Slashdot Mirror
Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between.."
IMO, there are hackers, and there are security professionals. If you were a hacker and are now a security professional...great. If you continue to break the law, you should go to jail. Pretty simple, and none of this hat confusion.
"Herbivores eat well cause their food never, ever runs."
You mean Cracker. While some of these people might be hackers I can't think too many of them are. Please I know everyone else uses the term hacker in this way. But can't we use the real term?
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
One could take that to mean that early "white hat" hackers served their purpose successfully. By roaming through corporate systems, they managed to call attention to a lot of gaping security flaws that ended up getting fixed.
Also, roaming through corporate streams was a necessity for hard-core geeks in the days when Internet connectivity was prohibitively expensive. Much of what recreational hackers where "borrowing" other people's network resources for can now be done on a common consumer connection.
Information wants to be anthropomorphized.
It seems to me that giving companies time to fix their holes is always a Good Thing (tm) but that a lack of public disclosure by a 3rd-party will only help obscure legitimate problems. People with the attitudes similar to that of Peter Lindstrom* demonstrate, to me at least, a lack of care towards users and their potentialy open/vulnerable systems. One of the easiest ways to get a slow company to fix something seems to be to talk about it in the press.
* quote: ("If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing.)
In Soviet Russia...michael would be rotting in Siberia!
The days aren't gone, but now we must use techniques that will keep all of our tracks hidden.
One of the largest holes that I currently see is the lack of any security on all of the wireless networks! You can load a machine up and use a card with a MAC address that you use for nothing but hacking and NEVER be caught. The good ole days aren't gone, but the good ole days are here right now. UNTRACEABLE baby, with COTS equipment at that. From my house with a 24db antenna I can see ten networks that are not encrypted. I was thretened with a lawsuit recently when I informed a company of an unencrpted network that I found while driving to my house, I will never do that again, but now I will keep them to myself just incase I want to do some "gray" actions. Don't get me wrong, I don't go around destroying networks, but with wireless in the state that it is in today, I could definately do that.
Cheers
Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term, a climate where disclosing holes is discouraged merely limits access to the information to the so-called "black hats".
Obviously, an environment where most of the flaws and holes are only known by the less scrupulous because you'd lawsuit-threatened the scrupulous out of finding the holes and telling you about them just makes it that much easier for your programs to be hacked and your customer's data to be stolen - and then they definitely won't trust your product.
paintball
traipsing into someone's computer isn't exactly ethically RIGHT
I was under the impression that right and wrong were mutually exclusive. If it's not right then it has to be wrong. If you "traipse" into my computer you will go to jail. Pretty simple. Should I be able to pop the hood on your car if it's in the parking lot of Wal-Mart because I'm curious as to how your car is different from mine. What about your house? I'm interested in the architectural differences between our houses, so I break into your house because of my "curiosity." Please try to refrain from ridiculousness in the future.
"Herbivores eat well cause their food never, ever runs."
Facter writes "There is a great article at CNet..." but I wasn't so impressed. This example of Kevin Finisterre isn't really that amazing. Finisterre's employee publically disclosed the vulnerability. You gotta expect to piss off HP when you do something like that. Look, I'm a fan of open-source software and I understand that publically disclosing software bugs is one way of motivating a lazy company to plug those holes but I'm not sure you can really defend this ethically. If you find a bug in Company A's software, then let A know about it. If A decides not to do anything about it (or if they are taking longer to plug the hole than you thought) I don't see how you are morally justified in leaking that info to the world.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
This is just silly. If he had just informed HP, there wouldn't have been a problem. However, his employee decided to inform the entire world and that's what triggered HP's retalliation. If Finisterre and his employees restrict themselves to informing the company, they should be okay.
The rest of the CNET article is okay. But starting off with such a stupid example really weakens the story. They could have started off this story with the Sklyarov example. That would make a stronger case for the idiocy of the DMCA.
GMD
watch this
Well, if you leave your car's hood propped open, with a flashing blue light on top of it. Or if you prominently display your house with open doors (commonly known as an "open house", at least in america, they're kept near the entrance to new neighborhoods, specifically so people can come in and examine the workmanship and . . . architecture).
funny munging
If you have somebody who's informed a company of their problem, waited for them to do something, and then finally anonymously or semi-anonymously posted the problem, then we have the "security" types that are looking out for all of us. Somebody who posts it as "hey look at me, I hacked XXX/YYY and somebody should fix it" is just looking for fame or possibly profit.
I think that if you can hack a system and then offer a viable fix/solution without the indicated repercussion of telling everyone in the world what the problem is, then you shouldn't be blacklisted as a "black hacker".
However, if you go off and tell everyone that so-and-so's software/network is insecure because they didn't pay you, then you're no better than an extortionist or a crook.
If you've bypassed security on a product that was hindering legitimate users, we have another really hard area to define. Anything that gets done to a company's product generally should be done with the grace of the producing company.
Perhaps one of the biggest problems is those who just jump out and post something on the internet without thinking of the ramifications to the owner/users of the product. If you post a security vulnerability and fix, you may be allowing a certain amount of people to fix the problem, but you're also letting all the hackers out there know where there's easy prey in those that don't see the fix soon enough.
In the same hand, if companies legally lambaste anyone who hacks and then offers a solution to their woes, it only makes things worse.
Corporations with insecure products/networks need to recognise that running for the lawyers isn't always the best solution, while those doing the hacking need to recognise that extortionist/fame mongering/otherwise damaging tactics aren't helping either.
If more companies can work with legitimate hackers in a productive way (as stated in the article, many have internal hackers), without inviting dozens of script-kiddies to poke at their servers, then perhaps one day the important people (we, the end-users) will find a day when we can legitimately use the products we pay for, in a meaninful manner, and without security woes.
It's not what you can do, it's how you do it that counts - phorm
Now let's say you notice that my HP server is likely to be compromised. But there's a law in place that says HP can sue you if you tell me, because that violates their cracker security, which consists in not letting people who might be malicious know that the rear door of an HP could be a tempting target.
Exactly why should HP deserve a legal protection that no sane person would give to Ford, when in both cases the customers are far better off with the knowledge?
"with their freedom lost all virtue lose" - Milton
really? ok.. so do you investigate hardware designs and modify equipment that YOU PURCHASED as a hobby? if so then you are a Black hat and need to go to jail by your definition.
Security means nothing with the term hacker unless you are an un-educated manager. What you are referring to is a cracker and a completely different individual....
Please, get a clue as to what term is what. I dont care what the illeterate media calls them or how they use the term... a HACKER is not a criminal but a software and hardware genius...
A CRACKER tries to break into systems or bypass security. Why is this so hard for people to understand? The drivel that spews forth from the anchorwoman/man's mouth does NOT make it truth.
Do not look at laser with remaining good eye.
I fully support the use of the alternate term "cracker" to refer to people who use hacker-like skills (or often, no skill just downloaded cracker kits) to vandalise whatever system they can manage to crack. Yes, some hackers get sucked into these activities at some point in their development, but that doesn't mean it is condoned by the hacker ethic.
How about some analogies. When you check the door of the business down the street and find it unlocked, is it legal so wander around inside and see what you find? No, but if you didn't do any damage, it shouldn't be more than a legal slap on the wrist. If when you tried the door, you triggered the alarm, or some damage was done just by trying it, you can expect someone to be pissed off, and maybe prosecute you when you try it again on another business.
If a responsible third party closely inspects and tests the security perimiter around your nuclear, chemical or biological plant, and finds vulnerabilities, what should be done? Right, first they tell you and the relevent government authorities, and if there is no real response for a reasonable period of time, tell someone else (press, other trusted third party, etc.).
What is going on now is a typical corporate response, and it is exactly the same as using SLAPP lawsuits to silence critics. It is evil and anyone getting hit by such tactics should get help from advocacy groups. Of course, staying away from controversy is one approach, but it doesn't give you good hacker-karma.
While the ethics of cracking have always been interesting, the legality has never been an issue. It is, and for years has been, a crime, essentially, merely to knowingly obtain unauthorized access or to exceed authorized access to a computer owned by another. [Alas, many companies have injudiciously asserted these criminal charges against former consultants, merely to beat a bill with a nasty counterclaim.]
However popular it is to join the bandwagon railing against the DMCA anti-circumvention provisions (people seem to forget that the DMCA is itself an omnibus of technical and non-technical issues, good, bad and indifferent, and ranging from boat-hull designs to ISP immunities), the article's focus on DMCA is misplaced -- almost irresponsibly so.
The big guns against cracking conduct have been in place for years, and well before DMCA: The Computer Fraud and Abuse Act, the ECPA and countless state computer crime and regular theft statutes. All of these tend to be much broader in scope and reach, and far easier to prove and enforce. After the enhancements (from a prosecutor's point of view) made in the USA-PATRIOT Act, CFAA has become an even more powerful tool. The FBI didn't need a DMCA to get Kevin.
At the end of the day, the HP nonsense was just that: nonsense. The reason the HP DMCA threat was never pressed was simple -- it was a no-play claim, and everybody knew it. However, there are and have for years been a kazillion laws to beat up on anybody who engages in unauthorized access or exceeding authorized access of any kind, and regardless whether the conduct amounts to any circumvention of an effective copyright protection scheme.
I'm not arguing cracker ethics, or defending DMCA. I'm simply saying that the focus of the article is wildly misplaced. DMCA is just barely an interesting curiousity in the enforcement quiver -- so far as real cracking goes, it isn't even a fourth-string defense except in the oddest cases.
Right and Wrong are only mutually exclusive in today's simplistic binary computers, and the minds of some simplistic people.
Should you be able to pop the hood on my car in the Wal-Mart parking lot to see how my car is different than yours? No.
Should you be able to pop the hood on my car to extinguish a fire in the engine compartment and keep it from destroying the vehicle, anything in it, and probably the vehicles on either side? Yes, please do!
But... you still "broke into" my car. Do you want to go to prison and enjoy the tender thrusts of Bubba for your good deed?
If you have an ftp server running on your machine, and I happen to notice it, I feel perfectly justified in connecting to that server. If it allows anonymous logins, I feel fine looking around. If not, I won't sit there and try to guess passwords, as that *would* be wrong.
Yet, if after logging in as an anonymous user, I manage to get access to your filesystem, I would feel obliged to leave you a note, telling you that maybe / isn't the best anonymous ftp root. Would you send me to prison for that? If so, I'd suggest you seek counseling, since you obviously have some personal insecurities and ego problems beyond your server.
The DMCA is an abomination. It creates a situation where one can be punished without actually doing anything beyond research. How many people who just happen to own Sharpies bought them with the criminal intent of listening to protected music CD's? Most of my sharpies pre-date the DMCA, yet I am technically a criminal because they COULD be used to circumvent copy-protection??? All of you out there who have screwdrivers -- you can use those to unscrew poorly secured locks. There, now I'm in trouble for disseminating information about circumvention, and you're all screwed for having the tools. Go Law!
While I'm not familiar with Kevin's case, I've been in a similar situation before. Bank A would not patch their holes in their banking websites. I notified them again and again. After months waiting, I went public. Problem was solved the NEXT DAY! It was simply a matter of getting the right people to make it a priority. I feel that this is completely morally justified and I don't think that the bug was exploited, and I don't think that USERS were harmed just because it was public.
Congrats on getting the bank to do something. And your sentence makes it clear that you feel that you deserve the credit for getting the bank to fix this.
Now I am wondering: what if the bank did not fix this problem the next day? And what if some cracker/con-artist used your publically-disclosed exploit to cause significant damage to the accounts of one or more bank's customers? Would you be willing to take the blame for this? Yes, the bank should have fixed the problem and you gave them ample opportunity to solve the problem themselves. But I would argue that, yes, you do bear some responsibility in this case. But that's just my opinion. I am curious what yours is.
You are very eager to take the credit for a case when a public exploit resulted in something beneficial. Would you also be willing to take the blame if your actions had had disasterous consequences? If so, then I salute you as a fair man/woman/slashkitty. If not, I wish I could smack you upside the head.
GMD
watch this
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor busines models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, dbas, etc) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and find ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth" which is anathma to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article point out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
The argument that you need to publish to the whole world instantly is absurd. Sure, a couple vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligable because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).
The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.
Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today. We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.
The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)
The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.
The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.
Yes, it can be "the lesser harm" to publish.I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.
Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.
In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously.I do not deploy Linux. Ever.