Slashdot Mirror
Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between.."
IMO, there are hackers, and there are security professionals. If you were a hacker and are now a security professional...great. If you continue to break the law, you should go to jail. Pretty simple, and none of this hat confusion.
"Herbivores eat well cause their food never, ever runs."
You mean Cracker. While some of these people might be hackers I can't think too many of them are. Please I know everyone else uses the term hacker in this way. But can't we use the real term?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
What about the new legislation (forget the name) that makes 'hacking' a federal crime, and heavily punishable. I think I remember reading that you can get a life sentence for hacking? What the hell? And I can guarantee you that they're just WAITING for another Kevin to come around so they can make an example of him:
"See? Look what he did! He 'hacked' into someone's computer, and now he's someone's bitch for life."
"But he didn't do anything damaging."
"He was HACKING. That's BAD. He's gone for LIFE. Let that be a lesson."
The lesson is that curiousity is now punishable by life in prison. Great. Don't get me wrong, traipsing into someone's computer isn't exactly ethically RIGHT (I don't care HOW wide open they leave it), but it's certainly not criminally WRONG.
One could take that to mean that early "white hat" hackers served their purpose successfully. By roaming through corporate systems, they managed to call attention to a lot of gaping security flaws that ended up getting fixed.
Also, roaming through corporate streams was a necessity for hard-core geeks in the days when Internet connectivity was prohibitively expensive. Much of what recreational hackers where "borrowing" other people's network resources for can now be done on a common consumer connection.
Information wants to be anthropomorphized.
It seems to me that giving companies time to fix their holes is always a Good Thing (tm) but that a lack of public disclosure by a 3rd-party will only help obscure legitimate problems. People with the attitudes similar to that of Peter Lindstrom* demonstrate, to me at least, a lack of care towards users and their potentialy open/vulnerable systems. One of the easiest ways to get a slow company to fix something seems to be to talk about it in the press.
* quote: ("If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing.)
In Soviet Russia...michael would be rotting in Siberia!
The days aren't gone, but now we must use techniques that will keep all of our tracks hidden.
One of the largest holes that I currently see is the lack of any security on all of the wireless networks! You can load a machine up and use a card with a MAC address that you use for nothing but hacking and NEVER be caught. The good ole days aren't gone, but the good ole days are here right now. UNTRACEABLE baby, with COTS equipment at that. From my house with a 24db antenna I can see ten networks that are not encrypted. I was thretened with a lawsuit recently when I informed a company of an unencrpted network that I found while driving to my house, I will never do that again, but now I will keep them to myself just incase I want to do some "gray" actions. Don't get me wrong, I don't go around destroying networks, but with wireless in the state that it is in today, I could definately do that.
Cheers
Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term, a climate where disclosing holes is discouraged merely limits access to the information to the so-called "black hats".
Obviously, an environment where most of the flaws and holes are only known by the less scrupulous because you'd lawsuit-threatened the scrupulous out of finding the holes and telling you about them just makes it that much easier for your programs to be hacked and your customer's data to be stolen - and then they definitely won't trust your product.
paintball
Dragonlance, heck...
a uthority...
Reminds me of some primitive societies on our own planet, where they burn witches, medicine-men, doctors, anyone-with-specialized-knowledge-who-challenges-
Smart people, regardless of their intentions, have always been feared...
"Can of worms? The can is open... the worms are everywhere."
Facter writes "There is a great article at CNet..." but I wasn't so impressed. This example of Kevin Finisterre isn't really that amazing. Finisterre's employee publically disclosed the vulnerability. You gotta expect to piss off HP when you do something like that. Look, I'm a fan of open-source software and I understand that publically disclosing software bugs is one way of motivating a lazy company to plug those holes but I'm not sure you can really defend this ethically. If you find a bug in Company A's software, then let A know about it. If A decides not to do anything about it (or if they are taking longer to plug the hole than you thought) I don't see how you are morally justified in leaking that info to the world.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
This is just silly. If he had just informed HP, there wouldn't have been a problem. However, his employee decided to inform the entire world and that's what triggered HP's retalliation. If Finisterre and his employees restrict themselves to informing the company, they should be okay.
The rest of the CNET article is okay. But starting off with such a stupid example really weakens the story. They could have started off this story with the Sklyarov example. That would make a stronger case for the idiocy of the DMCA.
GMD
watch this
That being said I do thing ou give the comapny a little notice (at most 5 days) before you release it..
"Get your network out of my airspace or I will sue you for trespass."
funny munging
Comment removed based on user account deletion
5 days ought to be enough time for them to get a court order telling you to keep your yap shut, and they still won't fix the problem.
The Kruger Dunning explains most post on
Just because you found a hole, it doesn't mean that you are the ONLY one to find the hole. It's possible that any hole you find is an actively exploited hole.
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public. It may however have hurt Company A's reputation.
-- these are only opinions and they might not be mine.
The whole conversation makes a lot more sense if you drop the hat references.. sure its easy to lump people into categorys of white, black, gray, etc hat. But in reality there are crooks, good guys and crooks who play good guys. It used to just be a hax0r description to use the hat verbage.. its unfortunate that its passed into mainstream security usage.. I personally have a hard time taking anyone seriously that describes themselves by the figurative color of their hat..
If you have somebody who's informed a company of their problem, waited for them to do something, and then finally anonymously or semi-anonymously posted the problem, then we have the "security" types that are looking out for all of us. Somebody who posts it as "hey look at me, I hacked XXX/YYY and somebody should fix it" is just looking for fame or possibly profit.
I think that if you can hack a system and then offer a viable fix/solution without the indicated repercussion of telling everyone in the world what the problem is, then you shouldn't be blacklisted as a "black hacker".
However, if you go off and tell everyone that so-and-so's software/network is insecure because they didn't pay you, then you're no better than an extortionist or a crook.
If you've bypassed security on a product that was hindering legitimate users, we have another really hard area to define. Anything that gets done to a company's product generally should be done with the grace of the producing company.
Perhaps one of the biggest problems is those who just jump out and post something on the internet without thinking of the ramifications to the owner/users of the product. If you post a security vulnerability and fix, you may be allowing a certain amount of people to fix the problem, but you're also letting all the hackers out there know where there's easy prey in those that don't see the fix soon enough.
In the same hand, if companies legally lambaste anyone who hacks and then offers a solution to their woes, it only makes things worse.
Corporations with insecure products/networks need to recognise that running for the lawyers isn't always the best solution, while those doing the hacking need to recognise that extortionist/fame mongering/otherwise damaging tactics aren't helping either.
If more companies can work with legitimate hackers in a productive way (as stated in the article, many have internal hackers), without inviting dozens of script-kiddies to poke at their servers, then perhaps one day the important people (we, the end-users) will find a day when we can legitimately use the products we pay for, in a meaninful manner, and without security woes.
It's not what you can do, it's how you do it that counts - phorm
Now let's say you notice that my HP server is likely to be compromised. But there's a law in place that says HP can sue you if you tell me, because that violates their cracker security, which consists in not letting people who might be malicious know that the rear door of an HP could be a tempting target.
Exactly why should HP deserve a legal protection that no sane person would give to Ford, when in both cases the customers are far better off with the knowledge?
"with their freedom lost all virtue lose" - Milton
I would have thought most of the white hats would give up, seeing how most people seem to wear dark black sunglasses when determining how white/gray/black a hat is....
Kjella
Live today, because you never know what tomorrow brings
really? ok.. so do you investigate hardware designs and modify equipment that YOU PURCHASED as a hobby? if so then you are a Black hat and need to go to jail by your definition.
Security means nothing with the term hacker unless you are an un-educated manager. What you are referring to is a cracker and a completely different individual....
Please, get a clue as to what term is what. I dont care what the illeterate media calls them or how they use the term... a HACKER is not a criminal but a software and hardware genius...
A CRACKER tries to break into systems or bypass security. Why is this so hard for people to understand? The drivel that spews forth from the anchorwoman/man's mouth does NOT make it truth.
Do not look at laser with remaining good eye.
Almost all major players in the security field nowadays sell early access to information on unpublished vulnerablities (or let others sell it). Therefore, "responsible disclosure" is important: not only have vendors a comfortable time frame for dealing with problems, but the information is also more valuable if its distribution is limited for a longer period of time.
Of course, this hasn't got to do much with security anymore, it's all about making profit and a feeling of security. After all, when you learn about a new, critical defect in Windows or some component of the GNU/Linux system, there's already a patch (at least in most cases, and the other ones are so obscure that you don't understand what's going on, so you really can't be bothered by them). So it's not that bad if you run software which is poorly designed and sluggishly implemented, isn't it? The whitehats will keep everything in control, and thanks to the new DMCA law, we can safely tell them from the blackhats!
sigh
(And BTW, the "responsible disclosure" document is referenced quite a lot for a withdrawn Internet Draft.)
I fully support the use of the alternate term "cracker" to refer to people who use hacker-like skills (or often, no skill just downloaded cracker kits) to vandalise whatever system they can manage to crack. Yes, some hackers get sucked into these activities at some point in their development, but that doesn't mean it is condoned by the hacker ethic.
How about some analogies. When you check the door of the business down the street and find it unlocked, is it legal so wander around inside and see what you find? No, but if you didn't do any damage, it shouldn't be more than a legal slap on the wrist. If when you tried the door, you triggered the alarm, or some damage was done just by trying it, you can expect someone to be pissed off, and maybe prosecute you when you try it again on another business.
If a responsible third party closely inspects and tests the security perimiter around your nuclear, chemical or biological plant, and finds vulnerabilities, what should be done? Right, first they tell you and the relevent government authorities, and if there is no real response for a reasonable period of time, tell someone else (press, other trusted third party, etc.).
What is going on now is a typical corporate response, and it is exactly the same as using SLAPP lawsuits to silence critics. It is evil and anyone getting hit by such tactics should get help from advocacy groups. Of course, staying away from controversy is one approach, but it doesn't give you good hacker-karma.
While the ethics of cracking have always been interesting, the legality has never been an issue. It is, and for years has been, a crime, essentially, merely to knowingly obtain unauthorized access or to exceed authorized access to a computer owned by another. [Alas, many companies have injudiciously asserted these criminal charges against former consultants, merely to beat a bill with a nasty counterclaim.]
However popular it is to join the bandwagon railing against the DMCA anti-circumvention provisions (people seem to forget that the DMCA is itself an omnibus of technical and non-technical issues, good, bad and indifferent, and ranging from boat-hull designs to ISP immunities), the article's focus on DMCA is misplaced -- almost irresponsibly so.
The big guns against cracking conduct have been in place for years, and well before DMCA: The Computer Fraud and Abuse Act, the ECPA and countless state computer crime and regular theft statutes. All of these tend to be much broader in scope and reach, and far easier to prove and enforce. After the enhancements (from a prosecutor's point of view) made in the USA-PATRIOT Act, CFAA has become an even more powerful tool. The FBI didn't need a DMCA to get Kevin.
At the end of the day, the HP nonsense was just that: nonsense. The reason the HP DMCA threat was never pressed was simple -- it was a no-play claim, and everybody knew it. However, there are and have for years been a kazillion laws to beat up on anybody who engages in unauthorized access or exceeding authorized access of any kind, and regardless whether the conduct amounts to any circumvention of an effective copyright protection scheme.
I'm not arguing cracker ethics, or defending DMCA. I'm simply saying that the focus of the article is wildly misplaced. DMCA is just barely an interesting curiousity in the enforcement quiver -- so far as real cracking goes, it isn't even a fourth-string defense except in the oddest cases.
Since when is giving out information unethical? I find a flaw in something - anything - and somebody asks me about it, I am going to tell that person what the flaw is. If my wife buys a car that she will be travelling around with my little girl in and my wife asks if there are any problems with the car the salesman has to tell my wife about any flaws. If I find a problem with the tires that causes the car to flip I anm going to tell people about it. This is the nature of information.
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public.
Congrats on getting the bank to do something. And your sentence makes it clear that you feel that you deserve the credit for getting the bank to fix this.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publically-disclosed exploit to cause significant damage to the accounts of one or more bank's customers? Would you be willing to take the blame for this? Yes, the bank should have fixed the problem and you gave them ample opportunity to solve the problem themselves. But I would argue that, yes, you do bear some responsibility in this case. But that's just my opinion. I am curious what yours is.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disasterous consequences? If so, then I salute you as a fair man/woman/slashkitty. If not, I wish I could smack you upside the head.
GMD
watch this
There is no real distinction between hacker and cracker.
The tools, tricks, and procedures used by one are used by the other. The original hackers were the original crackers. It was fun to break into things (be it your radio, your telephone, your telephone network, or someones computer system). Well whats the fun in just being there if no one knows you were there. This is where data stealing, or defacing came in. All the way back when the hack/crack was as simple as making a score board say MIT, when they didn't have a sports team, let alone being involved in the specific contest.
To you and me, it is obvious where a prank ends, and malicious intent begins. To the person that has to clean up the prank, it is all malicious. So to you an me, there is a distinction between hacker and cracker, but to the laymen, they are the same. Not because they don't know any better, but because to them the outcome is the same. And now with the DMCA and the like, the line is clearer.
And before someone says kernel hacker, the prankster hacker is where the term originated. So if anyone is using the term incorrectly, they are probably the ones that should get the chastising. Kernel hacking is such a small and specific subset of the word, it isn't what the term was created for, nor does it truly represent the standard.
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor busines models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, dbas, etc) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and find ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth" which is anathma to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article point out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
The argument that you need to publish to the whole world instantly is absurd. Sure, a couple vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligable because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).
The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.
Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
"Narrow them down to a simple choice. Make them think it's their own." - Luke, on salesmanship
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
If I bought a truck, and the seatbelt linkage into the truck's frame was faulty and likely to fail in a crash, then I suspect I'd write a letter to Consumer Reports reporting it. I'd probably also write a letter to the company. The fact that I would have had to take apart a portion of the truck to find the fault would make NO difference. No one would say it was illegal, no one would complain that I was 'gray hat' or 'black hat'. I bought the truck, the truck had a problem, I told people. Big deal.
If I took apart someone else's truck without asking for permission, I suspect I'd just get my ass kicked. But, charges could of course be filed by the owner of the truck as well.
Why is it different with computers? Why are there people here saying that someone who looks at something they've legally purchased and find flaws with it are ethically in the wrong? And why should they not be able to speak up about it? The article is about a guy who reverse-engineered something on his own system. He didn't hack anyone else's system. What is wrong with that? I'm seeing tons of posts saying that all gray hats are black hats, or that ethically gray hat hacking is wrong although they do it anyway, and lots of garbage like that. What is gray at all about experimenting on your own machine when you've purchased the software?!? The whole gray/black/white hat stuff to me only applies (in any way, even if it is all b.s.) when you're poking into *other* people's computers.
Yes, if you find a hole, it's polite to everyone to give the company a chance to fix it before going public. But - that's a polite social thing to do. I see nothing wrong with telling an emporer or anyone else that they are butt naked. And if I feel like it, I should be able to tell everyone that the emporer is butt naked without asking his permission. That's called freedom of speech.
I write code.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publically-disclosed exploit to cause significant damage to the accounts of one or more bank's customers? Would you be willing to take the blame for this?
The fact that an attack is performed shortly after the weakness is disclosed does not mean that (a) the attack would not have been performed had the weakness not been disclosed or (b) that the disclosure had any relationship whatsoever with the attack.
What's very clear, however, is that the correction of the defect has a direct, causal relationship with the public disclosure.
Certainly, public disclosure increases the odds of an attack, but it does not increase them from from zero, and disclosure which results in the correction of the defect reduces them from the previously-unknown value to zero.
In most cases, the bank's customers are better served by public disclosure. For one thing, it lets them know that their bank behaves irresponsibly with their money, and gives them a good hint that they should take their business elsewhere.
I would agree that it's irresponsible to publish software that automates an exploit, and that doing so might place the author at fault, to some degree. Publishing the vulnerability on a secret crackers-only forum would be thoroughly reprehensible. And it's both polite and good for the bank's customers to give the bank a chance to fix the problem themselves before going public. But if the bank isn't willing to protect its customers unless its nose is publically rubbed in the problem, then the responsible thing to do is to go public.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disasterous consequences?
You have it backwards. The poster would be at fault if he had continued to keep it quiet until the customers' accounts had been emptied. The only difference is that there would be no one trying to apportion blame to him, so that is an /easier/ approach. But a much less moral one.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Like he said... down hill.
It's unfortunate that the legal system tends to look more at actions instead of inactions. Did you ever see the final episode of "Seinfeld"?
I feel that there is less RISK to users if they know which company / product / website is more risky to use, and know which companies keep up to date on fixing things.
In the end, in my case, the type of bug in the bank's site had been listed in CERT for 2 years, along with how to fix it. I think that it's clearly the company's fault for not building a safe website.
-- these are only opinions and they might not be mine.
WHITE
Hacks systems at the request of the system owner to find vulnerabilities. Helps system administrator eliminate obvious holes first. Gets a paycheck and free lunches from the IT manager.
GRAY
Inconsiderately hacks systems without the knowledge of the system owner, blinded by his good intentions. Notifies system administrator about holes in the system. Receives suspicion and a subpoena, gets free representation.
BLACK
Cracks systems in search of personal booty and root exploits. His back-door scripts leave no traces. Notifies the world by rerouting all requests for the public site to goatse.cx. Never gets caught, gets all the chicks.
-- thinkyhead software and media
... and so should yours, if you're worried about this stuff. Go here and send them a hundred dollars. You'll be glad you did.
If the community keeps all the hacks secret all software will be secure. No one will need to patch their systems. Personal firewalls will no longer be needed. Anti-Virus will a thing of the past. I think this is what the white house and other insecurity, are really trying to tell all of you. Don't share and don't hack. That way no one know about a hole. ie, China will be the only place that can hack into your system. Well including the government, MPAA, RIAA. Remember if you don't know they are doing it. It's not illegal. So IF are smart enough to find a hole, don't tell and OWN THE SYSTEM. At this rate it won't be patched and they most likely won't even know your there. This is how our government is going to protect us.
I don't suffer from insanity, I enjoy every minute of it.
I agree that if your Gray then your black. You might be Black with good intentions.. but your still black.
It's like breaking into a store; simply to warn the store owner that you could break into a store.. no different. Or to use a popular theme in other postings regarding a house with an Open sign on it. NO! It's more like going up to a house, trying all the doors and windows till you find one that is open.
Unless you are specifically asked by a company owner or software maker to exploit security holes, you shouldn't be doing it. If your concerned about security of the source, then choose a OpenSource alternative or write your own. If your using a COTS, then ask the publisher for permission to test the software for security holes, most will allow you as long as your a paying customer. If they don't, you probably don't want to be using that software vendor's appliction anyways.
It's all about property people and respecting peoples privacy. Yes, it would be a utopian society if everybody could be online without fears of your network being compromised, and that's not reality obviously. But we don't need vigilanties running around exploiting everybodies software or network just because they can. It's not research its criminal; you've breached somebodies privacy even if you didn't do damage. If you want to practice, setup your own private network with software that allow's you to do as such. An no, I don't agree at all with the penalties associated with violations of the DMCA. They are outrageous and should be removed and educated individuals should re-establish new ones.I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today. We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.
If I went to my bank and noticed the door to the vault was open, I would tell the manager about it.
If I came back the next day and it was still open, I would close my account. I would also feel ethically obliged to tell all the other customers at that bank that their money isn't secure.
A: Do you agree with that, in the terms of the analogy? (physical bank; physical door)
B: Does the analogy become any different when a computer is involved?
One person, and one person only, is responsible for a malicious exploit: the person who performed the exploit.
Networking protocols were designed for sharing information. There are (relatively) easy ways to ensure that only authorized recipients get information through these protocols. If a security system allows me access to parts of an internetwork, I have no reason to think I'm an unauthorized recipient of the information on that network.
All's true that is mistrusted
Can we at least get away from the terrible analogy of:
"Ok, say you someone breaks into your house/car/business but doesn't steal anything" to mirror the actions of "hacking"?
Yes, it really sounds like it might be a good analogy, but computers are absolutely none of the above.
There is no such thing as a nice citizen who comes around to your house and checks to make sure your door is locked and your jewelry is secured in your house. There never has been, there never will be, and there never will need to be, because the Internet is a way different medium than the real world.
Analogies are great for helping geeks explain computer terms to non-computer people, but no matter how you slice it an apple will never be an orange.
A prime example of how it doesn't work is in software "hacking". If a major gaping security hole in someone's software exists, it is something that desperately needs to be fixed immediately and brought to people's attention.
Imagine something simple like an IIS bug (no way!) that allows people to download the source code for some script on your server that includes things like database and system passwords. Some well meaning (gray) hacker tells Microsoft about this, and gets tossed in jail. Meanwhile the same exploit is found at the same time by a malicious (black) cracker, who tells all his l337 script kiddie friends and before you know it some poor startup companies have just given out credit card numbers and secure corporate information to exactly the wrong kind of people.
Where is the white hat in all this?
Oh, he thought about the exploit, but didn't look into it because that sort of thing is naughty and he might get his pretty little white hat dirty.
Testing security measures and breaking software is absolutely necessary if we want to keep robust efficient systems across the country.
Do you really think other countries prosecute their L337 cR4X0rs when they break into our untested unsecured networks?
There have been hackers ever since there have been computers, and it needs to stay that way or we will all find ourselves up that silicon creek without a paddle.
My job (and my hobbies) involves legally acquiring software and hardware and testing it, tearing it apart, looking for weak spots.
That includes purchasing items like a Cisco PIX or a software firewall, testing for security holes, and often extends to writing and executing working exploits for these holes, on legally acquired copies running in my test lab.
These actions may violate the vendor's EULA. But they do not ever involving penatration of the network, host, or data belonging to an innocent third-party. Do these acts make me a black hat?
Neither I personally nor my employers trust the publisher to do their own testing and report honestly on the results.If my customer agrees, I report issues to the vendor. If they not respond, and if my customer agrees, I will post some or all information to a full-disclosure list. What color is my hat now?
While it may be in violation of the law or a civil transgression to "test" software after purchasing a legally licensed copy, I do not agree that such testing turns a grey hat to black.
I've breached whose privacy? That of the vendor who wrote the software or designed the hardware?
If I legally acquire software and hardware, install it on my private testbed, then exploit the software (locally, in my "sandbox"), it most certainly is research. It may also be criminal. If I take the results of my tests and publish them, that too is research, and under the DMCA or certain EULAs, may be unlawful.
Regardless of how the laws are contorted to depict my actions, I will not accept the label of "black hat" on this basis.
I do not deploy Linux. Ever.
The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)
The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.
The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.
Yes, it can be "the lesser harm" to publish.I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.
Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.
In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously.I do not deploy Linux. Ever.
The only effective way to get many compaines to fix problems is blackmail which is technicaly illegal just about everywhere. There is something wrong when you have to break the law to get your vendor to fix something.
The page says a black hat will not disclose their hacks and use them for their own gain. That sounds like me. I run unix boxes and I think Windows in most cases is trash. When a client says they are as secure, I've been known to show them why they aren't. I've had one client get all upset since I wouldn't explain to MS how I took down their secure box. MS isn't paying me and they have done enough boneheaded things to make my life hell at times. I'm not going to do anything else that helps gates and his evil minions make my job harder.
There are some very intelligent people coding for black hats. Many of the brightest people on the legitimate side of network security honed their skills as a black hat, then had a change of heart in the past few years as the threat of criminal charges grew larger, or after suddenly realizing that having a house, a wife, and kids changes your priorities. However, the pool of exploitable machines would be much much larger.
Restricting public exposure of holes has been tried, and found wanting. Limited distribution of the details of holes was the unwritten law in the 1980's and early 1990s (anybody remember the 'core' list?). This is why the creation of Bugtraq in 1993 was such a big deal. Prior to that, vulnerability information was carefully controlled, distributed to a limited pool of "trusted" admins... including the "daytime personas" of a number of black hats.
This approach did little to keep the black hats from learning about new vulnerabilities and writing exploits, and put little pressure on vendors to patch their software or pro-actively work to limit security holes.
Full-disclosure may not be ideal, but it is better than the alternatives.
I do not deploy Linux. Ever.
Hell yes, it matters. If you fuck up a company's data, or possibly worse, take a company's data and sell it to their competitor, then that's a crime. The same as if I happened to leave my front door unlocked, it's still a crime for someone to come in and steal my TV. That's the difference between white and black hats.
And then there's the ultimate "black-hat" attack - the DDOS. Requires little or no skill, just the ability to use some scripts off the web. Doesn't teach you anything. Just fucks up everything for the ppl attacked and for anyone trying to use their systems, without any gains for anyone except the immature little wanker sat giggling in his bedroom.
I'm 100% anti-DMCA for its restrictions on reverse-engineering. But I'm 100% *for* fucking over the script kiddies.
The "gray hat" thing is harder. RFPolicy is a good start towards this - get a standard code of conduct and everyone knows where they are. If you're genuinely not interested in hurting the affected people, give them a chance to respond and fix it, and then take the kudos. Hell, anyone who's ever worked in software knows that you never find all the bugs - even NASA can't manage that, for all its budget and procedures! - so this in-depth testing helps everyone. And this also provides a stick with the carrot - the software company *does* have to respond in a timely manner to alerts, bcos otherwise their product will get cracked.
"Then screw them" is one argument, but it assumes you're not affected. Suppose you happen to have one of those servers? Remember, it's not really the software companies affected, it's anyone who uses that company's products. So if someone finds a vulnerability in the Apache software and then cracks your server wide open, wiping all your data in the process, it's *you* that's suffered, not the Apache team who were slow in responding to the alert.
Grab.
The fact that I did not obtain the publisher's permission does not magically redefine my activity to be "not research".
I bought a sports car. I don't think it goes fast enough. I swap out the intake system, have a machine shop rebore the engine, and I extract the manufacturer's ROM, edit the ROM image to tune the pre-computed fuel curve table, and burn a new ROM for myself.
All of this activity I define as "research". The car manufacturer might not agree, and will void my warranty. But the fact that I do not have permission from them to "hack" my car does not change the definition of my research to something else, it only changes my relationship with the vendor, and precludes me from obtaining future "tech support" from the vendor.
My clients choose to use non-open-source products. They choose to pay me to perform "research" on these products and supply my results either exclusively to my client, or to Bugtraq. I accept my client's conditions, and perform research for them.The fact that the company that sold them the hardware or software did not agree to this "research" does not change the definition of my activity.
If my client was "Consumer Reports", would you still have a problem with my research?
Consumer Reports buys all the items they test from retail outlets, and does not ask the manufacturer for permission to perform their "research": http://www.consumerreports.org/static/popup/didyou know.html
I do not deploy Linux. Ever.
You are a humorless moron.
-- thinkyhead software and media
a HACKER is not a criminal but a software and hardware genius...
A CRACKER tries to break into systems or bypass security.
That's true, but would you be more scared of a guy waving his axe around hacking things, or a salty biscuit that you crush up and put into your chicken soup?
That's why mainstream media says "hacker"
Y2K Compliant since the late 1890s