The information security world is constantly buffeted by the struggle between whitehats, blackhats, antisec, greenhats, anarchists, statists and dozens of other self-identified interest groups. While much of this internecine conflict is easily dismissed as "InfoSec Drama", the noise of interpersonal grudges often obscures a legitimate and important debate: what is the definition of "security" to whom do we provide it?
The last several years have made this external argument and internal ethical debate much more difficult to individuals gainfully employed in InfoSec, thanks to politically motivated prosecutions, domestic surveillance by democratic societies, and even the direct targeting of large companies by their home nations. What rules should guide us in deciding what jobs to take, what services to provide, and our actions in the public sphere?
This talk does not have the answers, but hopefully can help the overall community ask the right questions. We will begin with the speaker's personal experience working for Aaron Swartz's defense and on several high-profile civil cases. We will then discuss recent events in offensive cyber-warfare and the new dilemmas this poses for defenders. Finally, the speaker will present one possible framework for ethical decision making in such a complicated time, and will unveil an effort to affect change in the White Hat community.