Cybersecurity Ethics

Know what you are doing.  Good intentions are necessary, but not sufficient.

If you don't know what you are doing, at least make absolutely sure the experiment can't escape the lab.

Beware of side effects.  If you anger a botnet controller, chances are your whole house, if not your whole block, is getting DDoSed.

Never assume that someone more mature, better trained, and better paid than you did anything right.  If you assume this long enough, someone will die, or at least lose their life savings.


When you find out exactly how true this is, do a responsible disclosure.  If you are afraid of your own exposure, use a safe proxy person/group to help you do a responsible disclosure.

Safety Tips:

  1. Know how to give yourself an air of legitimacy: you may need it unexpectedly.
  2. Know the law, and don't break the ones that matter.  Nobody cares if you have a high-flow showerhead.  Everybody cares if you plant strobing GIFs on the web forum for the National Epilepsy Foundation.
  3. Don't pick fights.  Best case, you are kicking some sad person who can barely send email, and you're a pathetic lowlife.  Worst case, 25 refrigerators will show up at your house, you will be billed, and it will ruin your credit.  Also, good luck opening the door with 25 refrigerators blocking it.  Then it gets worse.


Never trust skiddies.




This presentation is based on a talk by Susan Sons at the 2021 Wonderlabs Cybersecurity Workshop.


Susan can be reached by email at or on Twitter as @hedgemage.  You can find more info about her work at .


That talk is licensed CC-by-sa and available at .

Ethics For Infosec Beginners

By Susan Sons

Slides from my ethics presentation at Wonderlabs cybercamp 2021