How to be an Ethical Hacker

by @jehiah on 2004-08-11 14:58UTC

What is hacking, and when is it ok?

Without a clear definition of hacking, you can’t clearly identify how to do so ethically or even legally for that matter. A “hacker” is more akin to an inventor who creates new solutions or builds upon the works of someone else in a new way. Kevin Mitnick, one of the most famous hackers of all time, defines a hacker in his autobiography as “… a person who [spends] a great deal of time tinkering with hardware and [or] software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly.”

Hacking also has a sense of a creative process, similar to the way a musician writes music or an author writes a novel. In the same way that only some musicians can write music - as opposed to playing it - only some programmers can do much beyond implementing well-defined specifications. Paul Graham, a well-known essayist and hacker, would add that hackers also have similarities to painters where creativity is involved. Innovation and new solutions are the hallmark of hackers. It is hackers that come up with innovative solutions to real-world problems, like Bayesian spam filtering and reverse-engineering Microsoft’s proprietary Office formats for compatibility in OpenOffice.

Curiosity may kill a cat, but for a hacker it tends to provide inspiration. Hackers by nature have an intense curiosity, but it is focused on how things work. Many computer-literate people can use a piece of software or browse the web, but hackers do not seem to rest until they know how a task was performed and how it works under the covers. This curiosity often makes hackers particularly qualified for jobs that involve troubleshooting or intense problem-solving. Many people know to ask the question “how?” when presented with a task or hurdle, but it is hackers who know where to get the answer.

Don’t Do It

An interesting tidbit in Kevin’s definition is “bypassing unnecessary steps” – this is often where hackers run into trouble. Unfortunately, the Digital Millennium Copyright Act (DMCA), which was passed in 1998 by the United States Congress, made it illegal to circumvent anti-piracy measures built into software. This causes problems for hackers who would like to remove unnecessary steps in programs even when there would seem to be a clear legitimate use.

An example of this conflict between what is ethically OK due to legitimate use and what is illegal due to the DMCA is the story of DeCSS. CSS (content scrambling system) is a method of scrambling video content on DVDs to prevent unauthorized copying (and thus piracy). However, there is a legitimate use for copying DVDs both for a personal backup and to transfer the content to a different form of media. Although backing up the DVD is legal, and covered under fair use, it is illegal according to the DMCA for a hacker to create (and distribute) software which would bypass the anti-piracy aspect of CSS. A hacker did create such software, named DeCSS, and it was found to be illegal by the courts, though it was ethical in that it had a legitimate use.

As Kevin articulated, the old-school definition of ‘hacker’ does not have the modern-day implication of unethical law-breaker. Hacking is not breaking-and-entering, or unauthorized access to a computer system. This scenario, which is geared towards stealing information (though that is not required) or using a computer without authorization, really does not even fit into the definition of a hacker’s activities. Breaking-and-entering has no relation to creating a more efficient process or solution to an existing or new problem. Furthermore, using unauthorized computers is a violation of the laws as written. Despite the stereotype, hackers in general do not sit in a dimly lit room trying for hours on end to break into a system around the world just to steal information. While there may be hackers that do partake in that illegal activity of breaking-and-entering, it is not part of the definition of a hacker. That breaking-and-entering activity would be part of the definition of a “cracker.”

Finding vulnerabilities which could allow someone to break-and-enter or maliciously use a system is a good use for a hacker’s skills. To keep this investigation aspect ethical, one simply has to explore, attack, and verify the integrity of only those systems on which one is authorized to do so. The DMCA also allows for legitimate use of a hacker’s skills to verify, by method of attack, that copyright protection systems perform properly.

If then a hacker is legitimately verifying the legitimacy of a copyright protection algorithm or system and discovers a vulnerability, is it ethical for said hacker to make it known? In such an instance a hacker would actually have an obligation to make it known so that people are not putting false trust in a broken system. This does not ethically give freedom to exploit or use such vulnerabilities, only freedom to know about them.

Social Engineering - the process of tricking people into willingly divulging secret information - is what got Kevin Mitnick in trouble, and he served several years in jail for it. Although in most cases a person involved in social engineering has misrepresented him or herself, the part of receiving information which has been given out freely should keep it a legal activity. There may be problems with the way in which a person misrepresents themselves. The burden (and guilt) for giving away information should be placed with the giver and not the receiver. This is important to remember when there are things like national or trade secrets involved. The burden of secrecy is on the person with the knowledge to give. If it is willingly given out, it should not be illegal to receive that information.

For Free

In the same way that many musicians play music for their enjoyment, and work in a musical field to put bread on their tables, many hackers gain enjoyment and gratification from hacking in their own time, while working in a computer-related field (normally programming or sys admin) to put bread on the table. Paul Graham puts it this way in his essay on hackers and painters: “Nearly all makers have day jobs early in their careers. Painters [, musicians] and writers notoriously do. If you’re lucky you can get a day job that’s closely related to your real work.” Due to the use of their skills on personal time, many hackers are willing - perhaps even excited - to help other hackers develop software, or innovative solutions. This is really how open source software was born, and it now encompasses millions of lines of code, and in many ways is the driving factor of innovation in the computer industry.

It would be harder for a regular hacker to build upon the work Microsoft has put into Microsoft Word, unless they have the source code. For this reason hackers like open source, in that the source is opened freely to them with the specific intention of allowing another to extend one’s own work. More than that, often the license will specify that any modifications (or innovations built upon the source) must be released (as source code) so that others may in turn build upon it further. This upward cycle where products are time and again extended and perfected is one of the beauties of open source. This process of hackers giving back to other hackers has led to mature products like OpenOffice which are on par with Microsoft Word, and distributed for free.

That innovation comes from those giving their time freely (only for enjoyment, or just to cover their costs) should be expected rather than catch us by surprise. It is after all the hacker community that has the skill to be innovative, and they oftentimes do that in non-work related time. The exception where hackers are paid for doing what they love is dot.com startups and R&D labs. In both these cases, the chief purpose of the position is to come up with new and innovative ideas, which coincides exactly with the chief purpose of a hacker.

Beat that!

Quicker and simpler is the name of the game for hackers. An example of a hacker who took a commercial product which has undergone much development and evolution, and implemented the same thing in a day’s work, is Trevor Blackwell. In a single day he built the hardware, and wrote a program in Python to perform the same task as a Segway. The amazing thing is that it works, and works well. Though not all things can be simplified to a day’s work, it illustrates the ability of a hacker to see the whole problem and implement it in a concise, efficient and simple manner. Many tools and programs have been developed by hackers which rival the products of huge corporations, and all done for free.

Simply avoiding the stereotype of a ‘hacker’ may be all that is needed to keep a hacker out of jail.

References

i Mitnick, Kevin http://www.theregister.co.uk/2003/01/13/chapter_one_kevin_mitnicks_story/print.html

ii Hackers and Painters, Paul Graham http://www.paulgraham.com/hp.html

iii Digital Millennium Copyright Act http://www.gseis.ucla.edu/iclp/dmca1.htm

iv Hackers and Painters, Paul Graham http://www.paulgraham.com/hp.html

v Building a Balancing Scooter, Trevor Blackwell http://tlb.org/scooter.html

Jehiah Czebotar