Hacking Ethics

In his introduction to the book Secrets of a super hacker,
writer Gareth Branwyn describes the different images
that hackers have had over the thirty-odd years
prior to the book's publication.
He mentions how
in the 60s and 70s hackers had the profile of "independent scientists."
Their ethics centered on the belief
that every hacker should have access to the information and tools
that would help them improve society.
This benevolent goal is reflected in the first meaning of hacking,
used by engineering students,
which was to figure out
how to optimize the technology under study.

Well-intentioned hackers not only worked
with their entitlement to information in mind
but also with mankind’s.
The book,
authored by the hacker known as The Knightmare,
lists ideals of human rights regarding the free flow of information.
These include that everyone be made aware of the information that exists,
be given free access to it
and have their ideas and questions heard.
And each individual should be able to control
how their own personal information is used.
The author then defines hacking
as the pursuit of these and related ideals by means of computers.
It’s easy for us now to see the attitude of early hackers
present in the Cyberpunk
and the Anonymous
manifestos.

Branwyn explores the different myths
that have fueled hacker fantasies
of being tech-enabled nomads in an unforgiving world,
such as the hacker as a cowboy, pirate or cyborg.
I would expect you too find the image of the hacker hero the most compelling.
In a society where those having the brains are mocked and hurt
by those having the brawn,
the computer “nerd” finds in cyberspace a place
where they are allowed to be the badass that defeats the latter
to help people regain their freedom.

Still,
the actions of hacktivists and the like spark mixed feelings in people,
feelings kindled by the media
and perhaps matching people's own political inclinations.
Less divisive, though, are opinions about the crimes
committed by malicious hackers.
It’s in the 80s and 90s that the prosecution and waves of arrests
of computer-savvy individuals with less-than-honorable intentions
started in earnest.

The book foresaw
that in the future computer terrorism would present itself
in a significant way.
It has, all right.
Today we’ve already heard many different names of ransomware gangs
and know that cyberattacks of many kinds are happening worldwide
at this very moment,
representing a considerable cost to victims.
Meanwhile, cybersecurity is ever trying to counteract the force of cybercrime.

To fight against malicious threat actors,
the best bet has been to test system security preventively
through the eyes of the attacker.
Luckily for cyber security, hacking can be done legally today.
Regular readers of this blog may remember our post "Think like a hacker!"
There,
we urge organizations to understand how malicious hackers work,
as well as hire professionals to try to penetrate the organizations' defenses
and report the weaknesses they detect.
The strategy of hiring well-meaning hackers to do good is far from new.
And it was striking to me,
as it might be to you too,
learning that in the beginning these hackers were often cybercriminals
who had cleaned up their act.
The hired hackers formed “tiger teams”
and helped governments and agencies improve their cybersecurity.
Also from the beginning,
there have been hackers who work as self-appointed security checkers
and tip off firms about security problems in their systems.

With so much information and gratification to be gained from hacking
into systems,
it is a great feat of white hat hackers
that they do not let curiosity get the better of them
and instead abide by some code of ethics.
Yet we could wonder
whether such a code needs to be expressly spelled out in,
say, official documents.
Actually,
as journalist Steven Levy wrote in a book chapter titled "The hacker ethic,"
no manifestos nor missionaries had to drill principles
into the early hacker community;
rather, "[t]he computer did the converting."
It's possible to relate this to what some authors argue,
namely,
that respect for computers and information
grows with computing expertise,
and that a lack of ability, or of respect
for the integrity of systems, is looked down upon by white hat hackers.

But a problem which may justify formulating an ethics of hacking is
that the work of malicious hackers and that of ethical hackers
demand the same aptitudes.
We have sketched elsewhere
the behavior that both groups demonstrate:
patience, determination, cleverness and curiosity
during exploration and exploitation.
One reinforcer of these behaviors may be the pleasure
found in feelings of pride in oneself and of recognition by others
(both apparent in The Knightmare's narrations).
Where do we draw the line?
Well,
one commonly referenced trigger of computer criminal behavior
appears to be greed.
And this aligns with the primary motivation of cyberattacks,
which is most often monetary gain.
Other than that,
considering motivations like political dissatisfaction,
risk-taking,
building a reputation
or war
seems to take us back to square one.
The stark difference may be found instead
in the effects of each group’s practices.
Ethics enters the stage then to regulate hackers in this regard.

Fortunately,
we’re not short of codes of ethics to choose from.
Most conveniently,
The Knightmare's is appropriate here,
as it considers the effects of hacker practice.
It states the following principles,
which I paraphrase here:

  • A hacker should never willfully harm, alter or damage
    any technology or person.

  • In case that damage has been done,
    the hacker should correct it and then avoid doing the same damage again.

  • A hacker should not profit unfairly from a hack
    and should not let others do so.

  • A hacker should inform system owners
    of the security vulnerabilities and weaknesses found.

  • A hacker should teach when asked to teach,
    and share when they have knowledge to spread.
    (The author adds: “This isn’t necessary, it is politeness.”)

  • A hacker should be aware of their potential vulnerability
    in all computing environments,
    even in the role of hacker.
    “Act discreetly,” the author says.

  • A hacker should persevere but not be stupid nor take greedy risks.

Also,
The Knightmare offers a couple of tips.
One is to surround oneself with people who follow the same code
or a similar one.
Another is to show honesty and compassion in one's actions,
which will lead others to act in the same way
and save the hacker the troubles that may arise from unkindness.

Some time has passed since Secrets of a super hacker
came out.
The context has evolved,
and among the changes are the affiliation
and certification of ethical hackers.
As I said,
there are plenty more codes of ethics,
and they may offer some items
that could be added to the list above.
For example,
the International Council of E-Commerce Consultants (EC-Council),
which issues the Certified Ethical Hacker (CEH) certification,
offers its own code of ethics.
Among its code's 18 items,
this institution asks hackers to respect intellectual property,
avoid using illegal software or processes,
gain prior consent from clients to collect
and handle information during hacking,
check that their (the hacker's) abilities are up to the tasks,
manage projects well,
not associate with black hat hackers,
and not have been convicted of any felony or violation of the law of the land.
Moreover,
some institutions,
like GIAC,
which issues several information security certifications,
officially state that they will investigate
violations of their code of ethics
and subject transgressors to disciplinary action.

To conclude,
even though hacking was born a benevolent undertaking,
and though it may seem like the codes of ethics just underscore
being a decent person,
it is now part of a legitimate professional path.
And,
as with the activities of any other profession,
which may also cross the line into corruption,
it serves the interests of hackers and their clients quite well
to try to guarantee
that hacking is done with the good of the systems,
their users
and their owners in mind.

Fluid Attacks' certified ethical hackers
and vulnerability scanner
look for vulnerabilities in your system continuously
throughout your software development lifecycle (SDLC).
Contact us to ask about our service.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/hacking-ethics/