On ethics

The application security industry is ripe for ethical violations.  If a tester finds a serious but obscure vulnerability during a test, do they report it and collect their paycheck, or do they just forget about it during the readout call, and sell it on some vulnerability trading forum hidden service for fiddy large?  I know everyone reading this is thinking "Well, I certainly wouldn't do the latter!" but what about all the people that aren't reading this? How about their bank account?

Lawyers have similar ethical challenges.  In negotiating rooms for pretty much everything, deals are made.  As in all deals, the person with the stronger position wins.  Ethics are the only thing holding back a more powerful party from dominating a less powerful party. But they do hold it back, because the lawyer is looking for a solution that follows the law, and is fair. Fair to all involved.  That's what the ethics of deal making look like.

Chris Krebs is a top information security professional, and a lawyer.  He gets it from both sides.  And when an infosec lawyer guy, who wants a fair AND a secure world, has to make a call, he does it to the best of his knowledge and ability. That is what professional ethics call for.  In 2020, Chris made just such a call, when he declared the election "the most secure in American history" despite reams of lawsuits from the Trump administration claiming there were security flaws.  Chris had reviewed the cases, and reviewed the security of the system, and reviewed the cross-cutting concerns, and then went to the community to find specialists to make certain of the validity of his analysis.  That is what one does in the security industry when one needs to make a call.

On April 9th, Trump signed an executive order attempting to crush Krebs and everyone he has ever worked with.  Other than the fact that this is an asshole thing to do, it is decidedly illegal. Nonetheless, of course, nobody in the federal government batted an eyelash. "That's OK," I thought, "the industry is going to tear him to shreds over this."

Except they didn't.

I am mind-blowingly pissed. No one should bow to a king, and CERTAINLY not an industry as powerful as the information security industry. But like the tariffs, and Nacht und Nebel, and water pressure, the combination of the denial of service attacks the lawbreaking is causing on our minds and the genuine lack of power the average citizen has against the Executive branch seems to prevent any real action as an individual.  I, though, stand with the EFF. Progressives shout from their ivory towers about the Power of the People. Remind them gently that we have given the government a monopoly on deadly force in this country, and that's what we are facing. My usual response to that is "But you are asking us to die."  I'm not wrong.

So what do we do?  Here is what I am going to do.

  1. Don't obey in advance.
  2. Throw sand in the gears.
  3. Work the system, such as it is.

Let's break it down.

Don't obey in advance.

The information security industry, faced with a clear, definable attack by a known enemy, said "Oh, OK."  That is exactly not what I want to do.  I am not the kind of person that takes on every single slight as a cause célèbre, but this is a different environment.  I will speak up and out. I don't have a large megaphone, but I know people who do, and they sometimes pay attention to what I say. 

I refuse to participate in doing anything to help the administration in any way. I don't care if it benefits me, if I can do the opposite without running afoul of the local law enforcement, that's the path for me.  It is clear that Trump doesn't give a shit about security. Conveniently, that leads me to the next point:

Throw sand in the gears.

This gets into potentially shady shit, but there are legal ways to throw sand in the gears too.  Mail everything at the last minute.  Take everything offered, give nothing asked (unless the sheriff will show up).  Protest, if that is your thing, but for goodness sake be safe. Fill forms with garbage, but don't automate or at least don't tell me. Use Signal, Tor, and when it is ready, Veilid. I won't do anything illegal, I don't look good in orange.

Work the system.

This is the weird one that a lot of hackers miss.  I'm truly acting like a concerned citizen.  I go to my township hall meeting.  I call my federal reps, even if they are crazy nutball woowoo pro-Trump.  I write letters. Start small - politics are local.  Shoot a letter to your mayor.  Your governor.  Your Attorney General.  I wrote a collection of Ohio-based politicians and used my application security experience to explain why DOGE was illegal and dangerous.  Teaching is recommended.

You never know when you will find someone who has a voice and can be that dissenting voice that starts the avalanche.  Don't be crass, don't be loud, don't be an asshole, just express your concerns and ask what the action will be on their part.  I actually got a nicely written letter from Attorney General Dave Yost, a long-time conservative that I think is ripe for the whole "wait, this is bad, I should say something" path.

And I am not just talking about the government.  Talk to people.  Clients, friends, your foosball team.  Jeff Atwood has a great post on this, Stay Gold, America.  Read that next. This is about protecting your people.  Treat it that way.  If you knew about a food recall, you would talk about it.  It's dangerous.  Talk about this.  It's dangerous.

Along those lines, I'm taking every freedom the government offers and holding on for dear life.  I'm an amateur radio operator (KE8PCT).  I have a concealed carry license.  I'd get a pilot license if I could afford it.  My martial art has a philosophy of "know how to use everything around you to get out of danger" and getting licensed to do those things has been a part of my world for a long time.  Highly recommended activity.

Kristallnacht

There is a famous quote, perhaps you've read it. I'll quote it here in full.

First they came for the socialists, and I did not speak out—because I was not a socialist.
Then they came for the trade unionists, and I did not speak out—because I was not a trade unionist.
Then they came for the Jews, and I did not speak out—because I was not a Jew.
Then they came for me—and there was no one left to speak for me.
—Martin Niemöller

There has never been a time when we were closer to this than now.  Being a white, male, cisgendered, middle class man ain't a shield any longer.

The best time to get involved was last century. 

The second best time is today.

Atlas is ready to shrug.
