Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between."
Gone forever are the days when hackers could roam through corporate systems, not really doing any damage, but just playing around.
*sniff*
The whole conversation makes a lot more sense if you drop the hat references. Sure, it's easy to lump people into categories of white, black, gray, etc. hat. But in reality there are crooks, good guys and crooks who play good guys. It used to just be a hax0r description to use the hat verbiage. It's unfortunate that it's passed into mainstream security usage. I personally have a hard time taking anyone seriously that describes themselves by the figurative color of their hat.
it's wrong.
you should always plan for the worst and hope for the best. but regardless of your actions (leaving car windows down) it's still wrong to reach in and start screwing around with stuff.
There is no real distinction between hacker and cracker.
The tools, tricks, and procedures used by one are used by the other. The original hackers were the original crackers. It was fun to break into things (be it your radio, your telephone, your telephone network, or someone's computer system). Well, what's the fun in just being there if no one knows you were there? This is where data stealing, or defacing, came in. All the way back when the hack/crack was as simple as making a scoreboard say MIT, when they didn't have a sports team, let alone being involved in the specific contest.
To you and me, it is obvious where a prank ends, and malicious intent begins. To the person that has to clean up the prank, it is all malicious. So to you and me, there is a distinction between hacker and cracker, but to the layman, they are the same. Not because they don't know any better, but because to them the outcome is the same. And now with the DMCA and the like, the line is clearer.
And before someone says kernel hacker, the prankster hacker is where the term originated. So if anyone is using the term incorrectly, they are probably the ones that should get the chastising. Kernel hacking is such a small and specific subset of the word, it isn't what the term was created for, nor does it truly represent the standard.
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However, there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor business models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, DBAs, etc.) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and finds ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth", which is anathema to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article points out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarrassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
The argument that you need to publish to the whole world instantly is absurd. Sure, a couple of vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligible because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple of other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).
The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.
Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgeable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
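The "checksum or PGP signature of the advisory" idea in the comment above is a hash commitment: publish a digest now, reveal the document later, and anyone can check that the revealed text is what was committed to. The following is an added illustration, not code from the original post; the advisory text, nonce and date in it are constructed placeholders.

```python
"""Hash commitment for a vulnerability advisory (added example).

Workflow: on discovery, the researcher sends the full advisory to the
vendor and posts only a digest of it. When the vendor ships a fix (or
someone else claims the find), the researcher reveals the advisory plus
the nonce, and anyone can confirm it matches the digest posted earlier.
The digest reveals nothing about the bug as long as the nonce is random.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample advisory; not a real report or a real product.
SAMPLE_ADVISORY = (
    b"Advisory: buffer overflow in example-daemon 1.2 (placeholder)\n"
    b"Impact: remote code execution as the service user\n"
    b"Reported to vendor: 2002-08-01 (constructed date)\n"
)


def commit(advisory: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return the public commitment string and the private nonce.

    The nonce is prepended before hashing so that a short or predictable
    advisory cannot be recognised by hashing guessed texts. Keep the nonce
    private until the reveal; publish only the returned commitment string.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + advisory).hexdigest()
    return f"sha256:{digest}", nonce


def verify(advisory: bytes, nonce: bytes, commitment: str) -> bool:
    """Recompute the digest from the revealed advisory and nonce and compare.

    Returns False for a malformed commitment string, a changed document,
    or a wrong nonce. Constant-time comparison avoids leaking digest bytes.
    """
    scheme, _, published = commitment.partition(":")
    if scheme != "sha256" or len(published) != 64:
        return False
    expected = hashlib.sha256(nonce + advisory).hexdigest()
    return hmac.compare_digest(expected, published)


def demo() -> dict:
    """Run the commit/reveal round trip on the constructed advisory."""
    # Fixed nonce so the demo is reproducible; use secrets.token_bytes in practice.
    fixed_nonce = bytes(range(32))
    commitment, nonce = commit(SAMPLE_ADVISORY, fixed_nonce)
    tampered = SAMPLE_ADVISORY.replace(b"1.2", b"1.3")  # one version digit changed
    return {
        "commitment": commitment,
        "genuine": verify(SAMPLE_ADVISORY, nonce, commitment),
        "tampered": verify(tampered, nonce, commitment),
        "wrong_nonce": verify(SAMPLE_ADVISORY, b"\x00" * 32, commitment),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest alone proves only that the revealed text is the one committed to; the date comes from wherever the commitment was posted (a mailing list archive, a signed message with a trusted timestamp), so post it somewhere third parties keep records.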
If I bought a truck, and the seatbelt linkage into the truck's frame was faulty and likely to fail in a crash, then I suspect I'd write a letter to Consumer Reports reporting it. I'd probably also write a letter to the company. The fact that I would have had to take apart a portion of the truck to find the fault would make NO difference. No one would say it was illegal, no one would complain that I was 'gray hat' or 'black hat'. I bought the truck, the truck had a problem, I told people. Big deal.
If I took apart someone else's truck without asking for permission, I suspect I'd just get my ass kicked. But, charges could of course be filed by the owner of the truck as well.
Why is it different with computers? Why are there people here saying that someone who looks at something they've legally purchased and find flaws with it are ethically in the wrong? And why should they not be able to speak up about it? The article is about a guy who reverse-engineered something on his own system. He didn't hack anyone else's system. What is wrong with that? I'm seeing tons of posts saying that all gray hats are black hats, or that ethically gray hat hacking is wrong although they do it anyway, and lots of garbage like that. What is gray at all about experimenting on your own machine when you've purchased the software?!? The whole gray/black/white hat stuff to me only applies (in any way, even if it is all b.s.) when you're poking into *other* people's computers.
Yes, if you find a hole, it's polite to everyone to give the company a chance to fix it before going public. But - that's a polite social thing to do. I see nothing wrong with telling an emperor or anyone else that they are butt naked. And if I feel like it, I should be able to tell everyone that the emperor is butt naked without asking his permission. That's called freedom of speech.
I write code.
If the community keeps all the hacks secret, all software will be secure. No one will need to patch their systems. Personal firewalls will no longer be needed. Anti-Virus will be a thing of the past. I think this is what the White House and other insecurity are really trying to tell all of you. Don't share and don't hack. That way no one knows about a hole, i.e., China will be the only place that can hack into your system. Well, including the government, MPAA, RIAA. Remember, if you don't know they are doing it, it's not illegal. So IF you are smart enough to find a hole, don't tell and OWN THE SYSTEM. At this rate it won't be patched and they most likely won't even know you're there. This is how our government is going to protect us.
I don't suffer from insanity, I enjoy every minute of it.
I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today? We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. Have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.
The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)
The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.
The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.
Yes, it can be "the lesser harm" to publish. I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.
Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.
In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously.
I do not deploy Linux. Ever.