Ethics and hacking are two fringe topics that people get interested in. Both affect a lot of people, but few entities invest in understanding their intersection. Here are a few articles and news sources (all support RSS) to whet the appetite.
What is hacking
Nowadays, “hack” usually carries a positive connotation. Geeks love to attend hackathons, programming all-nighters. Hack is also the name of a programming language Facebook uses (based on PHP). But some people still use “hack” for other situations:
- Gaining unauthorized (or unintended!) access to something
- Breaking the security guarantees of a system
The relevant law in the United States related to hacking is the Computer Fraud and Abuse Act (CFAA). It prescribes jail time for accessing a computer without authorization, or for exceeding the access you were authorized to have. Very broad. But ethics and law get murky when a computer system is configured to give more access than was intended.
Resources
- [Cryptome](https://cryptome.org/) posts full disclosures. There are many other topics and theories discussed. But as a primary resource it has lots of good releases.
How is ethics involved?
Maybe the simplest definition of ethics is that it is the study of how two people who disagree on something each convince a third person that they are right. Companies and security researchers have different interests, and this leads to disagreement. Computer systems are widely used by the public and have poor security, so the public is also party to this discussion.
Companies rarely pay for tips related to security on their systems. If they do, the price is a pittance. A person who finds the problems usually has some of these interests:
- Have the system fixed so the public is not vulnerable
- Get public recognition to improve their resume
- Get paid for their contribution
- Exploit the hack for criminal profit
If the security researcher discloses a bug to a vendor, then the vendor may have some conflicting interests:
- Fix the system so the public is not vulnerable
- Learn if they are vulnerable from other bugs
- Avoid hysteria and front-page news coverage, loss of customers
- Prevent the researcher from finding anything else
- Avoid responsibility for having done anything wrong
- Retaliate against the messenger for bringing bad news
This dichotomy leads to laws being passed, court cases, doxing and more. Often this plays out in the public theater.
Resources / case studies from this blog
- A Developer Broke His Decade-Long Silence to Expose This Bank’s Cybersecurity Cover-Up
- American Express Prepaid Holiday Cards Vulnerable to Enumeration Attack
What is ethical hacking?
The security researchers’ interests are maximized if vendors will:
- Provide strong guarantees about the security of their systems
- Offer outsized cash payment and recognition if somebody can prove these guarantees are wrong
The vendor’s interests are maximized if would-be researchers will:
- Never poke around or do things they are not expecting
- Sign an NDA if they accidentally find something, never tell anybody, and hopefully die
The public’s interests are maximized if they can:
- Wake up two days in a row without hearing news about how their trust and privacy were violated overnight
In other words, ethical hacking means different things depending on who you ask. Being involved in ethical hacking includes understanding the nuance between these different interests and setting your own moral compass. There is more nuance and discussion to be had based on the above. Here are just a few questions for the reader:
- What is an “outsized” payment? Do researchers really deserve enough money to retire because they found another bug in Internet Explorer? Is this self-aggrandizing?
- If laws and public support strongly disapprove attempting to use systems in unexpected ways, will people stop doing it? Will outsized payment incentivize bad employee behavior?
- Does the public care enough to leave a vendor when they are violated? Does the concept of privacy even exist for digital systems?
Resources
- [US] Federal policy on technology, privacy, and cybersecurity, 2017-2020 is a great collection by Ballotpedia.
- Google’s Project Zero has an introduction that explains a little about their views on ethics and hacking, representing both a vendor and a researcher.
Comments
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.