DEF CON and Feds Partner on Anonymous Bug Submission Program

Bug submission program uses the SecureDrop platform to ensure anonymity.

Hacking conference organizer DEF CON Communications said it plans to roll out a global anonymous bug submission platform based on the SecureDrop communications tool. During a session at DEF CON in Las Vegas last week, conference founder Jeff Moss said the goal was to launch the yet-to-be-named program within the next 12 months. The plan is part of coordinated efforts with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

The anonymous bug submission program is meant to encourage ethical hackers to submit high-level bugs anonymously that might otherwise trigger a barrage of questions or might put researchers in legal hot water. The system will be built on open-source technology from the Freedom of the Press Foundation’s SecureDrop server and is designed to be a cyber tipline of sorts.

“There is a lot of apprehension among researchers wanting to report vulnerabilities to the government. So we asked ourselves is there a way to create a process for hackers and researchers to report vulnerabilities into the US CERT to help do some good?” Moss said.

He spoke during a session where he was joined by a panel of experts including hacker Marc Rogers (a.k.a. Cyberjunky), Chris Krebs (DHS cybersecurity official), Jennifer Granick (surveillance and cybersecurity counsel with the ACLU) and others.

Panelists said SecureDrop servers facilitated by the DEF CON organization would be a global initiative. Servers would likely be spread geographically around the world. DEF CON would act as a trusted middleman, giving the hacker the opportunity to “do the right thing” if they found or stumbled on an extremely sensitive bug that was too volatile to submit via regular channels. DEF CON representatives would then submit the bug to the US Computer Emergency Readiness Team (US-CERT).

“Our preference is vulnerabilities are disclosed to the vendor,” said Krebs who serves as director of DHS’ CISA. “I understand that doesn’t always work. Sometimes it’s the [vendor] community that isn’t mature enough or maybe it is the vendor. So, sometimes you need an arbitrator.”

He estimated that in a low single-digit number of cases, researchers are highly reluctant to submit a bug through the normal vendor or CERT channels.

“People in the hacker community occasionally reach out to me and say, ‘Hey, I know this thing. And I don’t want to explain how I know this. I’m afraid of the repercussions, but somebody should do something about this,’” said panelist Pablo Breuer, director of U.S. Special Operations Command at the Donovan Group.

Plenty of questions still need to be sorted out. Among them is how to make the anonymity feature bulletproof even if a court serves a subpoena to gain physical access to the service’s servers.

“We realize there are a lot of open questions,” Rogers said speaking directly to the DEF CON audience of researchers. “And that’s why you guys can feed into this. The only way we are going to make this work is if the community is behind it and helps shape it.”

Part of the logistics in putting the DEF CON SecureDrop anonymous bug submission program together would be creating a separate data center in new locations.

“We are thinking very much about functionality. What happens if the box is taken? Then obviously, if the box is taken we have technological concerns about the contents escaping,” Granick said. She added, “if someone does either subpoena or hack their way into the box we need to make sure that they’re not going to be able to see anything, without any opportunity for us to get into court to challenge it.”

She underscored the sensitive nature of the potential data stored on the server — from the vulnerability itself to names of co-workers and company whistleblowers — making it an attractive target for governments and hackers alike.

Those anonymity requirements led DEF CON and CISA to turn to SecureDrop, which a number of organizations, such as the New York Times, use for anonymous news tips.

The signal-to-noise ratio is pretty horrendous, said panelist Runa Sandvik, director of information security for the newsroom at the New York Times. But she said, “Having the system is far more valuable than if we didn’t have it.” She said the good that comes out of having SecureDrop outweighs the bad of having to manage a lot of the unhelpful information the system collects.

The technology behind SecureDrop was originally developed by the late Aaron Swartz, Kevin Poulsen and James Dolan. It was created to be a vehicle for whistleblowers. The Freedom of the Press Foundation took over development of the platform in 2013, according to the SecureDrop FAQ.

“SecureDrop is designed to use two physical servers: a public-facing server that stores messages and documents, and a second that performs security monitoring of the first. The code on the public-facing server is a Python web application that accepts messages and documents from the web and GPG-encrypts them for secure storage. This site is only made available as a Tor Hidden Service, which requires sources to use Tor, thus hiding their identity from both the SecureDrop server and many types of network attackers,” according to the FAQ.

In DEF CON’s implementation of SecureDrop, DEF CON operates the servers that the Tor network connects to. “The magic happens before the connection to the CERT. We never see, and cannot discern the IP address (of a submitter). CERT never discerns the IPs of the exit node. And there is the back and forth of two separate Tors running,” Moss said.

“There is no way we are going to engineer trust, but there’s a lot of things we can do to reduce the risk,” Moss said.

The panel discussed the vetting process for SecureDrop and said that there are still a few technical and legal issues to resolve before it’s ready.

Meanwhile the audience of security professionals supported the project concept, while expressing concern over some of the technical anonymizing aspects of the program.

“I’ll tell you, honestly, one of my plans is if there is a little engineering to do to this project, it’s to make sure that DEF CON can honestly answer a subpoena request and say, ‘No, we don’t have the keys. We can’t tell you what’s on the server,’” said Moss.

When asked, by a show of hands, who thought the program was a good idea, a clear majority of session attendees expressed support. When Moss asked whether the plan sounded like a “catastrophic disaster and a threat to DEF CON,” one or two attendees out of hundreds attending the session raised their hands.

Black Hat USA 2019 has kicked off this week in Las Vegas.