Slashdot Mirror


Ethical Lines of the Gray Hat

Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between.."

5 of 249 comments

  1. Re:DMCA by Golias · Score: 5, Interesting

    Gone forever are the days when hackers could roam through corporate systems, not really doing any damage, but just playing around.

    One could take that to mean that early "white hat" hackers served their purpose successfully. By roaming through corporate systems, they managed to call attention to a lot of gaping security flaws that ended up getting fixed.

    Also, roaming through corporate streams was a necessity for hard-core geeks in the days when Internet connectivity was prohibitively expensive. Much of what recreational hackers were "borrowing" other people's network resources for can now be done on a common consumer connection.

    --

    Information wants to be anthropomorphized.

  2. Nearly everyone's a grey-hat by xeno · Score: 5, Interesting

    Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However, there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor business models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, dbas, etc) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and finds ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."

    Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth", which is anathema to the DMCA/bug-hiding camp.)

    Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article points out, all you can do is try to do the right thing. Currently that may be illegal.

    Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarrassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.

    J

    --
    I think not...(*poof*)
  3. For me to poop on. by FallLine · Score: 3, Interesting

    Suits are scared of the public knowing about holes in their product, because that could erode trust in the product. That's the short term vision that motivates suit fear, and causes them to lash out with threats of lawsuits.

    Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term
    I'm not a suit, I'm well aware of the arguments on all sides and I was once involved in the hacking community, but I don't agree that the instant disclosure of new vulnerabilities (and especially the all too common practice of releasing corresponding exploit code with it) is good policy. Regardless of the speed of the vendor or development team to release an appropriate patch, the person that publishes a new vulnerability gives those that wish to hack (yes, I know and I don't care) into systems a huge advantage over the administrators of the world. With the publication of a new exploit to bugtraq or what have you, you instantly arm thousands of script kiddies with an attack that cannot be defended against (in the majority of cases anyways). Even in the best of situations, there is going to be some delay in the development team's response. Even in the best of situations, the sysadmin can only patch so many systems so quickly. Even in the best of situations, only so many admins are going to be available to update their systems in the first place. This is simply a totally unnecessary situation in the vast majority of cases. If the so-called hacker were a little more reasonable and a little less self-centered, then they would give the vendor at least a day or two to come out with a patch before announcing it to the world.

    The argument that you need to publish to the whole world instantly is absurd. Sure, a couple vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligible because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).

    The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.

    a climate where disclosing holes is discouraged merely limits access to the information to the so-called "black hats".

    Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgeable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.

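    The proof-of-priority idea in the comment above (publish a checksum of the advisory sent to the vendor, reveal the document later) is a hash commitment. The following Python is an added example, not from the comment or from Slashdot; the advisory text and the function names are constructed for illustration. It also shows why a random nonce belongs in the commitment: a bare hash of a short, guessable advisory could be confirmed by anyone who guesses its wording.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def commit_advisory(advisory: bytes, nonce: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (commitment_hex, nonce_hex) for an advisory document.

    The commitment is SHA-256 over nonce || advisory. Publishing only the
    commitment reveals nothing about the advisory, while the nonce prevents
    a third party from confirming a guess about its contents by hashing
    candidate texts. Keep the nonce private until the reveal.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + advisory).hexdigest()
    return digest, nonce.hex()


def verify_advisory(advisory: bytes, nonce_hex: str, commitment: str) -> bool:
    """Recompute the commitment from the revealed advisory and nonce.

    A match shows the revealed document is byte-for-byte what was committed
    to. Proof of *when* the commitment was made still depends on where it was
    published (a mailing-list archive or a trusted third party), which is why
    the commenter suggests posting it publicly or to a third party.
    """
    expected, _ = commit_advisory(advisory, bytes.fromhex(nonce_hex))
    return hmac.compare_digest(expected, commitment)


# Constructed sample advisory (hypothetical product, not a real report).
ADVISORY = (
    b"Advisory draft: input validation flaw in a hypothetical product, "
    b"sent to vendor on 2002-01-01. Details withheld pending vendor response."
)

if __name__ == "__main__":
    commitment, nonce = commit_advisory(ADVISORY)
    print("publish now:", commitment)
    print("reveal later, verifies:", verify_advisory(ADVISORY, nonce, commitment))
    print("altered text verifies:", verify_advisory(ADVISORY + b" (edited)", nonce, commitment))
```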
  4. I don't mind wearing a black hat by alexjohns · Score: 4, Interesting

    You can call me white, gray, black, puce, ochre, whatever. I already break the law, every day. I speed; roll through stop signs; jaywalk; litter; drive after having a beer or two with dinner; try to get every conceivable deduction on my taxes; copy software and music CDs. In the past, I experimented with illegal drugs; shared prescription drugs; bought alcohol for minors; participated in sodomy in at least one state that outlaws it. Shit, the list's just too freakin' long.

    I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today? We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. Have you let a teenager bum a cigarette? Criminal.

    Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.

    Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.

  5. Re:The greater harm. by Nonesuch · Score: 3, Interesting

    InnovATIONS writes:
    Your analogy is interesting, but flawed. Instead imagine that your discovery about the Ford Pinto did not involve rear-end collisions but something that could be induced by making a few modifications to a garage door remote control.

    You publish your findings and some incredibly maladjusted person actually builds the device and uses it to blow up every occupied and unoccupied car that he can find. Now the chances of his being able to do this without your having published your discovery are essentially nil. Leaving aside legal responsibility for the moment, are you ethically responsible for the harm that has been done?

    It's not just black and white, and (most) software exploits do not result in human deaths.

    The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)

    The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.

    The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.

    This goes right to the heart of the Black/Gray/White Hat issue. Knowing that there are Script Kiddies and other malicious forces that will IMMEDIATELY act to turn your published discovery into harmful results, and that there is no way the company could both create a fix and fully distribute it fast enough, is it EVER the lesser harm to publish it?
    Yes, it can be "the lesser harm" to publish.

    I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.

    Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.

    You might say that you are encouraging them to release a fix. But even if they had a fix already created and tested (unlikely), how much harm would occur to machines that did not get a chance to install it fast enough? No, your act of publishing will always create the greater harm.
    In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously.