Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between."
One could take that to mean that early "white hat" hackers served their purpose successfully. By roaming through corporate systems, they managed to call attention to a lot of gaping security flaws that ended up getting fixed.
Also, roaming through corporate streams was a necessity for hard-core geeks in the days when Internet connectivity was prohibitively expensive. Much of what recreational hackers were "borrowing" other people's network resources for can now be done on a common consumer connection.
Information wants to be anthropomorphized.
The question "Do we really need a hat?" from someone whose blog is at whitehatorganization.com
Yes, apparently you really need a hat.
It seems to me that giving companies time to fix their holes is always a Good Thing (tm) but that a lack of public disclosure by a 3rd-party will only help obscure legitimate problems. People with the attitudes similar to that of Peter Lindstrom* demonstrate, to me at least, a lack of care towards users and their potentially open/vulnerable systems. One of the easiest ways to get a slow company to fix something seems to be to talk about it in the press.
* quote: ("If you are gray, you are black," Lindstrom said. "It's not that I don't understand what they are trying to do, but it comes down to what you are actually doing.")
In Soviet Russia...michael would be rotting in Siberia!
The days aren't gone, but now we must use techniques that will keep all of our tracks hidden.
One of the largest holes that I currently see is the lack of any security on all of the wireless networks! You can load a machine up and use a card with a MAC address that you use for nothing but hacking and NEVER be caught. The good ole days aren't gone, but the good ole days are here right now. UNTRACEABLE baby, with COTS equipment at that. From my house with a 24db antenna I can see ten networks that are not encrypted. I was threatened with a lawsuit recently when I informed a company of an unencrypted network that I found while driving to my house, I will never do that again, but now I will keep them to myself just in case I want to do some "gray" actions. Don't get me wrong, I don't go around destroying networks, but with wireless in the state that it is in today, I could definitely do that.
Cheers
traipsing into someone's computer isn't exactly ethically RIGHT
I was under the impression that right and wrong were mutually exclusive. If it's not right then it has to be wrong. If you "traipse" into my computer you will go to jail. Pretty simple. Should I be able to pop the hood on your car if it's in the parking lot of Wal-Mart because I'm curious as to how your car is different from mine? What about your house? I'm interested in the architectural differences between our houses, so I break into your house because of my "curiosity." Please try to refrain from ridiculousness in the future.
"Herbivores eat well cause their food never, ever runs."
Facter writes "There is a great article at CNet..." but I wasn't so impressed. This example of Kevin Finisterre isn't really that amazing. Finisterre's employee publicly disclosed the vulnerability. You gotta expect to piss off HP when you do something like that. Look, I'm a fan of open-source software and I understand that publicly disclosing software bugs is one way of motivating a lazy company to plug those holes but I'm not sure you can really defend this ethically. If you find a bug in Company A's software, then let A know about it. If A decides not to do anything about it (or if they are taking longer to plug the hole than you thought) I don't see how you are morally justified in leaking that info to the world.
Finisterre, who was not hired by HP, now says he'll think twice before voluntarily informing another company of any security holes he finds.
This is just silly. If he had just informed HP, there wouldn't have been a problem. However, his employee decided to inform the entire world and that's what triggered HP's retaliation. If Finisterre and his employees restrict themselves to informing the company, they should be okay.
The rest of the CNET article is okay. But starting off with such a stupid example really weakens the story. They could have started off this story with the Sklyarov example. That would make a stronger case for the idiocy of the DMCA.
GMD
watch this
Where do you draw the line? Are the only sanctioned hackers the ones that work for a security company? Personally, if I'm using software, I want to find out about any vulnerability that exists. If I find one, I want to report it. I have no trouble reporting it to only the company that produced the software, but let's face it...they don't always respond with a patch or a fix. If you've taken the legit route and the company has done nothing, I don't see a problem reporting it. I think this is a notable difference between the Hats.
Not to sound like I'm getting up on my soapbox (I'm not), but it's one of the reasons I like Linux software. I know that if someone finds a problem with bind/apache/ftp that a fix is going to be published somewhere I'll read it (fyi, I don't go surfing the Microsoft website for patches) and I can fix the hole. It's comforting, and that's the defense I give people when they ask why they should use OSS for secure systems.
--trb
Well, if you leave your car's hood propped open, with a flashing blue light on top of it. Or if you prominently display your house with open doors (commonly known as an "open house", at least in america, they're kept near the entrance to new neighborhoods, specifically so people can come in and examine the workmanship and . . . architecture).
funny munging
If you continue to break the law, you should go to jail
Ok. So you realize that merely reporting a security hole in a protocol to a company, with working source code, is a violation of the DMCA?
So, as a "security professional" you have now broken the law and should go to jail.
If we want to be sane about the situation then people trying to uphold themselves as being better than black hats need to get off their high horse. Realize that if you've found a security hole in a product then you're probably not the only one. And yes, you should dutifully report it to the company with enough data/code for them to verify your claim, and give them time to address it (which is a key issue - how long is long enough?).
But what happens when they don't fix it? Do you just decide that you've done your duty and ignore the fact that someone else out there either has or will discover the hole and exploit it? Or do you report it to a public independent organization like BugTraq? To whom do you owe loyalty? The company producing the product, or to the customers who are being left hanging in the breeze by the company?
I'll admit that I'm no hacker or security professional, but as a programmer I'd damn well want you to do the latter. It's called whistleblowing, and it's accepted as a viable method to right wrongs when other attempts to solve a problem have failed. This isn't a new concept, nor is it limited to the computer world. The only real difference is the speed at which companies are expected (and needed) to act.
White hat and black hat are necessary distinctions. Either someone intends to cause harm, or does not. Those terms are an easy way of explaining to the average layperson that there are 'good' and 'bad' hackers, otherwise they'll lump us all together.
The 'bull' is that there is no longer a 'gray hat' hacker. The elimination of the 'gray areas' is a legality, and a stupid one, at that. It is not a reality. Hackers will still walk the line, and things they do will still be thought of as "good", "bad", or "fuzzy line down the middle". The only difference is that the DMCA has moved the line of acceptable actions so far over, that people can be White Hat hackers and still end up being persecuted under the DMCA for doing something that even the majority of the population would consider "GOOD" as opposed to bad.
This doesn't mean that the hackers are "black hat", and it's stupid to imply so.
-Sara
Now let's say you notice that my HP server is likely to be compromised. But there's a law in place that says HP can sue you if you tell me, because that violates their cracker security, which consists in not letting people who might be malicious know that the rear door of an HP could be a tempting target.
Exactly why should HP deserve a legal protection that no sane person would give to Ford, when in both cases the customers are far better off with the knowledge?
"with their freedom lost all virtue lose" - Milton
I fully support the use of the alternate term "cracker" to refer to people who use hacker-like skills (or often, no skill just downloaded cracker kits) to vandalise whatever system they can manage to crack. Yes, some hackers get sucked into these activities at some point in their development, but that doesn't mean it is condoned by the hacker ethic.
How about some analogies. When you check the door of the business down the street and find it unlocked, is it legal to wander around inside and see what you find? No, but if you didn't do any damage, it shouldn't be more than a legal slap on the wrist. If when you tried the door, you triggered the alarm, or some damage was done just by trying it, you can expect someone to be pissed off, and maybe prosecute you when you try it again on another business.
If a responsible third party closely inspects and tests the security perimeter around your nuclear, chemical or biological plant, and finds vulnerabilities, what should be done? Right, first they tell you and the relevant government authorities, and if there is no real response for a reasonable period of time, tell someone else (press, other trusted third party, etc.).
What is going on now is a typical corporate response, and it is exactly the same as using SLAPP lawsuits to silence critics. It is evil and anyone getting hit by such tactics should get help from advocacy groups. Of course, staying away from controversy is one approach, but it doesn't give you good hacker-karma.
While the ethics of cracking have always been interesting, the legality has never been an issue. It is, and for years has been, a crime, essentially, merely to knowingly obtain unauthorized access or to exceed authorized access to a computer owned by another. [Alas, many companies have injudiciously asserted these criminal charges against former consultants, merely to beat a bill with a nasty counterclaim.]
However popular it is to join the bandwagon railing against the DMCA anti-circumvention provisions (people seem to forget that the DMCA is itself an omnibus of technical and non-technical issues, good, bad and indifferent, and ranging from boat-hull designs to ISP immunities), the article's focus on DMCA is misplaced -- almost irresponsibly so.
The big guns against cracking conduct have been in place for years, and well before DMCA: The Computer Fraud and Abuse Act, the ECPA and countless state computer crime and regular theft statutes. All of these tend to be much broader in scope and reach, and far easier to prove and enforce. After the enhancements (from a prosecutor's point of view) made in the USA-PATRIOT Act, CFAA has become an even more powerful tool. The FBI didn't need a DMCA to get Kevin.
At the end of the day, the HP nonsense was just that: nonsense. The reason the HP DMCA threat was never pressed was simple -- it was a no-play claim, and everybody knew it. However, there are and have for years been a kazillion laws to beat up on anybody who engages in unauthorized access or exceeding authorized access of any kind, and regardless whether the conduct amounts to any circumvention of an effective copyright protection scheme.
I'm not arguing cracker ethics, or defending DMCA. I'm simply saying that the focus of the article is wildly misplaced. DMCA is just barely an interesting curiosity in the enforcement quiver -- so far as real cracking goes, it isn't even a fourth-string defense except in the oddest cases.
Right and Wrong are only mutually exclusive in today's simplistic binary computers, and the minds of some simplistic people.
Should you be able to pop the hood on my car in the Wal-Mart parking lot to see how my car is different than yours? No.
Should you be able to pop the hood on my car to extinguish a fire in the engine compartment and keep it from destroying the vehicle, anything in it, and probably the vehicles on either side? Yes, please do!
But... you still "broke into" my car. Do you want to go to prison and enjoy the tender thrusts of Bubba for your good deed?
If you have an ftp server running on your machine, and I happen to notice it, I feel perfectly justified in connecting to that server. If it allows anonymous logins, I feel fine looking around. If not, I won't sit there and try to guess passwords, as that *would* be wrong.
Yet, if after logging in as an anonymous user, I manage to get access to your filesystem, I would feel obliged to leave you a note, telling you that maybe / isn't the best anonymous ftp root. Would you send me to prison for that? If so, I'd suggest you seek counseling, since you obviously have some personal insecurities and ego problems beyond your server.
The DMCA is an abomination. It creates a situation where one can be punished without actually doing anything beyond research. How many people who just happen to own Sharpies bought them with the criminal intent of listening to protected music CD's? Most of my sharpies pre-date the DMCA, yet I am technically a criminal because they COULD be used to circumvent copy-protection??? All of you out there who have screwdrivers -- you can use those to unscrew poorly secured locks. There, now I'm in trouble for disseminating information about circumvention, and you're all screwed for having the tools. Go Law!
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor business models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, dbas, etc) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and finds ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth" which is anathema to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article points out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarrassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
Hmm... this sounds like an obvious troll, but since you've been modded insightful, I'll byte.
The term "hacker" has a lot of confusion tied to it. Where I come from it's a term of respect for someone's raw technical abilities. A hacker is someone who is so good at taking things apart and understanding them that they can make gadgets and software do things the original designers never dreamed of. If you think everyone fitting that description without "proper approval" belongs in jail you've got another think coming.
Maybe when you say hacker you mean someone who breaks into systems belonging to someone else without permission. Yes, that is a minor criminal act, much like trespassing. And there is no excuse for responsible adults doing such things without very good reason, but kids will be kids. (Sometimes a system is so insecure this can happen by accident.)
The term hacker in general usage today usually covers both the system hacker who gains access to systems not belonging to them as well as the software hacker who takes apart software they have rightfully purchased on their own system. Classically system hacking has been seen as wrong or illegal, but software hacking has always been accepted, and only disclosure has ever been at issue. The DMCA attempts to deal with both in one fell swoop and does so very badly. I take your comment to mean we should just enforce the law to its fullest even while it is changing in subtle and terrible ways.
White hats hide information. It seems they *never* disclose exploit code. Black hats hide information. They only use vulnerabilities for themselves. It would seem to be only Grey hats who hold the advancement of security important by sharing their code and knowledge fully. In fact, I'd say it is highly unethical for a White hat to get a vulnerability fixed without ever disclosing it. Perhaps we need criminal penalties for that as well? It also seems a tragedy that white hats will never be inclined to disclose their exploit code even after a fix has been made. They just don't seem to realize that information sharing really is a power positive good. (wasn't that the hacker ethic?)
Actually there are a whole host of other things White hats can and do that are wrong. Like implanting spyware in a product or being negligent in protecting customer information. I don't see criminal penalties for those...
I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today? We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. Have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear. It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.