need to be
evaluated in your decision?
Task 5
(
Legal Issues
:
What are the relevant laws in Qatar and GCC related to cyber
security and what implications would the laws be on the
presented cases?