Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between..."
IMO, there are hackers, and there are security professionals. If you were a hacker and are now a security professional...great. If you continue to break the law, you should go to jail. Pretty simple, and none of this hat confusion.
"Herbivores eat well cause their food never, ever runs."
Gone forever are the days when hackers could roam through corporate systems, not really doing any damage, but just playing around.
*sniff*
Finisterre--who also goes by "dotslash"
Hey Taco, you better go after this copyright infringer! You can sic the DMCA... uhh or... the RIAA... uh or... well that's gotta be an acronym to help prosecute him.
You mean Cracker. While some of these people might be hackers, I can't think that too many of them are. Please, I know everyone else uses the term hacker in this way. But can't we use the real term?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
This must be from those AD&D novels where commoners thought that all magic users were evil regardless of whether they used white, red or black robes.
What about the new legislation (forget the name) that makes 'hacking' a federal crime, and heavily punishable. I think I remember reading that you can get a life sentence for hacking? What the hell? And I can guarantee you that they're just WAITING for another Kevin to come around so they can make an example of him:
"See? Look what he did! He 'hacked' into someone's computer, and now he's someone's bitch for life."
"But he didn't do anything damaging."
"He was HACKING. That's BAD. He's gone for LIFE. Let that be a lesson."
The lesson is that curiosity is now punishable by life in prison. Great. Don't get me wrong, traipsing into someone's computer isn't exactly ethically RIGHT (I don't care HOW wide open they leave it), but it's certainly not criminally WRONG.
It seems to me that giving companies time to fix their holes is always a Good Thing (tm), but that a lack of public disclosure by a 3rd party will only help obscure legitimate problems. People with attitudes similar to that of Peter Lindstrom* demonstrate, to me at least, a lack of care towards users and their potentially open/vulnerable systems. One of the easiest ways to get a slow company to fix something seems to be to talk about it in the press.
* quote: ("If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing.")
In Soviet Russia...michael would be rotting in Siberia!
Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term, a climate where disclosing holes is discouraged merely limits access to the information to the so-called "black hats".
Obviously, an environment where most of the flaws and holes are only known by the less scrupulous, because you've lawsuit-threatened the scrupulous out of finding the holes and telling you about them, just makes it that much easier for your programs to be hacked and your customers' data to be stolen - and then they definitely won't trust your product.
paintball
Amazing what power this new technology has in combination with the DMCA. Linux may seriously become the next OS/2 or Minix. Sadly I am serious too. Linux will be a small nitch of hobbiest for macs and nothing else. I said something here 2 years ago. Never and I mean never underestimate Microsoft! Everyone who has, has been stomped on or crushed. Their business model couldn't compete with OSS so they are now using a legal model to squash us. It's perfect against individuals who do not have the financial power to defend themselves in court.
http://saveie6.com/
I prefer a red hat. It gives me the right to bash and kill as I please. 'Course then I must be the root of all evil. So, I must be in alliance with the black hatters.
They stuck me in an institution, said it was the only solution, to...protect me from the enemy, myself
These so-claimed whitehats happily search for vulnerabilities and post them to Bugtraq, only to know that someone will code an exploit for it... If you don't want to cause any damage, you only inform the vendor, not the entire community about it.
http://www.tru64unix.compaq.com/docs/
What's that got to do with Copyright protection?
Facter writes "There is a great article at CNet..." but I wasn't so impressed. This example of Kevin Finisterre isn't really that amazing. Finisterre's employee publicly disclosed the vulnerability. You gotta expect to piss off HP when you do something like that. Look, I'm a fan of open-source software and I understand that publicly disclosing software bugs is one way of motivating a lazy company to plug those holes, but I'm not sure you can really defend this ethically. If you find a bug in Company A's software, then let A know about it. If A decides not to do anything about it (or if they are taking longer to plug the hole than you thought) I don't see how you are morally justified in leaking that info to the world.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
This is just silly. If he had just informed HP, there wouldn't have been a problem. However, his employee decided to inform the entire world and that's what triggered HP's retaliation. If Finisterre and his employees restrict themselves to informing the company, they should be okay.
The rest of the CNET article is okay. But starting off with such a stupid example really weakens the story. They could have started off this story with the Sklyarov example. That would make a stronger case for the idiocy of the DMCA.
GMD
watch this
... demand that companies handling our (we the "consumers") sensitive data be punished for not making security a top priority? Why is it, other than blatant shortsightedness (inability to see beyond the self), that companies keep pushing for legislation that crucifies anyone who points out blatant security flaws instead of commending those said messengers as catalysts for improving the overall security? Let's not kid ourselves.
When TCP makes open computing illegal,
then unsanctioned programming will be a crime.
Those using 'hacker' to mean 'guru programmer'
will find that perception has become law.
Cracker, hacker, what's the difference when you work outside the law?
Sig for sale or rent. One previous user. Inquire within.
Which is the more unethical?
Telling users of a software set that it has holes, so that they may protect themselves? or not telling them, but just the producer of the code?
Why is stating a fact in public unethical? I personally think a company that does not disclose holes in its software to its customers in a timely fashion is unethical.
When TCP makes open computing illegal ...
;-)
Then, we could just use UDP -- problem solved. Yuk, yuk
Just because you found a hole, it doesn't mean that you are the ONLY one to find the hole. It's possible that any hole you find is an actively exploited hole.
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public. It may however have hurt Company A's reputation.
-- these are only opinions and they might not be mine.
Just because someone chooses to ignore the law (or claim ignorance) does not make what they are doing legal. However, there is a large divide between what is "legal" what is "moral" and what constraints should really exist.
For example, doing drugs is illegal, but in reality is it immoral? Or wrong? What if that drug were aspirin? Caffeine? Alcohol (remember we tried that once)? The laws should exist to protect us from each other, not to protect us from ourselves, in my opinion of course.
Personally I hate hackers because my f'ing Windows Box would get hacked regularly since I didn't have 2 hours a day to check on patches. I switched to Linux on the server side and haven't looked back. So my result was beneficial as a result of being hacked. However, if I could get my hands around the throat of the mofo's (1 in taiwan and one in italy) after working all weekend to repair the damage, believe me you couldn't get a drop of water down their throats because I'd be squeezing so hard.
In short, if you don't like the rules of your society either work to change the laws, ignore the laws (at your own risk), or move. Either way no matter where you go, stupid laws will follow (except Sealand, but they won't let you immigrate).
The whole conversation makes a lot more sense if you drop the hat references.. sure it's easy to lump people into categories of white, black, etc. hat. But in reality there are crooks, good guys and crooks who play good guys. It used to just be a hax0r description to use the hat verbiage.. it's unfortunate that it's passed into mainstream security usage.. I personally have a hard time taking anyone seriously that describes themselves by the figurative color of their hat..
Disclosure of information should be protected by law. There are cases in which hackers find bugs in software they are using on their own systems. Like in this particular case, the professionals probably found bugs in the OS that was running on their own machine. Such information should be allowed to be disclosed publicly. Whether to contact the vendor before telling the rest of the world is a matter of choice, and let the hacker decide about it. Smarter vendors will keep an eye on Bugtraq and other such lists. Even smarter vendors will test their products before selling, but that's a different story altogether. Some vendors are arrogant enough to either take a long time to look into the issue or not provide a patch at all. Public disclosure might put some pressure on them. It might also make the users of the software products aware of the problem so they can take necessary precautions if possible. Instead of suing the hackers who are doing a service to vendors for free, the vendors should be sued by the clients (but the EULA doesn't allow it in most cases). It's sad that efforts are made to stop the disclosure of information instead of securing the right to freedom of speech.
- Jalil Vaidya
Who runs around calling themselves "white hat" or "grey hat" or "black hat"? It's just plain stupid to me. I suspect these terms were created for the purpose of so-called "white hat" types differentiating themselves from "black hat" types.
Basically a ruse so they can be 'hip' (being hackers and all...) but still be acceptable to the corporate system.
The simple concept that legality has ANYTHING to do with morality in the hacker world is absurd. I could list many things that are illegal, but of at least debatable moral stature, and possibly vice versa.
If you have somebody who's informed a company of their problem, waited for them to do something, and then finally anonymously or semi-anonymously posted the problem, then we have the "security" types that are looking out for all of us. Somebody who posts it as "hey look at me, I hacked XXX/YYY and somebody should fix it" is just looking for fame or possibly profit.
I think that if you can hack a system and then offer a viable fix/solution without the indicated repercussion of telling everyone in the world what the problem is, then you shouldn't be blacklisted as a "black hacker".
However, if you go off and tell everyone that so-and-so's software/network is insecure because they didn't pay you, then you're no better than an extortionist or a crook.
If you've bypassed security on a product that was hindering legitimate users, we have another really hard area to define. Anything that gets done to a company's product generally should be done with the grace of the producing company.
Perhaps one of the biggest problems is those who just jump out and post something on the internet without thinking of the ramifications to the owner/users of the product. If you post a security vulnerability and fix, you may be allowing a certain amount of people to fix the problem, but you're also letting all the hackers out there know where there's easy prey in those that don't see the fix soon enough.
In the same vein, if companies legally lambaste anyone who hacks and then offers a solution to their woes, it only makes things worse.
Corporations with insecure products/networks need to recognise that running for the lawyers isn't always the best solution, while those doing the hacking need to recognise that extortionist/fame mongering/otherwise damaging tactics aren't helping either.
If more companies can work with legitimate hackers in a productive way (as stated in the article, many have internal hackers), without inviting dozens of script-kiddies to poke at their servers, then perhaps one day the important people (we, the end-users) will find a day when we can legitimately use the products we pay for, in a meaningful manner, and without security woes.
It's not what you can do, it's how you do it that counts - phorm
Now let's say you notice that my HP server is likely to be compromised. But there's a law in place that says HP can sue you if you tell me, because that violates their cracker security, which consists in not letting people who might be malicious know that the rear door of an HP could be a tempting target.
Exactly why should HP deserve a legal protection that no sane person would give to Ford, when in both cases the customers are far better off with the knowledge?
"with their freedom lost all virtue lose" - Milton
I would have thought most of the white hats would give up, seeing how most people seem to wear dark black sunglasses when determining how white/gray/black a hat is....
Kjella
Live today, because you never know what tomorrow brings
really? ok.. so do you investigate hardware designs and modify equipment that YOU PURCHASED as a hobby? if so then you are a Black hat and need to go to jail by your definition.
Security means nothing with the term hacker unless you are an uneducated manager. What you are referring to is a cracker and a completely different individual....
Please, get a clue as to what term is what. I don't care what the illiterate media calls them or how they use the term... a HACKER is not a criminal but a software and hardware genius...
A CRACKER tries to break into systems or bypass security. Why is this so hard for people to understand? The drivel that spews forth from the anchorwoman/man's mouth does NOT make it truth.
Do not look at laser with remaining good eye.
Almost all major players in the security field nowadays sell early access to information on unpublished vulnerabilities (or let others sell it). Therefore, "responsible disclosure" is important: not only do vendors have a comfortable time frame for dealing with problems, but the information is also more valuable if its distribution is limited for a longer period of time.
Of course, this hasn't got much to do with security anymore, it's all about making profit and a feeling of security. After all, when you learn about a new, critical defect in Windows or some component of the GNU/Linux system, there's already a patch (at least in most cases, and the other ones are so obscure that you don't understand what's going on, so you really can't be bothered by them). So it's not that bad if you run software which is poorly designed and sluggishly implemented, isn't it? The whitehats will keep everything in control, and thanks to the new DMCA law, we can safely tell them from the blackhats!
sigh
(And BTW, the "responsible disclosure" document is referenced quite a lot for a withdrawn Internet Draft.)
A self-proclaimed white-hat hacker is someone who decries as a 'cracker' those who perform now what used to be perfectly acceptable hacks, and accepts the current state of the law as a fair arbiter for hacker ethics. But the DMCA has made hacking security systems not just on others' computers, but on those completely owned (not oWn3d) by you, into a criminal act.
You can still be a hacker and not hack security systems. But then you're not a "white hat" -- you're just out of the "hat" picture entirely. If you're a hacker with a hat, like it or not, it's black. The DMCA didn't get rid of just the greys, it took out the whites as well.
Linux will be a small nitch of hobbiest for macs and nothing else.
Not hobby, not hobbier, but hobbiest!
I fully support the use of the alternate term "cracker" to refer to people who use hacker-like skills (or often, no skill just downloaded cracker kits) to vandalise whatever system they can manage to crack. Yes, some hackers get sucked into these activities at some point in their development, but that doesn't mean it is condoned by the hacker ethic.
How about some analogies. When you check the door of the business down the street and find it unlocked, is it legal to wander around inside and see what you find? No, but if you didn't do any damage, it shouldn't be more than a legal slap on the wrist. If when you tried the door, you triggered the alarm, or some damage was done just by trying it, you can expect someone to be pissed off, and maybe prosecute you when you try it again on another business.
If a responsible third party closely inspects and tests the security perimeter around your nuclear, chemical or biological plant, and finds vulnerabilities, what should be done? Right, first they tell you and the relevant government authorities, and if there is no real response for a reasonable period of time, tell someone else (press, other trusted third party, etc.).
What is going on now is a typical corporate response, and it is exactly the same as using SLAPP lawsuits to silence critics. It is evil and anyone getting hit by such tactics should get help from advocacy groups. Of course, staying away from controversy is one approach, but it doesn't give you good hacker-karma.
Is security research ethical? When does it become unethical, and criminal, and who decides? As a security professional, I'm seriously thinking of hanging up my "hat" and going to law school.
While the ethics of cracking have always been interesting, the legality has never been an issue. It is, and for years has been, a crime, essentially, merely to knowingly obtain unauthorized access or to exceed authorized access to a computer owned by another. [Alas, many companies have injudiciously asserted these criminal charges against former consultants, merely to beat a bill with a nasty counterclaim.]
However popular it is to join the bandwagon railing against the DMCA anti-circumvention provisions (people seem to forget that the DMCA is itself an omnibus of technical and non-technical issues, good, bad and indifferent, and ranging from boat-hull designs to ISP immunities), the article's focus on DMCA is misplaced -- almost irresponsibly so.
The big guns against cracking conduct have been in place for years, and well before DMCA: The Computer Fraud and Abuse Act, the ECPA and countless state computer crime and regular theft statutes. All of these tend to be much broader in scope and reach, and far easier to prove and enforce. After the enhancements (from a prosecutor's point of view) made in the USA-PATRIOT Act, CFAA has become an even more powerful tool. The FBI didn't need a DMCA to get Kevin.
At the end of the day, the HP nonsense was just that: nonsense. The reason the HP DMCA threat was never pressed was simple -- it was a no-play claim, and everybody knew it. However, there are and have for years been a kazillion laws to beat up on anybody who engages in unauthorized access or exceeding authorized access of any kind, and regardless whether the conduct amounts to any circumvention of an effective copyright protection scheme.
I'm not arguing cracker ethics, or defending DMCA. I'm simply saying that the focus of the article is wildly misplaced. DMCA is just barely an interesting curiosity in the enforcement quiver -- so far as real cracking goes, it isn't even a fourth-string defense except in the oddest cases.
Regardless of that article, which was VERY biased, I'd like to point out that those who see the world, computer hacking especially, as either black hat or white hat, only see it that way due to the limitations on the dunce hat they already wear.
>Never and I mean never underestimate Microsoft! Everyone who has, has been stomped on or crushed. Their business model couldn't compete with OSS so they are now using a legal model to squash us. It's perfect against individuals who do not have the financial power to defend themselves in court.
The law is SO far away from justice now, it's not even funny.
You can buy the law and make your enemies criminals. But that doesn't mean it's right, and it's surely not justice.
USSR, land of the Free!
If a company feels like it, it can go right ahead and sue regardless of how "ethical" the hacker might be.
Since when is giving out information unethical? I find a flaw in something - anything - and somebody asks me about it, I am going to tell that person what the flaw is. If my wife buys a car that she will be travelling around with my little girl in and my wife asks if there are any problems with the car, the salesman has to tell my wife about any flaws. If I find a problem with the tires that causes the car to flip I am going to tell people about it. This is the nature of information.
Ethics are relative to each person anyway.
And besides, they are for losers..
---- Booth was a patriot ----
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public.
Congrats on getting the bank to do something. And your sentence makes it clear that you feel that you deserve the credit for getting the bank to fix this.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publically-disclosed exploit to cause significant damage to the accounts of one or more bank's customers? Would you be willing to take the blame for this? Yes, the bank should have fixed the problem and you gave them ample opportunity to solve the problem themselves. But I would argue that, yes, you do bear some responsibility in this case. But that's just my opinion. I am curious what yours is.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disastrous consequences? If so, then I salute you as a fair man/woman/slashkitty. If not, I wish I could smack you upside the head.
GMD
watch this
I'd have to look up the law, but I'm pretty sure most all of them were legal before the legalisation of abortion. All the legalisation did was make it a right, so you didn't need a doctors recommendation or any good reason whatsoever.
There is no real distinction between hacker and cracker.
The tools, tricks, and procedures used by one are used by the other. The original hackers were the original crackers. It was fun to break into things (be it your radio, your telephone, your telephone network, or someone's computer system). Well, what's the fun in just being there if no one knows you were there? This is where data stealing, or defacing, came in. All the way back when the hack/crack was as simple as making a scoreboard say MIT, when they didn't have a sports team, let alone being involved in the specific contest.
To you and me, it is obvious where a prank ends, and malicious intent begins. To the person that has to clean up the prank, it is all malicious. So to you and me, there is a distinction between hacker and cracker, but to the laymen, they are the same. Not because they don't know any better, but because to them the outcome is the same. And now with the DMCA and the like, the line is clearer.
And before someone says kernel hacker, the prankster hacker is where the term originated. So if anyone is using the term incorrectly, they are probably the ones that should get the chastising. Kernel hacking is such a small and specific subset of the word, it isn't what the term was created for, nor does it truly represent the standard.
You do realize that if you hack into another computer you own on a public network, that is technically against the law. If the ISP finds out, you will be in jail for a few days.
What about a sys admin testing "his own servers" (company servers he/she is responsible for) for vulnerabilities? If the PHBs find out about the "hacker" tools he is using to test his own server's vulnerabilities, they will fire the poor sap and try to get the Feds to charge him/her with FELONY HACKING!!!! Punishable with many, many years in prison in solitary confinement plus 10 years parole with virtually no way to generate income.
Therefore, the moral of this story is: Don't own any "hacker" tools for ANY REASON. Add the vendor's upgrades when they come out and NEVER test your servers for vulnerabilities. Then when the network is compromised, explain this little scenario and say "I did the best I can, given the current legal climate of said vulnerability testing". It won't save your job, but it will save your career and keep you outta jail.
If there is no longer a grey hat because of dumb-ass laws, what do you think the distribution is going to be from grey to black or grey to white? I personally believe, since there aren't that many jobs available, many more people will switch to black hat instead of white.
Either way, "black" or "grey" doesn't matter as long as they continue to push the industry into security. In my opinion both are doing good to the industry. What happens if we get into an information war and we never had to deal with security before? Black and grey hatters - you are patriots to me, no matter what the government says.
Good job.
...And when they came for me, there was no one left to speak out for me." - Martin Niemoeller (1892-1984)
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However, there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor business models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, DBAs, etc.) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and finds ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth", which is anathema to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article points out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarrassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
In Philadelphia there is a restaurant attached to the Spectrum (venue for concerts, circus, minor league hockey). There is a stairway leading up to the inside arena at which point you have to show your ticket. There is also a door that leads to a hallway that leads to the interior stadium. There is no guard at the door; you do not have to show your ticket. If I use that door, I think it is clear that I am stealing. Just as if I crashed the gate.
But is telling someone else about the door stealing?
Many of the arguments about no real property being lost apply.
What if there is a 'Do not enter' sign on the door?
What if the door is locked, but pushing opens the door anyway?
Apparently you're now a bad guy if you do an independent security audit of a product and publish the results.
The argument that you need to publish to the whole world instantly is absurd. Sure, a couple of vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligible because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple of other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).
The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.
Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgeable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
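The post above suggests publishing a checksum of the full advisory sent to the vendor, so the finder can later reveal the document and prove it was already in hand when the first notice went out. The following is an added example of that commit-and-reveal step, written for this page and not code from the original thread or from any vendor or mailing list; the advisory text, product name and dates in it are constructed, and the scheme is a plain SHA-256 hash commitment (the "checksum" option in the post), not a PGP signature. The random nonce is the part a bare checksum lacks: without it, anyone who can guess a short or templated advisory text can confirm the guess against the published hash, which defeats the purpose of keeping the details private during the vendor's fix window.

```python
"""
Commit-and-reveal for an unpublished vulnerability advisory.

Added example for this page; not the thread's or any vendor's code.
Day 0: send the full advisory to the vendor, post only commit() output
       to a public, archived place (a list post, for instance).
Later: publish the advisory text plus the nonce; anyone can run verify()
       against the archived commitment.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample advisory. The product, path and date are made up.
ADVISORY = (
    b"Product: ExampleOS 1.2 (hypothetical)\n"
    b"Component: /usr/bin/examplectl (setuid root)\n"
    b"Issue: stack buffer overflow in argument parsing, local root\n"
    b"Vendor notified: 2002-08-01\n"
)

_DOMAIN = b"advisory-commitment-v1\x00"   # domain-separation tag


def commit(advisory: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex commitment, nonce).

    Publish the hex string now; keep the nonce secret alongside the
    advisory until disclosure. A fresh 32-byte nonce is drawn when none
    is supplied so the commitment cannot be brute-forced from guessable
    advisory text.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    h.update(_DOMAIN)
    h.update(len(nonce).to_bytes(4, "big"))   # length-prefix: no ambiguity
    h.update(nonce)                           # between nonce and text bytes
    h.update(advisory)
    return h.hexdigest(), nonce


def verify(advisory: bytes, nonce: bytes, published_commitment: str) -> bool:
    """Recompute the commitment from the revealed text and nonce.

    Uses a constant-time comparison; returns False if either the text or
    the nonce differs from what was committed to.
    """
    expected, _ = commit(advisory, nonce)
    return hmac.compare_digest(expected, published_commitment)


def demo() -> Tuple[str, bool, bool]:
    """Walk through commit, honest reveal, and a tampered reveal."""
    published, nonce = commit(ADVISORY)
    honest = verify(ADVISORY, nonce, published)
    # An edited advisory (say, a claim added after the vendor's fix) fails.
    tampered = verify(ADVISORY + b"Credit: someone else\n", nonce, published)
    return published, honest, tampered


if __name__ == "__main__":
    c, ok, bad = demo()
    print("commitment:", c)
    print("honest reveal verifies:", ok)
    print("edited reveal verifies:", bad)
```

What the commitment proves is content, not time: the date comes from wherever the hex string was posted (a mailing-list archive with its own timestamps), so post it somewhere you do not control. Keeping the nonce with the advisory matters as much as keeping the advisory itself; lose it and the commitment can never be opened.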
What about the ...RED...hats .. (laugh/snort/laugh)
"Narrow them down to a simple choice. Make them think it's their own." - Luke, on salesmanship
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
If I bought a truck, and the seatbelt linkage into the truck's frame was faulty and likely to fail in a crash, then I suspect I'd write a letter to Consumer Reports reporting it. I'd probably also write a letter to the company. The fact that I would have had to take apart a portion of the truck to find the fault would make NO difference. No one would say it was illegal, no one would complain that I was 'gray hat' or 'black hat'. I bought the truck, the truck had a problem, I told people. Big deal.
If I took apart someone else's truck without asking for permission, I suspect I'd just get my ass kicked. But, charges could of course be filed by the owner of the truck as well.
Why is it different with computers? Why are there people here saying that someone who looks at something they've legally purchased and find flaws with it are ethically in the wrong? And why should they not be able to speak up about it? The article is about a guy who reverse-engineered something on his own system. He didn't hack anyone else's system. What is wrong with that? I'm seeing tons of posts saying that all gray hats are black hats, or that ethically gray hat hacking is wrong although they do it anyway, and lots of garbage like that. What is gray at all about experimenting on your own machine when you've purchased the software?!? The whole gray/black/white hat stuff to me only applies (in any way, even if it is all b.s.) when you're poking into *other* people's computers.
Yes, if you find a hole, it's polite to everyone to give the company a chance to fix it before going public. But - that's a polite social thing to do. I see nothing wrong with telling an emporer or anyone else that they are butt naked. And if I feel like it, I should be able to tell everyone that the emporer is butt naked without asking his permission. That's called freedom of speech.
I write code.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publicly disclosed exploit to cause significant damage to the accounts of one or more of the bank's customers? Would you be willing to take the blame for this?
The fact that an attack is performed shortly after the weakness is disclosed does not mean that (a) the attack would not have been performed had the weakness not been disclosed or (b) that the disclosure had any relationship whatsoever with the attack.
What's very clear, however, is that the correction of the defect has a direct, causal relationship with the public disclosure.
Certainly, public disclosure increases the odds of an attack, but it does not increase them from zero, and disclosure which results in the correction of the defect reduces them from the previously-unknown value to zero.
In most cases, the bank's customers are better served by public disclosure. For one thing, it lets them know that their bank behaves irresponsibly with their money, and gives them a good hint that they should take their business elsewhere.
I would agree that it's irresponsible to publish software that automates an exploit, and that doing so might place the author at fault, to some degree. Publishing the vulnerability on a secret crackers-only forum would be thoroughly reprehensible. And it's both polite and good for the bank's customers to give the bank a chance to fix the problem themselves before going public. But if the bank isn't willing to protect its customers unless its nose is publicly rubbed in the problem, then the responsible thing to do is to go public.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disastrous consequences?
You have it backwards. The poster would be at fault if he had continued to keep it quiet until the customers' accounts had been emptied. The only difference is that there would be no one trying to apportion blame to him, so that is an /easier/ approach. But a much less moral one.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
...not the means to an end. The difference between me killing someone to save the world or to make myself a million dollars is huge.
It's unfortunate that the legal system tends to look more at actions instead of inactions. Did you ever see the final episode of "Seinfeld"?
I feel that there is less RISK to users if they know which company / product / website is more risky to use, and know which companies keep up to date on fixing things.
In the end, in my case, the type of bug in the bank's site had been listed in CERT for 2 years, along with how to fix it. I think that it's clearly the company's fault for not building a safe website.
-- these are only opinions and they might not be mine.
To an extent, I would say it is fair to give an organization a set amount of time to respond with a patch, but if the organization does not respond, then who is benefited by staying silent? It is better to get the word out and inform those that care for their systems rather than entrusting that security to an unresponsive organization.
If an organization uses the DMCA to coerce an individual to stop disclosing information that pertains to the security of the organization's software or OS, then perhaps it is time to consider foregoing the 30-day notice period. In the end, we (generally) are just trying to build more secure systems. If the organizations who write/sponsor the code cannot support maintaining the security of the product, then screw them!
Uzmo
WHITE
Hacks systems at the request of the system owner to find vulnerabilities. Helps system administrator eliminate obvious holes first. Gets a paycheck and free lunches from the IT manager.
GRAY
Inconsiderately hacks systems without the knowledge of the system owner, blinded by his good intentions. Notifies system administrator about holes in the system. Receives suspicion and a subpoena, gets free representation.
BLACK
Cracks systems in search of personal booty and root exploits. His back-door scripts leave no traces. Notifies the world by rerouting all requests for the public site to goatse.cx. Never gets caught, gets all the chicks.
-- thinkyhead software and media
... and so should yours, if you're worried about this stuff. Go here and send them a hundred dollars. You'll be glad you did.
If the community keeps all the hacks secret all software will be secure. No one will need to patch their systems. Personal firewalls will no longer be needed. Anti-Virus will be a thing of the past. I think this is what the White House and other insecurity, are really trying to tell all of you. Don't share and don't hack. That way no one knows about a hole. ie, China will be the only place that can hack into your system. Well including the government, MPAA, RIAA. Remember if you don't know they are doing it. It's not illegal. So IF you are smart enough to find a hole, don't tell and OWN THE SYSTEM. At this rate it won't be patched and they most likely won't even know you're there. This is how our government is going to protect us.
I don't suffer from insanity, I enjoy every minute of it.
I was really aiming at the legal arsenal wielded to discourage even attempting to find and disclose bugs - not saying that bugs should be immediately publicly disclosed. Or at least not trying to say that.
paintball
...Even if know damage is done, if you're in my system...
and that system would be your elementary school network, where you're just lerning how two speel?
I agree that if you're Gray then you're black. You might be Black with good intentions.. but you're still black.
It's like breaking into a store; simply to warn the store owner that you could break into a store.. no different. Or to use a popular theme in other postings regarding a house with an Open sign on it. NO! It's more like going up to a house, trying all the doors and windows till you find one that is open.
Unless you are specifically asked by a company owner or software maker to exploit security holes, you shouldn't be doing it. If you're concerned about the security of the source, then choose an open-source alternative or write your own. If you're using COTS, then ask the publisher for permission to test the software for security holes; most will allow you as long as you're a paying customer. If they don't, you probably don't want to be using that software vendor's application anyway.
It's all about property, people, and respecting people's privacy. Yes, it would be a utopian society if everybody could be online without fears of your network being compromised, and that's not reality obviously. But we don't need vigilantes running around exploiting everybody's software or network just because they can. It's not research, it's criminal; you've breached somebody's privacy even if you didn't do damage. If you want to practice, set up your own private network with software that allows you to do as such. And no, I don't agree at all with the penalties associated with violations of the DMCA. They are outrageous and should be removed, and educated individuals should re-establish new ones.
This article, and the climate that it has arisen out of (the recent White House cyber-security report, and the new penalties introduced by the USA PATRIOT Act) make me quite glad that I've gotten out of the Information Security business altogether.
This conflict between the ex-hackers and the ex-military/police within the information security community has been building for quite a while, and it was only a matter of time before something tipped the balance. The crashing economy was already starting to weed the more rebellious of us out, as we just looked plain untrustworthy, and being the rebellious and out-of-the-box thinking geeks that made us good security people in the first place, many were unwilling to undergo the image transformation that was being required of us, to become security "professionals".
9/11, however, was all the excuse needed to tip the balance all the way back to the suited "professionals". Now the shifty-looking security guys weren't just an eyesore, they were downright untrustworthy, possible cyber-terrorists (ala ex-Soviet chemical/biological/nuclear scientists), that could destroy your company if you look at them the wrong way.
I don't remember who first said "Image is everything" but there's a reason it has become cliche. Real security is a scary, complicated, painfully obtuse thing, that rubs users the wrong way, and makes them want to use the system as little as possible. The more secure you need it, the more downright annoying and obtuse it HAS to be. Otherwise it isn't good security. For that very reason, good security doesn't sell awfully well. All the computer companies need to sell to suits, who equate security with increased cost and no benefit. A lot of computer companies can't afford to scare off a single client, so they will do their utmost to prevent their image being tarnished, especially in such hard times.
So, being one of those people who calls a spade a damn shovel, I'm glad to be out of the business of covering up problems. I like fixing them which I will continue to be able to do for myself and my various consulting clients, but my country has apparently come to a consensus that doing so, for free, is immoral. Who am I to question my country? If I find something, that knowledge will stay comfortably in my head. I don't need a company suing me because I tried to help. I don't need to be a martyr for some cause that no one but a handful of people pay more than lip service to. The United States and the corporations that keep it running have chosen bad security, and they'll pay the piper eventually. I'll just sit back and watch the show.
I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today. We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.
Who needs whitehats or greyhats?
I say then, let them suffer the consequences of their own karma. No help from me, that is sure! Let them eat cake, in other words, and the fully digested and expunged cake too!
Rien n'est plus beau que le creux du 0.
You publish your findings and some incredibly maladjusted person actually builds the device and uses it to blow up every occupied and unoccupied car that he can find. Now the chances of his being able to do this without your having published your discovery are essentially nil. Leaving aside legal responsibility for the moment, are you ethically responsible for the harm that has been done?
This goes right to the heart of the Black/Gray/White Hat issue. Knowing that there are Script Kiddies and other malicious forces that will IMMEDIATELY act to turn your published discovery into harmful results, and that there is no way the company could both create a fix and fully distribute it fast enough, is it EVER the lesser harm to publish it?
You might say that you are encouraging them to release a fix. But even if they had a fix already created and tested (unlikely), how much harm would occur to machines that did not get a chance to install it fast enough? No, your act of publishing will always create the greater harm.
If I went to my bank and noticed the door to the vault was open, I would tell the manager about it.
If I came back the next day and it was still open, I would close my account. I would also feel ethically obliged to tell all the other customers at that bank that their money isn't secure.
A: Do you agree with that, in the terms of the analogy? (physical bank; physical door)
B: Does the analogy become any different when a computer is involved?
One person, and one person only, is responsible for a malicious exploit: the person who performed the exploit.
Networking protocols were designed for sharing information. There are (relatively) easy ways to ensure that only authorized recipients get information through these protocols. If a security system allows me access to parts of an internetwork, I have no reason to think I'm an unauthorized recipient of the information on that network.
All's true that is mistrusted
We still have Red Hat.
Can we at least get away from the terrible analogy of:
"Ok, say you someone breaks into your house/car/business but doesn't steal anything" to mirror the actions of "hacking"?
Yes, it really sounds like it might be a good analogy, but computers are absolutely none of the above.
There is no such thing as a nice citizen who comes around to your house and checks to make sure your door is locked and your jewelry is secured in your house. There never has been, there never will be, and there never will need to be, because the Internet is a way different medium than the real world.
Analogies are great for helping geeks explain computer terms to non-computer people, but no matter how you slice it an apple will never be an orange.
A prime example of how it doesn't work is in software "hacking". If a major gaping security hole in someone's software exists, it is something that desperately needs to be fixed immediately and brought to people's attention.
Imagine something simple like an IIS bug (no way!) that allows people to download the source code for some script on your server that includes things like database and system passwords. Some well meaning (gray) hacker tells Microsoft about this, and gets tossed in jail. Meanwhile the same exploit is found at the same time by a malicious (black) cracker, who tells all his l337 script kiddie friends and before you know it some poor startup companies have just given out credit card numbers and secure corporate information to exactly the wrong kind of people.
Where is the white hat in all this?
Oh, he thought about the exploit, but didn't look into it because that sort of thing is naughty and he might get his pretty little white hat dirty.
Testing security measures and breaking software is absolutely necessary if we want to keep robust efficient systems across the country.
Do you really think other countries prosecute their L337 cR4X0rs when they break into our untested unsecured networks?
There have been hackers ever since there have been computers, and it needs to stay that way or we will all find ourselves up that silicon creek without a paddle.
What makes the American Civil Liberties Union "diametrically opposed" to God? The ACLU doesn't oppose anything. It's merely that they support the rights of the extremists. Yes, some extremists are "diametrically opposed" to the idea of the Judeo-Christian deity. But some aren't.
Any other nonsense you'd like to spout forth in order to get me modded down by going further offtopic at the prodding of a troll?
In Soviet Russia, Beowulf cluster imagines you!
Wanna know what color my 'hat' is? You may as well ask me what kind of mood I am in; the answer is very relevant. Besides, there is *no* security and anyone who thinks otherwise is in for a rude awakening one day. Either a system is completely secure and trusted, or it is not. Now guess which category 99.99% of the world's systems fall into? You are only 'secure' until someone better than you comes along. Better, or more motivated, or sadly enough just luckier also means you just got owned.
Ignorance is bliss, and therefore, what you don't know won't hurt you. Let sleeping dogs lie, and never look a gift horse in the mouth.
Now, I'm sure every software vendor would love nothing more than to prevent security holes from being found in their products, but they're likely to try to accomplish this goal using the wrong method -- adding terms to the license that prohibit such activities. Instead we have to rely on those people who ignore the unenforceable restrictions on reverse engineering to find the holes, and keep these companies honest.
The problem with your logic is that you seem to be implying that only those who are publishing vulnerability reports are those who are capable of finding them. There are likely many that go unreported for ages until either the exploit gets widely distributed enough, or someone else finds it. Personally, I would find no moral problem with violating a license that dared to tell me what I can and cannot do with it, after I purchased it. After all, I may be violating the law, but am I Right or Wrong?
There is no absolute right, and absolute wrong. The law can't legislate right and wrong, and can't make us good people. All the law can do is provide punishment for those who harm others. Trying to get the law to distinguish between Right and Wrong is a recipe for disaster.
I used up all my sick days, so I'm calling in dead.
I don't understand the statement in the article that white hats only disclose vulnerabilities to the owner and trusted third parties. Isn't there still room for white hats to do full or responsible disclosure?
Fsck the man!
That's what grey is. It's white with some black. Or black with some white. By the same logic, if you are grey you are white, because of you're intentions. Grey do things blacks would never do, like doing the Right Thing (tm). Greys also do things whites would not do, i.e. disclosing information.
"Unless you are specifically asked by a company owner or software maker to exploit security holes, you shouldn't be doing it. "
I totally disagree. Then the only unauthorized people that find holes will use it against you. What happens if you are a company that can't afford to hire White Hats? What happens when you are a mega corporation and don't want your shoddy security reputation shot any further? You can't make security updates without saying that you made a mistake in the first place.
For every grey hat that discloses information there is probably at least one black hat that also finds it. If you are smart enough to find a hole, then somebody else is too.
If my company hires me to do network security and I happen to find a gaping hole in the 3rd party firewall software, you'd better bet that I'd tell my company. I'd also tell my colleagues that consult for other companies. The best way to disseminate information is to make it public. I am more loyal to the company that pays me than I am to Microsoft.
How can you prevent black hat break ins? Find the holes first. Notify the software maker. Patch the holes if you can. If the software maker chooses to not budget the fix until next year, I'll go public. I'm also more loyal to security professionals whose jobs rely on software than to Microsoft et al. whose profits depend on software.
Why, o why must the sky fall when I've learned to fly?
My job (and my hobbies) involves legally acquiring software and hardware and testing it, tearing it apart, looking for weak spots.
That includes purchasing items like a Cisco PIX or a software firewall, testing for security holes, and often extends to writing and executing working exploits for these holes, on legally acquired copies running in my test lab.
These actions may violate the vendor's EULA. But they do not ever involve penetration of the network, host, or data belonging to an innocent third party. Do these acts make me a black hat?
Neither I personally nor my employers trust the publisher to do their own testing and report honestly on the results. If my customer agrees, I report issues to the vendor. If they do not respond, and if my customer agrees, I will post some or all information to a full-disclosure list. What color is my hat now?
While it may be in violation of the law or a civil transgression to "test" software after purchasing a legally licensed copy, I do not agree that such testing turns a grey hat to black.
I've breached whose privacy? That of the vendor who wrote the software or designed the hardware?
If I legally acquire software and hardware, install it on my private testbed, then exploit the software (locally, in my "sandbox"), it most certainly is research. It may also be criminal. If I take the results of my tests and publish them, that too is research, and under the DMCA or certain EULAs, may be unlawful.
Regardless of how the laws are contorted to depict my actions, I will not accept the label of "black hat" on this basis.
I do not deploy Linux. Ever.
The only effective way to get many companies to fix problems is blackmail, which is technically illegal just about everywhere. There is something wrong when you have to break the law to get your vendor to fix something.
The page says a black hat will not disclose their hacks and use them for their own gain. That sounds like me. I run unix boxes and I think Windows in most cases is trash. When a client says they are as secure, I've been known to show them why they aren't. I've had one client get all upset since I wouldn't explain to MS how I took down their secure box. MS isn't paying me and they have done enough boneheaded things to make my life hell at times. I'm not going to do anything else that helps gates and his evil minions make my job harder.
Maybe it should go like this:
When the discussion in a thread starts to invoke the voice of Homer Simpson, the thread is deemed to be ended.
Winner NOBODY!
Hi --
I used to admire America, the Great. A nation full of ideals, dynamic, and fast-paced. But what the hell's going on nowadays? Everything is oversimplified: "the axis of Evil", "White hats/Black hats", DMCA, etc. Like someone said in the article, it used to be a script kiddie cracked your server, because you were too dumb to keep it patched up. Now, it's "terror" against "a mission critical server." Get fucking real!
It seems America's capacity for creative thinking, analysis, and the criticism that's intrinsic is withering away amidst lawsuits, stringent patent laws, simpleminded thinking (Bush) and overregulation...
I'm sure as hell glad that I don't have to live there, and can just look at it from the outside, sucking up the info...Too bad...
America is on the way to dying from lack of oxygen.
(And now, let's all watch the whole shit go down on CNN as oil prices go up, as George W. Bush throws the whole world in a crisis so deep we're going to start missing Ronald Reagan and want to crawl into our assholes.)
A reader from another continent (wouldn't matter where, Americans flunk Geography at school).
sexually frustrated purple
There are some very intelligent people coding for black hats. Many of the brightest people on the legitimate side of network security honed their skills as a black hat, then had a change of heart in the past few years as the threat of criminal charges grew larger, or after suddenly realizing that having a house, a wife, and kids changes your priorities. However, the pool of exploitable machines would be much much larger.
Restricting public exposure of holes has been tried, and found wanting. Limited distribution of the details of holes was the unwritten law in the 1980's and early 1990s (anybody remember the 'core' list?). This is why the creation of Bugtraq in 1993 was such a big deal. Prior to that, vulnerability information was carefully controlled, distributed to a limited pool of "trusted" admins... including the "daytime personas" of a number of black hats.
This approach did little to keep the black hats from learning about new vulnerabilities and writing exploits, and put little pressure on vendors to patch their software or pro-actively work to limit security holes.
Full-disclosure may not be ideal, but it is better than the alternatives.
I do not deploy Linux. Ever.
Unfortunately, America has always had problems like this that seem to clutter up the media, and then eventually people's everyday lives.
Things like the Vietnam war that caused an entire generation to dress funny and smoke a lot of pot. McCarthyism caused us to put a whole lot of innocent people in horrible concentration camps just because we were looking for a communist ghost. Less than 200 years ago we kept other people in chains, beat them, killed them and forced them to do our manual labor.
You won't always find the strength or spirit of America on CNN, just Connie Chung and Larry King yapping away about what a tragedy it is that a few CEOs scammed some money. Meanwhile thousands of people are dying in countries that wept for us on 9/11, but we can't afford the airtime to cover that news.
It's been the norm for the government and the media to blow things out of proportion and to dig up the wrong dirt on the right issues. But it's also been the norm for the citizens of the US to fight against the government for what we believe in. That's why we all turned into hippies, fought against communist concentration camps, and had a civil war over slavery.
That's also the reason that we have big discussions like these on Slashdot about the ethics, definitions and social implications of hacking. What we need to do is focus less on what's being said, and focus more on who it's being said to. A bunch of geeks on a web site writing inflammatory comments about the government really only affects a bunch of geeks that come to that website and read those comments. It would be more effective if we could somehow get a real geek in Washington. Unfortunately for politicians to pay attention to you, you have to waft money in front of their nose. (Here boy! Nice senator want a campaign donation? Good senator!)
Therein lies the problem. Those with the money are bringing wheelbarrows of it to their congressman to shut us geeks up, while we piss and moan about it in our forums.
White, gray, black, purple... it doesn't matter what hat you're wearing now.
If those in control now (Hollywood, Washington) have their way you'll eventually end up with a pair of matching handcuffs and a free ride to Alcatraz.
TCP = Trusted Computing Platform.
Hacker = any person writing illegal code.
Legal code = code that observes legal requirements for security and traceability.
Requirements: a bloody huge set of rules that only very large companies will be able to observe.
Consequence: in five years' time, 'independent' software developers will go the way of independent car manufacturers.
Captain, I predict that this scenario has a 45% chance of occurring.
Sig for sale or rent. One previous user. Inquire within.
The fact that I did not obtain the publisher's permission does not magically redefine my activity to be "not research".
I bought a sports car. I don't think it goes fast enough. I swap out the intake system, have a machine shop rebore the engine, and I extract the manufacturer's ROM, edit the ROM image to tune the pre-computed fuel curve table, and burn a new ROM for myself.
All of this activity I define as "research". The car manufacturer might not agree, and will void my warranty. But the fact that I do not have permission from them to "hack" my car does not change the definition of my research to something else, it only changes my relationship with the vendor, and precludes me from obtaining future "tech support" from the vendor.
My clients choose to use non-open-source products. They choose to pay me to perform "research" on these products and supply my results either exclusively to my client, or to Bugtraq. I accept my client's conditions, and perform research for them. The fact that the company that sold them the hardware or software did not agree to this "research" does not change the definition of my activity.
If my client was "Consumer Reports", would you still have a problem with my research?
Consumer Reports buys all the items they test from retail outlets, and does not ask the manufacturer for permission to perform their "research": http://www.consumerreports.org/static/popup/didyou know.html
I do not deploy Linux. Ever.
You are a humorless moron.
-- thinkyhead software and media
a HACKER is not a criminal but a software and hardware genius...
A CRACKER tries to break into systems or bypass security.
That's true, but would you be more scared of a guy waving his axe around hacking things, or a salty biscuit that you crush up and put into your chicken soup?
That's why mainstream media says "hacker"
Y2K Compliant since the late 1890s
Real programmers disdain structured programming. Structured programming is for compulsive neurotics who were prematurely toilet-trained. They wear neckties and carefully line up pencils on otherwise clear desks.
- this post brought to you by the Automated Last Post Generator...