Ethical(?) Hacking

Infosec is an interesting industry. It’s a common assumption that to be a good security practitioner you have to be conversant with the methods an adversary might use against you. Or to overly simplify, the “good guys” have to learn some of the same skills as the “bad guys”. This is only true to a degree. Certainly a security analyst should be able to look at a code fragment like perl -e ‘{print “A”x”255”}’ and recognize that it’s probably a buffer overflow. However, in many cases, analyzing malware and creating signatures is outsourced to A/V or IDS companies; analysts only have to recognize an attempted intrusion, determine if it was successful and maybe do forensics.

This need for the white hats / defenders to learn offensive skills must bother some people because ethical standards seem to have a more prominent place in the industry than in many others. There’s the Certified *Ethical* Hacker credential, a strong ethical component to the CISSP, etc. Obviously some other professions have these: doctors, lawyers, CPAs, etc. There are, however, many more that do not, even if their particular circumstances or skill set could be used for unethical behavior. Your phone guy could be tapping dozens of phones a day for example. Your mechanic could be (and probably is) sabotaging your car so you have to get it fixed more often. Don’t even get me started on politicians, the entertainment industry, or so called “business leaders”.

Why this focus in infosec? My hypothesis is because non-techies are scared of what “hackers” (of any color hat) can do. The security pros, therefore, voluntarily adopted these codes of conduct primarily for PR reasons, as they have little punitive force against anyone who is willing to violate them in the first place. It’s like the wizards in certain fantasy books who have taken strong oaths so the general public won’t resent / fear / lynch them. The fact that “wizard” has often been used to describe someone who is very computer savvy is, I’m sure, a coincidence.

Why do I say this? It’s pretty obvious, huh? There are “black hats”, who try to break in to systems, and “white hats” who are the defenders. It’s like the Alamo (with approximately the same odds, but hopefully a better outcome for the defenders.) The only gray area are those misleadingly named “penetration testers”, who are sort of like undercover cops without the corresponding oversight. (This is not a judgment, just an observation.)

What I’m interested in is people’s opinions on other “gray” areas. I’m not saying whether I have or have not done any of these things, nor am I defending any of my own actions (which are, of course, always above reproach.) I’m just curious what people think about them. Think of it as a game of infosec “Scruples”. Remember the question is, Is it (or can it be) ethical? Not, Is it legal? which isn’t the same question in most moral systems.

– Can an intelligence agency break in to other countries’ computers for general intel gathering?
– Can they break in to computers if they believe the information is vital to national defense?
– Is offensive cyberwar as part of a physical conflict acceptable (i.e., hack comms systems.)?
– How about corporate espionage?
– Should local laws and mores be taken in to account?
– Can undercover cops hack machines of suspected criminals? Can they hack to prove themselves to criminals (similar to doing drugs in front of a drug dealer to prove you’re not a cop.)?
– Are “hacktivists” who break in to computers of suspected criminals like child porn dealers acting ethically?
– What if they break in to third party computers to catch the criminals?
– What if it’s not criminals at all but people or organizations that they believe are “wrong”)? Like if PETA was to hack in to a Japanese whaling company’s servers.
– What if it’s a person who is harassing / stalking / threatening / inciting hate against someone else?
– What if the someone else is a friend or family member you want to help?
– Is it ethical to help a friend access their spouse’s email if they suspect adultery?
– What are other gray area you can think of?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: