Highest Rated Comments


davedittrich (8 karma)

What ethical guidelines (i.e., specific ethical principles, not "I'm an ethical hacker") do you follow in deciding what to do with the information you derive from reverse and re-engineering malware, and how do you decide when you will/won't cross a line (e.g., taking over a botnet, collecting intelligence to analyze from inside someone else's computer, or taking down malware infrastructure using uncooperative means?)

Why should the public trust what you do?

davedittrich (5 karma)

Oops. Left out part of the path, but you found a copy! https://staff.washington.edu/dittrich/papers/ieee-snp-ethics-2011.pdf

Great answer. Thanks!

davedittrich (4 karma)

I don't mean this to argue with you, or attack you, but I asked if you could provide some specific ethical guidelines for malware researchers to follow and I don't see any in your answer. The law is not the same as ethical guidelines, and just saying "our blogs follows pretty rigid ethical guidelines" and then not saying what those guidelines are side-steps the question.

I ask this question, not to put you on the spot, but to help anyone reading this IAmA who is trying to learn something that they can follow to know that countering malicious actions requires not just technical skills, but knowing how to use them responsibly. I am very happy you mention you limit what you publish to avoid helping the bad guys (and gals!) get better. But sometimes "shutting down" malware infrastructure (you don't define what it means to "shut down" something, besides just blacklisting) helps spur bad guys (or gals!) into improving their malware.

And if the lack of an answer illustrates there is no consensus on what "ethics" are, or how to talk about them, hopefully this dialog makes it clear that part of what readers need to do beyond just learning how to disassemble malware and exploit vulnerabilities in C&C servers is to learn where the ethical AND legal limits are and be able to make good decisions that they can clearly justify. Your list of things that someone should learn in response to p3aceout -- and I agree with all of them -- does not include learning about ethics (or the law, which you say is your guide). I'll offer this as a place to start: https://staff.washington.edu/papers/ieee-snp-ethics-2011.pdf

Just talking about "fighting malware" does not provide guidance on what someone should/shouldn't do, or when some action will cause more harm than good. For example, there is a group out there who believes "malware must die" and uses imagery and language suggestive of a religious battle (to the death, in the real world model on which they base their message), but no guidance on what is acceptable to do in the name of the "crusade." Good intentions, and wanting to "fight" the good fight, are not enough to prevent harming innocent people by going too far with the desire to "kill" malware, which is going to get us all in trouble.