[Infowarrior] - Exploding The Myth Of The 'Ethical Hacker'

Richard Forno rforno at infowarrior.org
Wed Aug 1 07:00:48 CDT 2012


Exploding The Myth Of The 'Ethical Hacker'

Guest post by Conrad Constantine and Dominique Karg

http://www.forbes.com/sites/parmyolson/2012/07/31/exploding-the-myth-of-the-ethical-hacker/print/

Fretful members of U.S. Senate are preparing to debate the Cybersecurity Act of 2012, potentially making it easier for corporations to share data about their users with the authorities. But who are they scared of? In the current lexicon of the cyber security industry, it’s the so-called blackhat hackers who seek to subvert information for their own gain. On the other side of that coin are so-called whitehats, or “ethical” hackers. Two IT security specialists at cyber security firm AlienVault offer 5 reasons why the latter term is best left unsaid:

The subject of whether or not to hire an ‘ethical hacker’ has been debated since the 90’s, albeit with perhaps a little less misdirection back then. We’d argue that the ‘ethical’ hacker simply does not exist, so perhaps the time has come for a new question, about whether we should even use the term “ethical hacker.”

If you find yourself on the wrong side of a locked door, you do not think to yourself ‘I need an ethical locksmith’ – unless you’re a thief, in which case you probably have a whole host of other questions. Instead, you look for a locksmith, pure and simple. You trust that the person that turns up to break your lock will do no more, and no less, than the job you’ve hired him for. Calling him ethical does not legitimize his practice of breaking in.

So why is there a need to justify hiring a hacker by claiming he’s “ethical?” In my opinion, the job title itself is the problem.

Argument 1 : A hacker is a hacker is a hacker

The term “hacker” has two connotations:

• someone that has been convicted of a computer-related criminal activity, or
• someone who thinks a certain way about technology.

If you consider it a term that refers to criminal intentions then you’re basically saying “ethical criminal.” How is it possible to argue that that makes sense when it’s obviously a contradiction?

On the other hand, if you are using it to describe a person who thinks about technology in a certain way, then why does it need the word “ethical” in front of it?

Argument 2: Good versus evil

This takes us back to our ethical locksmith argument.

Yes, hackers have had bad press for many years, but calling the practice “ethical” will not change that. The job of the hacker is to clandestinely look for ways to infiltrate systems. What is then done with that access is the differentiator.

It’s easy right now to pick on bankers who are having a hard time, especially as many are being tarred as fraudsters and thieves. However, we don’t see any of these professionals clamouring to repackage themselves as “ethical” to distance themselves from their unsavory peers.

Argument 3: Legitimate versus dishonest

Some hackers would argue that they’re not criminals, but activists. Others would say that they’re just rebellious in the way they think about technology and have a duty to highlight an organisation’s poor security. Does that make them unethical?

We need people who are willing to stand up and challenge authority – in so doing, does that then make them ethical? We don’t see why it should.

It just means that they can look at something – an application or a business process, for example — and can see why something won’t work and are willing to explain why – or better still how it can be improved.

A case in point is the Fukushima nuclear disaster. A report into the incident stated that the disaster was completely preventable. It wasn’t the earthquake, or resulting tsunami, that was to blame but human error, or human oversight, spawned from a culture of unquestioning obedience. All it would have taken was for one person to stand up and state that the various technical processes employed to implement safety regulations, rather than preventing an accident, could fail.

And that’s precisely a hacker’s mindset – not to take things for granted, to question authority and challenge the regimented way of doing something that pushes back on the status quo. Ethical or unethical doesn’t come into the equation.

Argument 4: Hiring a ‘non-criminal’

We would concede that for many convicted of hacking it could be argued that there are extenuating circumstances.

For example, a few years ago it was almost impossible to get access to code to learn on your own, resulting in many resourceful technical people being convicted of “hacking.” Today, this argument of “I had to hack so I could learn” would not be considered adequate defence as the availability of virtual infrastructure technologies — among other interesting tools — means there is so much more that can be set up in your own home to learn your craft.

Additionally, Germany’s “Hacking” law defines many security tools as illegal purely because of their design and ability. For that reason, you don’t even have to be doing anything with these tools that could harm someone to be found guilty of hacking.

This ambiguity has resulted in the argument that not all hackers are criminals and therefore the term ‘ethical’ started to be used. While we would agree that not all hackers are criminals, we would therefore also argue that the term ‘ethical’ is unnecessary.

Ultimately it comes down to the fact that most organizations would not hire a criminal – therefore why do we need “ethical” in front of hacker to prove this?

Argument 5: Criminal turned protector

Moving on from the last argument, it doesn’t seem logical to refer to someone as an “ethical hacker” because he or she has moved over from the dark side “into the light.” It just makes them a bad hacker. Kevin Mitnick isn’t famous because of his skills – he’s famous because he got caught.

And before we move on from talking about skills, we’d like to clarify that “ethical hacking certificates” aren’t worth the paper they’re printed on. The reason you want to employ a hacker is not because they know the “rules” to hacking, can run them and produce reports. What makes a hacker desirable as an employee is the very fact that they don’t play by the rules, with an “anything that works” mentality, as it’s this combination that will give them the skills to test your systems to the very limit.

A spade is a spade

When people use the term ‘ethical’ hacker, they mean someone who is good at breaking into things by using creative techniques and methods but without the criminal intention. However, my case is that the inclusion of the term “ethical” does not legitimize the practice. It is still hacking – end of argument.

I’m also not saying that you shouldn’t hire a hacker, just don’t make them out to be something that they’re not. If they’re a hacker – they’re a hacker. Describing them as ethical does not necessarily make them ethical, or unethical for that matter.

And for hackers, you have a talent and should not have to hide it under a rock because some people practice the art for malicious or fraudulent reasons.

If we’re too embarrassed to openly admit that we need and want a hacker to test our systems then let’s give them a new name not legitimize the practice. Answers on a postcard please.

-----
Dominique Karg is the co-founder and chief hacking officer of AlienVault. Karg wrote the first line of OSSIM code and later published it in 2003 on Sourceforge.net. Dominique has led the project since its beginning to today, first as security architect and coder, then as manager of the development team.

Conrad Constantine is a research engineer at AlienVault and has spent more than a decade researching security vulnerabilities in telecom, medical and media corporations, as well as dealing with the fallout of the 2011 RSA breach.



---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.