Marc Rogers: Success of Anonymous Bug Submission Program ‘Takes A Village’

Marc Rogers discusses the logistics behind a recently-proposed anonymous bug submission program, meant to encourage ethical hackers to submit high-level bugs anonymously.

A global anonymous bug submission platform, announced at DEF CON in August, aims to help encourage ethical hackers to submit high-level bugs anonymously that might otherwise trigger a barrage of questions or put researchers in legal hot water.

DEF CON conference founder Jeff Moss said the goal was to launch the yet-to-be-named program within the next 12 months, which will be part of coordinated efforts with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

But it will take more than DEF CON and the feds to build the the platform, said Marc Rogers, VP of cybersecurity strategy for Okta and Head of Security Operations for DEF CON, on this week’s Threatpost Podcast.

The hacker community will play a vital role in developing and engaging with the new program, he said: “The community needs to be driving it, because ultimately, the community has to trust this with their lives, they have to be willing to trust it with their careers, with their liberty, and if we can’t foster that level of trust, it’s not going to attract the kind of material that we wanted to attract.”

To listen to the full podcast interview, see below or download here.

Below is a lightly-edited transcript of the podcast.

Lindsey O’Donnell: Welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell here with Threatpost. And I am joined today by Marc Rogers, who is the VP of cybersecurity strategy for Okta, as well as the head of security operations for DEF CON. Marc, thanks so much for joining us today. How are you doing?

Marc Rogers: My pleasure. I’m doing great.

LO: Good, good. So, you know, I wanted to talk today about the new bug submission program that was announced this year at DEF CON. And that’s really exciting. But before we get into that, can we just take a step back and have you introduce yourself and your background in the security space? I know you’ve done a lot between your role with Mr. Robot and finding vulnerabilities and the architecture of Tesla Model S. Can you break that down?

MR: Yeah, sure. So I’m a security researcher, and white-hat hacker. So I have my day job and I have the stuff I do outside of my day job. So my day job, I’m working on evangelism and thought leadership for Okta, and looking at driving kind of Okta’s awareness in the marketplace, but also looking at trying to add some commonsense to the security industry a little bit.

On the other side, as a researcher, I like to look at different pieces of technology. I like to try and understand how things can be broken or made to do things they weren’t designed to do. And I’ve been doing that for quite a few years now. I started out I guess in the late 80s, and I’ve been hacking on stuff pretty much ever since. And the things that people are probably aware of things like Google Glass, TouchID on the iPhone, the Tesla Model S, which was probably one of my most fun hacks, and it’s not often you get to drive a Tesla car with your iPhone. Then, more recently, I’ve done things like consulting on the TV show Mr. Robot, where I worked with a team of experts to add some sort of reality and realism to the hacking scene as its portrayed on TV, because we’ve all seen the shows where someone puts up some kind of magical graphic and then says, “and then they hacked in through the firewall.”

Those shows drive me nuts. I throw things at the TV whenever they come on, because it’s just so fake. But the reality is it doesn’t have to be fake. And this is what we set out to do with Mr. Robot and I think it actually came off quite well. We’ve got some  pretty good realistic hacks that worked well with the plot line, and I’m starting to see other shows copying the same model, which for me is awesome. It’s like mission accomplished.

LO: Right I love that. Coming from the cybersecurity space and watching Mr. Robot, I was definitely appreciating that level of detail and reality there. So definitely love that.

MR: And then lastly, my role in DEF CON which I’ve been doing in one shape or another for well, 21 years now, which is so crazy. My attendance at DEF CON is old enough to drink. I’m currently in charge of the SOC team, which is the team of red shirts you see running around the conference, making sure that everything is going well, making sure that everyone’s safe, dealing with crowd-control issues, and also dealing with attendee safety and handling any incidents that crop up. As you can imagine, it’s a job that keeps me on my toes. We had quite a lot of people show up for DEF CON this past year, four hotels to look after. And more weird and random things that can you can possibly imagine happening every few minutes.

LO: Right, well DEF CON is definitely always a crazy time. And, in particular this year, it was a really, really fun show, lots going on there. So your role at DEF CON brings me to what I wanted to talk about today, which is at DEF CON, you guys announced that you plan to roll out a global anonymous bug submission platform that is based on the SecureDrop communications tool. I thought this was a really cool idea, and I’d love to hear about it. And I would love to learn more about what the project is and what your role is. Can you shed some light on that?

MR: Sure. So I got brought into the project by some colleagues of mine at the HackerSpace, down in Tampa, which is a collaborative space where a lot of different folks from a lot of different spaces, including the Navy… get together to look at how can we solve some interesting problems. And one of the problems that they wanted to solve was, how can we create an environment where it’s safe for whistleblowers and hackers to bring forward material that would be valuable to triage but where people would potentially be quite reluctant to bring it forward normally. Either they’re reluctant because they may get prosecuted, or they may be reluctant because there’s potential penalties in handling this material.

And so we looked at whether there were any solutions out there that could be leveraged to do something similar, and what would it be necessary to gain that sort of trust within the hacker community and move forward. And I have to admit, I don’t think the problem is completely solved yet. I think this is a journey and the announcement of DEF CON was our first steps on that path. And we essentially opened up what we were doing to the community to get feedback to say, “this is how we’re planning on approaching it. What do you guys think? What are the issues that you see with this? And how do you think we should tackle them?” Because, the only way you can foster trust is to do this as transparent as possible, and to get people’s hands on it as quickly as possible.

And that’s one of the reasons why we chose the platform SecureDrop to base this on, because SecureDrop is — for those that aren’t aware — is an anonymous whistleblower platform, originally developed by Aaron Swartz, now maintained by the Freedom of the Press, and used by a number of major news organizations throughout the world. It is designed to allow sources to securely communicate with journalists and and other interested parties as safely as possible. Now, while that was their goal, and we think our goal is similar, there are some clear differences, one of those differences being the kind of material that’s going through the platform that we’re hoping to build could be very, very sensitive and very attractive to other parties to go after.

So some of their approach, we’re not sure is going to work. Like, for example, having any kind of persistence to allow communication potentially becomes a threat vector that someone could attack. And so we figured we’d accelerate what we’re doing by taking this existing platform that we know has already got good trust and a strong following in the community, and then adapt it and try and look at the problems that we’re solving but that are different to the ones that SecureDrop was solving, and see how we can adapt that platform to become more like what we needed. And then obviously, the most important part was to open it up and get the community’s involvement in shaping this.

LO: I want to talk in a second more about SecureDrop and that platform, but just taking a step back for a second, when it comes to trying to have that idea of encouraging ethical hackers to submit these high level bugs anonymously, that otherwise might trigger questions or put them in legal hot water, was there any kind of event that triggered that? Where did that come from?

MR: I don’t think there was any kind of major precipitating event, though obviously, all of the major whistle-blower cases that have happened in the last few years do color up the direction this was going. I think it’s more that the whole industry and community, and relations between the community and our fellows in the military organizations, in government, etc., are normalizing to the point where they’re realizing that we are a good source of information, that we can potentially help and that there are special ways in which they’re going to have to engage with us if they want to get that help.

So I think all of that has been a long journey, which, honestly, if you want to pick a triggering event, I’d say the L0pht testifying in front of the Senate was probably the precipitating event. And we have been in DEF CON for decades have watched as it’s gone from a time where any government official or three letter agency that showed up at DEF CON was considered hostile and we should disguise our names and we should hide from them to the fact now, they’re just amongst us and, and even to the point where, after the Snowden revelations and some of the backlash when Jeff Moss, our founder, asked all feds to take a break, that was respectfully obeyed.

If you’d asked me 20 years ago whether or not I’d ever think of the director of the NSA testifying in front of hackers at DEF CON, and I would have probably laughed at you. But here we are. And I think it’s that maturity in the relationship that’s driven the way things are evolving. And it’s opened up these doors and I think it’s in all of our interest to see how best to capitalize on these open doors. We all want to make sure that our nations are safer. We all believe that whistle-blowers do a phenomenal job. Bringing light is incredibly important. I firmly believe that sunlight is the best disinfectant. And so sometimes when you have these people who are brave enough to step forward and talk about wrongs that are going on inside dark parts of policy or wrongs that are going on inside organizations, or even signs that there are major security issues that are being exploited, that are being overlooked. Giving them the opportunity to bring that knowledge forward is vital to our defense going forward.

LO: You know, you mentioned this a little bit earlier but in terms of SecureDrop, can you talk a little bit more about what that is, and how that will help bolster the level of anonymity that’s necessary for the program. I know that a big challenge that you guys might be facing is that level of keeping things anonymous and making sure that it’s bulletproof even if some court serves a subpoena or something like that, so can you talk a little bit more about SecureDrop and that level of the platform?

MR: Yeah, so obviously, just to be clear, what we’re building is an adaption on SecureDrop. So they’re going to be some fairly substantial differences between the original SecureDrop design and what we end up rolling out. And not all of those, I think, have been fully identified because that’s part of the consultation. We want feedback from people to identify threats and risks that we might not have thought of.

So, SecureDrop itself was designed by Aaron Swartz and Kevin Paulson. And the idea was to create a very easy-to-use, highly reliable platform that journalists and sources who may not be specifically, highly skilled in terms of technology could use with a minimum number of risks from not knowing how some special switch works or how to do something in a highly technical way, could securely communicate between each other in a way that A, promoted the ability to be anonymous; B, handled the material in a secure fashion; and C was relatively easy to maintain. And the architecture they came up with was a three-piece architecture with a secure viewing station, which is essentially what’s used to decrypt and view documents, etc.; an application server hosted somewhere; and a monitoring server. And this is sort of all tied together using Tor as a communications network to provide an anonymous method submission. And there are certain pieces of advice like, they encouraged sources to use amnesiac operating systems …so that they don’t produce a ton of forensic material as they’re accessing the platform. Because, as we’ve seen, in recent times, the threat isn’t just the network, it’s now the endpoints as the network becomes more secure, hostile entities and hostile nation states go after the endpoints. And so you need to make sure those are robust as well. But it’s designed so that through Tor, you can submit these materials in anonymous fashion, have them handled, encrypted, managed with secure keys, and then passed along to the receiving party. Who is the only other party that then can decrypt them, look at them, do stuff with them, but then also to provide a communications channel back so they could have a relatively anonymous dialogue. That’s actually one of the things that we’re looking at changing because in the stuff that we’re looking at, any kind of ongoing interaction introduces like a high level of risk to this. We don’t want a scenario where somebody could potentially take over the platform or monitor the networks around the platform, then use that to do some kind of network analysis or whatever to work out who is submitting documents. Because that would then just blow the whole purpose of this.

So this is sort of evolving to be more of a one-shot version of SecureDrop where people can submit things anonymously, have them anonymously transported to the right receiving party, who then triages is the material, but done in such a way that there is no information held anywhere, there is no material that could be forensically examined, held anywhere, to provide insights as to who’s submitting this material.

LO: So in what you guys are looking at for this, who would be the receiving party and who would be the middleman there?

MR: The middleman is the biggest open question. And I think for the initial work that we’re doing, Jeff has very kindly to have volunteered the DEF CON organization to help bridge that gap. And I myself and sort of still viewing this as a challenging problem to solve, because whoever hosts that platform potentially controls one of the weak points on it, which is if you can control all of the stuff going in and all the stuff going out, you can potentially do things to uncloak some of the people were involved. So that’s one aspect that we still have to consider.

The receiving parties are essentially whoever would be appropriate to receive the material that’s been submitted through. And so, you know, that could be a CERT team somewhere, that could be an agency that’s responsible for handling it, or that could be a law-enforcement group. The trick is to come up with the right channels to send this stuff through. I know that’s being heavily worked on, because there’s a lot of questions, you know, how do you classify the material properly so that it gets sent through. And by classify I don’t mean like at a secret level, I mean, actually understand what you’ve got. And, how do you analyze that and then decide if it should go to this team and they should go this team. All of those questions are being actively worked on.

This current phase is designed to work essentially within America, because that’s where we’re building it. I would love if in the future, we could come up with a way to make this work globally, so that we can engage with CERT teams in lots of different countries and pass material to the right place. Because this problem is a global problem. It’s not just an American problem.

LO: Right absolutely. I’m curious too were there any other sort of questions or challenges that you guys are currently trying to work through and flesh out in bringing something like this to life?

MR: Yeah, so one of the other big questions is, how do you get people to trust the platform, SecureDrop itself is has a relatively good following and it’s proven itself to be a very good tool, but we are modifying it. That changes some of that trust. And that also introduces questions as to what did you do? Have you introduced flaws into it? Is it is it robust enough? And so that’s why our intention, as part of this engagement with DEF CON is, ultimately we’re going to be opening this up to the DEF CON community and to the hackers to say, “Come and tear this apart, be as cruel as you can, I want you to rip this into pieces and find all the flaws and then we’ll go and fix them.”

And once we fix them, we’ll go through that again. And we’ll go through that as many times as necessary to A get rid of any of the stuff that we might not have thought about. Because, I’m sure we’ve been pretty good in picking up low hanging fruit, but there are people out there who’ve got some pretty unique ideas on decloaking and on tracking material and on attacking cryptosystems. And so I want their skill brought to bear on this to identify where is it weak and where does it need to be improved, At the same time it’s about building trust, the more people have a hands on experience with the code and with the architecture, the more faith they’re going to have that this is exactly what it says on the tin. It doesn’t have any hidden monitoring system in it, that it’s honest, and that it’s been designed in a common sense fashion, with good security that they can trust. Because ultimately, that’s the final, proving point is, “Will people trust this enough with their liberty, with their professional careers, to submit material?” Because if they don’t trust it enough to do that, then we will have failed in our mission.

LO: Yeah. I have a question to speaking of DEF CON. I feel as though the DEF CON conference and the community that you guys were speaking to is the perfect place to launch this. Have you guys received any feedback after your disclosure and announcement of this platform at DEF CON either from DEF CON participants or otherwise?

MR: I don’t know what materials the rest of the team has received. I know there has been a lot of ongoing dialogue. And I’ve been a bit of a human ping-pong ball bouncing around other events, post DEF CON. But I have personally received feedback from attendees about this. And the general feedback which we got during the actual announcement, and afterwards, which was really gratifying, was that the vast majority of people in the community saw this as a valuable exercise. They agreed that we needed to move forward with this. And they thought the idea of collaborating with folks on the government side of the fence was not a bad thing, and that this needed to happen. So all of that was really positive. I haven’t received any technical feedback yet. But as I said, I’ve got two parts to my mission here. One is, it’s kind of like finalizing the ultimate technical platform, but the other part is fostering trust. And that feedback is a great kind of movement in the trust direction.

LO: I know in terms of timeline at DEF CON Jeff Moss had mentioned that the goal was to launch this program within the next 12 months. Is that still the goal at this point?

MR: We actually have some code and stuff already put together. So it’s, it’s finishing out the final touches and working out processes and things. I would say one of the gaping deadlines on this is we want it ready for the next DEF CON. We’ve started this ball rolling, we’ve got people talking about this. If we take our foot off the gas, then people will start to forget about it, and you’ll lose some of that momentum and you’ll lose some of that trust that you’ve been building. And it’s critical that we get the community strongly engaged on this and willing to tear it apart once it’s ready. So I think hitting the goal of next DEF CON is ideal for that because that’s the next time when the whole community is going to be together. And that’s a good time for us to get people excited about tearing this apart and looking at it, maybe we can make a contest out of it or something. But if we hit that, then we can keep rolling. And I imagine my views are slightly different from some of the other folks on the team. But I feel that we’re probably going to have to go through a couple of iterations of this before we build enough trust in the actual platform itself, and before we’ve found all of the potential flaws in our approach.

LO: Well, I’m sure that DEF CON attendees next year, if you do get it rolled out by then are going to be very excited to learn more. And I know that there’s going to be a lot of eyes on this over the next year. So everyone’s going to be really excited about that. Marc, was there anything else that you wanted to mention about this project before we wrap up?

MR: I want people out there this to say this sounds like a good thing. And if people have any kind of concerns about it, please bring them forward because we want to consider every aspect on this. And please be involved when the technology comes out and engaged in and looking at it. Because, it takes a village to build something like this. The community needs to be driving it, because ultimately, the community has to trust this with their lives, they have to be willing to trust it with their careers, with their liberty, and if we can’t foster that level of trust, it’s not going to attract the kind of material that we wanted to attract.

LO: Well, I’m very excited to see the end platform here. But Mark, thanks again for coming on to talk more about this new program. And what we’re going to be expecting over the next 12 months.

MR: My pleasure. Great.

LO: And once again, this is Lindsey O’Donnell with Threatpost. Great conversation today with Marc Rogers. Catch us next week on the Threatpost Podcast.


Suggested articles