Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between."
IMO, there are hackers, and there are security professionals. If you were a hacker and are now a security professional...great. If you continue to break the law, you should go to jail. Pretty simple, and none of this hat confusion.
"Herbivores eat well cause their food never, ever runs."
You mean Cracker. While some of these people might be hackers, I don't think too many of them are. Please, I know everyone else uses the term hacker in this way, but can't we use the real term?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
What about the new legislation (forget the name) that makes 'hacking' a federal crime, and heavily punishable. I think I remember reading that you can get a life sentence for hacking? What the hell? And I can guarantee you that they're just WAITING for another Kevin to come around so they can make an example of him:
"See? Look what he did! He 'hacked' into someone's computer, and now he's someone's bitch for life."
"But he didn't do anything damaging."
"He was HACKING. That's BAD. He's gone for LIFE. Let that be a lesson."
The lesson is that curiosity is now punishable by life in prison. Great. Don't get me wrong, traipsing into someone's computer isn't exactly ethically RIGHT (I don't care HOW wide open they leave it), but it's certainly not criminally WRONG.
It seems to me that giving companies time to fix their holes is always a Good Thing (tm) but that a lack of public disclosure by a 3rd-party will only help obscure legitimate problems. People with attitudes similar to that of Peter Lindstrom* demonstrate, to me at least, a lack of care towards users and their potentially open/vulnerable systems. One of the easiest ways to get a slow company to fix something seems to be to talk about it in the press.
* quote: "If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing."
In Soviet Russia...michael would be rotting in Siberia!
The days aren't gone, but now we must use techniques that will keep all of our tracks hidden.
One of the largest holes that I currently see is the lack of any security on all of the wireless networks! You can load a machine up and use a card with a MAC address that you use for nothing but hacking and NEVER be caught. The good ole days aren't gone, but the good ole days are here right now. UNTRACEABLE baby, with COTS equipment at that. From my house with a 24 dB antenna I can see ten networks that are not encrypted. I was threatened with a lawsuit recently when I informed a company of an unencrypted network that I found while driving to my house. I will never do that again, but now I will keep them to myself just in case I want to do some "gray" actions. Don't get me wrong, I don't go around destroying networks, but with wireless in the state that it is in today, I could definitely do that.
Cheers
Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term, a climate where disclosing holes is discouraged merely limits access to the information to the so-called "black hats".
Obviously, an environment where most of the flaws and holes are only known by the less scrupulous because you've lawsuit-threatened the scrupulous out of finding the holes and telling you about them just makes it that much easier for your programs to be hacked and your customers' data to be stolen - and then they definitely won't trust your product.
paintball
These so-claimed whitehats happily search for vulnerabilities and post them to bugtraq, only to know that someone will code an exploit for it... IF you don't want to cause any damage, you only inform the vendor, not the entire community about it.
Dragonlance, heck...
Reminds me of some primitive societies on our own planet, where they burn witches, medicine-men, doctors, anyone-with-specialized-knowledge-who-challenges-authority...
Smart people, regardless of their intentions, have always been feared...
"Can of worms? The can is open... the worms are everywhere."
Facter writes "There is a great article at CNet..." but I wasn't so impressed. This example of Kevin Finisterre isn't really that amazing. Finisterre's employee publicly disclosed the vulnerability. You gotta expect to piss off HP when you do something like that. Look, I'm a fan of open-source software and I understand that publicly disclosing software bugs is one way of motivating a lazy company to plug those holes, but I'm not sure you can really defend this ethically. If you find a bug in Company A's software, then let A know about it. If A decides not to do anything about it (or if they are taking longer to plug the hole than you thought) I don't see how you are morally justified in leaking that info to the world.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
This is just silly. If he had just informed HP, there wouldn't have been a problem. However, his employee decided to inform the entire world and that's what triggered HP's retaliation. If Finisterre and his employees restrict themselves to informing the company, they should be okay.
The rest of the CNET article is okay. But starting off with such a stupid example really weakens the story. They could have started off this story with the Sklyarov example. That would make a stronger case for the idiocy of the DMCA.
GMD
watch this
If you have somebody who's informed a company of their problem, waited for them to do something, and then finally anonymously or semi-anonymously posted the problem, then we have the "security" types that are looking out for all of us. Somebody who posts it as "hey look at me, I hacked XXX/YYY and somebody should fix it" is just looking for fame or possibly profit.
I think that if you can hack a system and then offer a viable fix/solution without the indicated repercussion of telling everyone in the world what the problem is, then you shouldn't be blacklisted as a "black hacker".
However, if you go off and tell everyone that so-and-so's software/network is insecure because they didn't pay you, then you're no better than an extortionist or a crook.
If you've bypassed security on a product that was hindering legitimate users, we have another really hard area to define. Anything that gets done to a company's product generally should be done with the grace of the producing company.
Perhaps one of the biggest problems is those who just jump out and post something on the internet without thinking of the ramifications to the owner/users of the product. If you post a security vulnerability and fix, you may be allowing a certain amount of people to fix the problem, but you're also letting all the hackers out there know where there's easy prey in those that don't see the fix soon enough.
In the same hand, if companies legally lambaste anyone who hacks and then offers a solution to their woes, it only makes things worse.
Corporations with insecure products/networks need to recognise that running for the lawyers isn't always the best solution, while those doing the hacking need to recognise that extortionist/fame mongering/otherwise damaging tactics aren't helping either.
If more companies can work with legitimate hackers in a productive way (as stated in the article, many have internal hackers), without inviting dozens of script-kiddies to poke at their servers, then perhaps one day the important people (we, the end-users) will find a day when we can legitimately use the products we pay for, in a meaningful manner, and without security woes.
It's not what you can do, it's how you do it that counts - phorm
Now let's say you notice that my HP server is likely to be compromised. But there's a law in place that says HP can sue you if you tell me, because that violates their cracker security, which consists in not letting people who might be malicious know that the rear door of an HP could be a tempting target.
Exactly why should HP deserve a legal protection that no sane person would give to Ford, when in both cases the customers are far better off with the knowledge?
"with their freedom lost all virtue lose" - Milton
I fully support the use of the alternate term "cracker" to refer to people who use hacker-like skills (or often, no skill just downloaded cracker kits) to vandalise whatever system they can manage to crack. Yes, some hackers get sucked into these activities at some point in their development, but that doesn't mean it is condoned by the hacker ethic.
How about some analogies. When you check the door of the business down the street and find it unlocked, is it legal to wander around inside and see what you find? No, but if you didn't do any damage, it shouldn't be more than a legal slap on the wrist. If when you tried the door, you triggered the alarm, or some damage was done just by trying it, you can expect someone to be pissed off, and maybe prosecute you when you try it again on another business.
If a responsible third party closely inspects and tests the security perimeter around your nuclear, chemical or biological plant, and finds vulnerabilities, what should be done? Right, first they tell you and the relevant government authorities, and if there is no real response for a reasonable period of time, tell someone else (press, other trusted third party, etc.).
What is going on now is a typical corporate response, and it is exactly the same as using SLAPP lawsuits to silence critics. It is evil and anyone getting hit by such tactics should get help from advocacy groups. Of course, staying away from controversy is one approach, but it doesn't give you good hacker-karma.
Since when is giving out information unethical? I find a flaw in something - anything - and somebody asks me about it, I am going to tell that person what the flaw is. If my wife buys a car that she will be travelling around with my little girl in and my wife asks if there are any problems with the car, the salesman has to tell my wife about any flaws. If I find a problem with the tires that causes the car to flip, I am going to tell people about it. This is the nature of information.
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public.
Congrats on getting the bank to do something. And your sentence makes it clear that you feel that you deserve the credit for getting the bank to fix this.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publicly disclosed exploit to cause significant damage to the accounts of one or more of the bank's customers? Would you be willing to take the blame for this? Yes, the bank should have fixed the problem and you gave them ample opportunity to solve the problem themselves. But I would argue that, yes, you do bear some responsibility in this case. But that's just my opinion. I am curious what yours is.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disastrous consequences? If so, then I salute you as a fair man/woman/slashkitty. If not, I wish I could smack you upside the head.
GMD
watch this
I agree that if you're Gray then you're black. You might be Black with good intentions... but you're still black.
It's like breaking into a store; simply to warn the store owner that you could break into a store.. no different. Or to use a popular theme in other postings regarding a house with an Open sign on it. NO! It's more like going up to a house, trying all the doors and windows till you find one that is open.
Unless you are specifically asked by a company owner or software maker to exploit security holes, you shouldn't be doing it. If you're concerned about the security of the source, then choose an OpenSource alternative or write your own. If you're using COTS, then ask the publisher for permission to test the software for security holes; most will allow you as long as you're a paying customer. If they don't, you probably don't want to be using that software vendor's application anyways.
It's all about property, people, and respecting people's privacy. Yes, it would be a utopian society if everybody could be online without fears of your network being compromised, and that's not reality obviously. But we don't need vigilantes running around exploiting everybody's software or network just because they can. It's not research, it's criminal; you've breached somebody's privacy even if you didn't do damage. If you want to practice, set up your own private network with software that allows you to do as such. And no, I don't agree at all with the penalties associated with violations of the DMCA. They are outrageous and should be removed and educated individuals should re-establish new ones.
If I went to my bank and noticed the door to the vault was open, I would tell the manager about it.
If I came back the next day and it was still open, I would close my account. I would also feel ethically obliged to tell all the other customers at that bank that their money isn't secure.
A: Do you agree with that, in the terms of the analogy? (physical bank; physical door)
B: Does the analogy become any different when a computer is involved?
One person, and one person only, is responsible for a malicious exploit: the person who performed the exploit.
Networking protocols were designed for sharing information. There are (relatively) easy ways to ensure that only authorized recipients get information through these protocols. If a security system allows me access to parts of an internetwork, I have no reason to think I'm an unauthorized recipient of the information on that network.
All's true that is mistrusted
Can we at least get away from the terrible analogy of:
"Ok, say you someone breaks into your house/car/business but doesn't steal anything" to mirror the actions of "hacking"?
Yes, it really sounds like it might be a good analogy, but computers are absolutely none of the above.
There is no such thing as a nice citizen who comes around to your house and checks to make sure your door is locked and your jewelry is secured in your house. There never has been, there never will be, and there never will need to be, because the Internet is a way different medium than the real world.
Analogies are great for helping geeks explain computer terms to non-computer people, but no matter how you slice it an apple will never be an orange.
A prime example of how it doesn't work is in software "hacking". If a major gaping security hole in someone's software exists, it is something that desperately needs to be fixed immediately and brought to people's attention.
Imagine something simple like an IIS bug (no way!) that allows people to download the source code for some script on your server that includes things like database and system passwords. Some well meaning (gray) hacker tells Microsoft about this, and gets tossed in jail. Meanwhile the same exploit is found at the same time by a malicious (black) cracker, who tells all his l337 script kiddie friends and before you know it some poor startup companies have just given out credit card numbers and secure corporate information to exactly the wrong kind of people.
Where is the white hat in all this?
Oh, he thought about the exploit, but didn't look into it because that sort of thing is naughty and he might get his pretty little white hat dirty.
Testing security measures and breaking software is absolutely necessary if we want to keep robust efficient systems across the country.
Do you really think other countries prosecute their L337 cR4X0rs when they break into our untested unsecured networks?
There have been hackers ever since there have been computers, and it needs to stay that way or we will all find ourselves up that silicon creek without a paddle.