the anti-shazzzam

A tumble blog of sec, design, observations and content-shares.
May 04

Implied security researcher ("hacker") ethical rules

Particular ethical standards for social groups emerge from experience, and the security community has developed an implied and discreet ethical system. Pondering this behavior, I realized that although there are occasional outliers, it has proven to be unofficially regulated and mostly effective. Below are a few rules, mostly involving interpersonal conduct, I have noticed over the years:

  1. Do not release 0day that was accidentally pasted into a SILC/IRC channel. Quick edit is evil, and a few of us (*cough*) have had the right mouse button get away from us and accidentally paste a day’s work into a channel. We squeak and hope that the people in that channel decide to keep it to themselves. We signed that NDA; we do not want a lawsuit.
  2. Do not steal research. If someone said something that sparks your own research tangent, indulge like a horse at a salt lick. But if someone casually drops a reference to their current research idea or project, do not feverishly research and release it before they do.
  3. The page-up button is our friend. Scroll-back exists. Chat is logged. Do not expect people to welcome you back with open arms if you exhibit poor behavior. Don’t be a dick.
  4. Research ideas are the bread and butter of potential future revenue and recognition. Keep research to yourself until it is mostly infallible and is developed enough to be digested by the public. If the research is not tangible enough, expect that it will be further developed by someone else, or ripped apart by opposing research. Joanna Rutkowska is a prime example of how not to promote your research. People probably would not have wanted to shred her so badly if she had presented herself a little bit differently.
  5. Do not talk about others’ research before they do. Chances are that a friend of yours has told you what they are working on. Let them decide when they want to start the buzz.
  6. Give credit. It is probably not a good idea to post, word for word, to your work distribution list the answer to a question you asked in a channel. Some of the people who provided that answer probably work with you. If the product of your labor depends on another’s help, give them credit.
  7. Thank the people who help you. They probably took time out of their very busy day with no personal benefit, just to help you succeed. Make their day by letting them know how positively beneficial they are.
  8. Cite your sources! If you are expanding on someone else’s research, state it in your paper, blog, or slide deck. If your idea came from somewhere else, state it.
  9. Review others’ research. All researchers need a sanity check and an extra pair of eyes to go over their work before it is released.
  10. Make yourself available. The entire community (not to mention the entire security sphere) benefits when people act as resources for others’ improvement.
  11. Choose your conduct wisely. People remember. Shady behavior is noted quickly. A lot of security researchers rely on each other as trusted sources. If you behave badly, your story will live forever.
  12. Preserve anonymity. Unless explicitly stated, do not expose another’s identity, associations, or opinions without their permission.