Fear and Loathing in Information Security
by Michael D. Bauer, author of Linux Server Security, 2nd Edition, 02/11/2005
If I were to tell you that I'm proud to be a hacker, would you wish I was dead? Last week I attended a speech by someone who just may, and while that speech was offensive on more levels than I can address in one editorial, I would like to talk about the demonization of hackers within the information security ("infosec") profession. In my opinion, the time has come for infosec professionals to stop fearing technology's boundary-pushers and for hackers to stop pretending there's any glory in the crimes most of them are too smart to want to commit in the first place.
The Speech
The speech that set me off took place at a local meeting of an information security professional organization, and the presenter represented a well-known vendor of intrusion-detection software. During his lengthy address this person called competing security researchers "ankle-biters," suggested most users in Brazil are "miscreants," and expressed a desire to use an Apache helicopter to "take all those morons out" (apparently meaning hackers in general). While he was at it he referred to Eastern Europe as a "country," ridiculed the weight problems of several young computer criminals, and generally displayed what struck me as truly remarkable levels of bigotry, anger, and ignorance.
I said I wasn't going to dwell on the specifics of this speech, outrageous though it was. But I'm sure that the gist of what he was saying, that is, that hackers are scum, resonated with some percentage of the audience, and that's the part I want to address here.
Over-the-top invective aside, it wasn't the first time I've been exposed to this attitude. Many people in my profession, even knowing that "hacker" doesn't mean "criminal" any more than "locksmith" means "burglar," nonetheless fear and mistrust hackers. In the interest of trying to do something about this rift, which I think serves no useful purpose, I'd like to discuss why infosec practitioners demonize hackers, and why that tendency is both irrational and counterproductive. As someone who identifies very closely with the hacker community, I'll also share some ideas on what hackers might do to help the situation.
Hacking Defined
I want to stress that the real problem here isn't one of vocabulary: it's one of culture. But just to be safe, let me clarify what I mean by "hackers": I mean people generally obsessed with solving problems with computers and with determining for themselves how things really work. These are people who see a computer or network not as a predictable, black-and-white system regulated by strict rules, but rather as a nearly infinite set of potentials limited only by its users' skills and imaginations.
Hackers tend to employ unorthodox means of solving problems and learning things. In fact, the very definition of a "hack" is "something that isn't supposed to work but does." It therefore follows that, whether they call themselves such or not, many of the world's greatest engineers and entrepreneurs throughout history have been hackers. Linus Torvalds is a hacker icon; Neal Stephenson has argued that Lord Kelvin was a hacker too. In summary, hackers are the world's boundary-pushers.
One quick note about where I fit in, since you'll notice I sometimes use the word "we" when describing the hacker community. I consider myself a member of both the hacker and professional infosec communities. I've presented at both Def Con (twice) and at the Computer Security Institute's Annual Conference, and while I am neither a programmer nor a penetration tester (which by some people's definition disqualifies me from ever being an elite hacker), I identify closely with the hacker values of creativity, curiosity, knowledge-sharing, and exploration. I have this "dual citizenship" in common with some of my most valued infosec colleagues. In no way do we condone any crime or consort with known criminals, but of course that's the whole point of this essay.
Boundary-Pushing: Sin or Virtue?
The reactionary element in information security understands this definition of "hacker as boundary-explorer," and is perfectly capable of distinguishing between people who live on the edge and people who cross the line. However, we seem to be sharply divided over whether (a) pushing boundaries is a good thing to be doing in the first place, and (b) it must inevitably lead to crime.
Consider the popular hacker pastime of security research (or, more precisely, vulnerability research). Security researchers attack, within the confines of their own lab systems, operating systems and software applications for the purpose of proactively identifying security vulnerabilities so they can be patched against or otherwise mitigated. There are, it seems, three prevailing points of view on security research.
Hackers, naturally, love security research: It's a constructive outlet for some of their darker impulses, one with tangible benefits to society. Such "full-disclosure" proponents believe we all benefit any time the "good guys" find a new vulnerability, give affected vendors fair notice to release a patch, and then notify the public so they can apply the patch or take other corrective action. This ethos is exemplified (most of the time) by the Bugtraq mailing list.
Vendors seem to have a somewhat more ambivalent attitude toward independent security research. On the one hand, it provides free third-party quality assurance testing. On the other hand, it can be really embarrassing, depending on how obvious or egregious a given vulnerability is and on how much advance notice the researcher truly gives.
Many people, however, including many information security professionals, think it's simply wrong to abuse any system or application for any purpose, even in a lab setting, unless it's conducted by whoever created that system or application. People with this attitude tend to be highly suspicious of the motivations of security researchers and tend to believe that "security research" is actually a euphemism for "mischief."
Granted, I'm intentionally dodging some subtle controversies of the full-disclosure movement, that is, precisely how much time a security researcher should give a vendor to respond and release a patch before the researcher publicizes a vulnerability, whether sample exploit code is ever justifiable, and so on. My point is simply that vulnerability research is an area that many people consider to be inherently conducive to abuse, regardless of its usefulness, and that many people are uncomfortable not so much with vulnerability testing's specific impact on Internet security, but rather with the general idea of people pushing limits in this fashion.
And here we come down to fundamentally opposite realities. There are people who think that vendors should be allowed exclusive control over security testing on their products, and should be trusted to both admit to and fix security problems whenever they find them. And there are people who think that (a) software nowadays is too complex and the threats too numerous for this to really work, and (b) it isn't necessarily in vendors' best interests to do so anyhow.
The infosec purist, in other words, wants to believe what vendors tell him, but the hacker wants to figure things out for herself. I believe this to be one of the main sources, if not the primary source, of discomfort with hackers.
The Corruptive Nature of Hacking
Perhaps less irrational than the fear of boundary-pushing is the belief that hacking leads to crime. If you become too fascinated by how network attacks work, the story goes, you'll eventually cave in to the temptation to conduct those attacks. And it is an incontrovertible fact that many people who commit computer crimes are hackers. But are they criminals because they're hackers, or do they have other problems? I'm convinced of the latter.
I have nothing more scientific to base this belief on than my own experience and observations (plus those of my friends), but as somebody who's spent a lot of time researching and experimenting with network hacking, not to mention securing large networks against intrusion, I think this counts for something.
I started out as a network engineer. Early on I learned how TCP/IP works, how Ethernet works, and how to use network diagnostic tools such as packet sniffers. Even in my first year doing this type of work, I knew how to eavesdrop on telnet sessions and to otherwise abuse the tools of my trade. But I didn't abuse them; I respected the rights of my users and understood the consequences of betraying my employer's trust.
After eight years of immersion in both information security and hacker circles, I humbly submit that this level of awareness and ethics is typical among hackers. Hackers who cross the line into illegal and unethical behavior are, in my opinion, outside the mainstream of hacker culture. I'm sure of this for two reasons.
First, anybody who understands how networks work knows that there's no such thing as privacy or anonymity on the Internet, and that those who mess with other people's systems will be caught eventually. Second, insofar as hacking involves increasing and sharing knowledge, it's an altruistic pursuit for most of its practitioners; abusing that knowledge generally runs contrary to the hacker ethos.
So who, exactly, commits computer crimes? Mostly the very young or very ignorant, I think. These are people who don't understand the ramifications of what they're doing or how easily they can be caught. There are some bona fide sociopaths; the hacker community is no more free of these than any other segment of the human population. And yes, there is such a thing as an evil hacker mastermind; the world surely contains highly-skilled professional computer criminals who seldom if ever get caught. Most people I trust, however, believe there are relatively few hacker sociopaths and even fewer evil hacker geniuses.
Conventional wisdom nowadays is that the vast majority of people who commit computer crimes are in fact script kiddies, that is, people scarcely skilled or creative enough to even be called hackers. If this is the case, that the least skilled hackers are most prone to commit crimes, then can it really be said that acquiring hacker skills leads to crime? I don't think so. It seems to me that people who are inclined to commit computer crimes sometimes acquire (limited) hacker skills, not the other way around.
The Notoriety Thing
Okay, so people's discomfort with hacking is their own problem, and most hackers are in fact upstanding citizens. Then why do so many hackers like to dress and act provocatively, and why is Kevin Mitnick treated like royalty when he attends Def Con?
Personally, I think hackers' tendency to act out comes at least partly from their being treated like outcasts. Hackers have been so misunderstood for so long that we shouldn't be surprised when they cop a "to hell with mainstream society" attitude. If you're going to be treated like a misfit, then you may as well have some fun playing the part.
In this context, it becomes tempting even for otherwise-straight hacker types to sympathize with actual techno-outlaws, especially when it seems like the punishment meted out to them is disproportionate to their actual crimes. For example, most hackers knew Mitnick deserved jail time, but few felt he deserved to be held for four years, without bail, including eight months in solitary confinement, before he was even brought to trial. Personally, as I sat through that hate-filled speech last week, I found myself starting to feel sorry for the young, misguided, and yes, even stupid computer criminals whose photos the speaker ridiculed and excoriated; much as I deplore their transgressions, they're still human beings for whom I can't help but feel some compassion and even kinship. (There, but for a happy childhood and some crucial mentoring early on, go I...)
Still, clearly it's wrong when hackers do or say things that implicitly or explicitly condone illegal behavior. A few years ago a hacker named "Se7en" got a lot of attention for claiming to be on a crusade to infiltrate the systems of child pornographers for the purpose of shutting them down (though by all accounts, Se7en's braggadocio was disproportionate to his actual skill). More recently, the brilliant but misguided Adrian Lamo penetrated a series of high-profile corporate networks for the purpose of demonstrating their insecurity, and although in each case he worked with his "victims" to fix the problems he found, the last of these (The New York Times) pressed charges.
People like Mitnick, Se7en, and Lamo are, in real terms, well outside the mainstream of hacker culture: Most hackers simply don't approve of messing with other people's property, productivity, or freedom of speech. But hackers do sometimes idealize people like Lamo because of their talent, skill, or panache, and because of the aforementioned persecution thing.
This idealization is unfortunate. It impairs hackers' credibility and ultimately reinforces people's misconceptions about hackers. So what I suggest to the hacker community is this: Let's work a little harder to downplay the notoriety angle, and be a little more vocal in condemning the behavior of those few of us who cross the line from pushing boundaries to breaking laws.
This doesn't mean we need to ostracize those who fall from grace; giving up on people who make bad choices surely isn't any more altruistic than computer crime is. I'm not suggesting that Kevin Mitnick be barred from attending Def Con. In all honesty, I'm not entirely sure how to achieve what I'm suggesting. My point is that there's still a lot of skepticism out there with regard to the reality of hacker daily life, which for most of us emphatically excludes illegal and unethical behavior, and the hacker community must accept some responsibility for people's hesitating to give us the benefit of the doubt.
Conclusions
My esteemed colleague the hacker-philosopher Richard Thieme says that hackers, due to the very fact that they operate at the edges of what is known (and especially of what is thought to be possible), are destined to be misunderstood. Society has always treated innovators and whistleblowers with ambivalence. Information security professionals, however, tasked as we are with protecting critical infrastructures that everyone depends on, can't afford the mental laziness of demonizing this important segment of the technical community. For one thing, it's amply represented within our profession: "They" can't all be enemies, because so many of "them" are in fact "us." And that's a good thing. Hackers are arguably our biggest allies in neutralizing and catching real live computer criminals.
If more information security professionals would free themselves of the notion that the hacker mindset is morally wrong or that it inevitably leads to crime, they could borrow, or even learn for themselves, hackerly creativity and innovation and put them to use in their efforts to protect and secure. Everyone would benefit from that; nobody benefits from narrow-mindedness.
Michael D. Bauer is Network Security Architect for a large financial services provider. He is also Security Editor for Linux Journal Magazine.
-
The need for an enemy
2005-02-18 10:58:07 oisinfeeley
Excellent article. Don't forget that the "security professionals" benefit highly from the presence of a hyper demonized enemy. It's in their interests to exaggerate the threat from crackers:
1. It creates a market for their services
2. It lets them off the hook for their shoddy practices if they're facing über-kriminals
-
Hackers, How Great Thou Art
2005-02-16 08:29:32 Royce_Crocker
Look, don't get me wrong. How could anyone not respect the ingenuity and intelligence of the real "hackers" of whom you speak? However, I think you glorify, at least, their motives.
First, as you point out, most of the criminals are really not up to 'hacker' standards. They're not smart enough; they are 'script kiddies'!
Second, hackers, who explore the edges of technology, trying to break it to make it better, trying to clarify the faults--do something that most of the criminals cannot do.
Then, why the rush to publicize the faults to the world? If the criminals are incapable of finding the faults, at least as well as 'hackers' find the faults, it would seem to me that there is plenty of time to let the software developer or the company whose network is vulnerable make the needed correction(s) on their own schedule, not the do-gooder hacker's schedule. Why the necessity for speed? To make the world safer, to help rid the world of bad software or poor administration--all of which do exist, and getting rid of them is probably an excellent goal?
No, I think the fact is that the only people who would discover the faults (assuming your argument about the criminals' capabilities is true) are other hackers. Now, if I as a hacker go to the company and say 'hey, I found a flaw in your software or operations and here's how to fix it...,' and then leave it at that, what if some other hacker finds the same flaw and doesn't go to the company, but broadcasts 'look what I found'? Who gets the credit for the 'hack'? And I think that is what this is all about--credit for the discovery, credit for the hack, credit for the exposure.
Whistleblowers, more often than not, have tried many routes within an organization to get some information out. Having been frustrated time and again, they choose the not-so-pleasant road of whistleblower. Very few gain benefits for their efforts. They are often ostracized because they often end up bringing harm to an organization, of which they are a part, and to people with whom they work.
Hackers, on the other hand, often gain, at least in terms of reputation among those who honor what they do. If a hacker attacked other hackers--again, specifically referring to those special creative people your article refers to, for doing unethical things or setting up an unethical system, that hacker would be like a whistleblower.
Making software better, making society better, improving computing for its own sake. Maybe a few, but, surely, a good number are in it for the rep, don't you think?
-
Egos gone wild
2005-02-15 10:27:45 crash15139
I find it unimpressive when I meet some self-proclaimed "hackers" that download someone else's tools & run them from a GUI. These pests seem to think that all admins hold the keys to all the doors, network security, etc. in all situations & are quick to say you "deserve" to be hacked without the necessary precautions. Yes, if you are at the helm of all the doors, you should have all the keys, but for many business purposes, network, security, and sysadmin are entirely independent & rely on communication & language each may/may not understand. So when a server gets hacked with a rootkit downloaded from some scriptie at 2am in Brazil, I wish for once I could have him/her in front of me explaining why they did it, then let me retort....
-
Hacking is excellence before the single authorship state dies.
2005-02-14 23:26:41 steve_nordquist
Success has a thousand fathers, they say; failure but one. Taking this literally to heart, you'll quickly disparage your human friends and have few new ideas for company! There's a middle stage where the Lord Kelvins sought out and assigned attribution for notions under their brainchildren, made throwaway experiments to form decent scientific queries, and otherwise did groundwork past any homework that had ever been before.
Kelvin had a lot of help; everyone who wanted to know how something was scientific or not, without knowing a good science corpus or examining methods--or contrariwise what science was before observations were examined and put to paper as (maybe) science--was impetus to stay quiet until quite prepared. As a result, most of his l33tspeak passes, even now, for refinement.
IT has shorter product lifecycles.
Marketing velocity just can't go fast enough, and products, slaved to human memes, have to go along or wash up in the whorls of mere linear business growth.
So hackers can't always take such refuge, exhibiting market discipline before empirical learning: Minor checks that a glass flask does not itself burn, and that embedded routers recover better with some ICMP traffic, must suffice.
However, it is criminal, to free capital, to create law that permits trading energy on its own full measure but unilaterally prosecutes informatic scrutiny. That was the soul of the Enron debacle; accounting deference to an inscrutable aside to innovation. It took leaked memos to suggest a just reason for scrutiny. Indeed we might still have a few popups now every second if a judge or 30 had soft-handed the notion of proprietary client-side javascript. A good hacker flossing balanced with reliable business capability is just what every business wants going on, unless they want to be a one-hack shop.
Hacking is about making good use of all resources.
Criminalizing it makes for short or slow trades and a catastrophe when your call comes.
-
Hacking
2005-02-11 17:00:25 coolspot
Ok... you might think that hacking is all "boundary pushing" and "an infinite level of possibilities within networks" but c'mon man... that's not what hacking ACTUALLY means to people. Hacking is sending people viruses, creating worms, defacing websites, stealing personal info. There are no two ways about it... hacking is bad. You can shout your white hat hacker rubbish till you're blue in the face.. but face it, hacking is bad. Bad. Fine, the occasional "nice" hacker (if there truly is such a thing) may discover a security flaw in a program or service and tell the company involved... but the only reason it's an issue is because of hackers in the first place. If there were no hackers there would be no problem. (that day will never come)
I'm really quite bemused that you think you can just say hacking is ok because it's deep and meaningful, and networks are infinite and all that. Hacking is bad because people lose money, programs get screwed up, computers get damaged, information is lost and people are screwed over. Those are the plain hard facts of it.
Fine, hackers may not be weirdo geeky kids messing with other people's trojans, causing trouble, or uber geeks stealing money off people, or total gits who just want to mess up people's computers or websites, but let's be honest... most of them are. So fine, if you're going to be a hacker, be a hacker... but expect no sympathy from those who have their computers or websites hacked.
*apologies for spelling mistakes. I'm not a retard because I can't type, it's just late.
-
Hacking - The Press/Media is the problem
2005-02-13 08:58:25 j.f.m.
Just to repeat it once again: the term "hacker" is far older than the first articles in mainstream papers, magazines or TV. Some ignorant (or lazy) journalists used the term in a too narrow or even wrong context when the first "prime time break-ins" happened in the early '80s. The correct term for people breaking into computer systems or circumventing protection mechanisms has always been "crackers" - it's as simple as that.
It's just as moronic as when Nixon said "nucular" instead of "nuclear". Many people copied it because he was Prez at the time! You would not change your name because all people or the media get it wrong, or would you?
-
Hacking
2005-02-11 18:24:53 Mick.Bauer
You've missed two key points in my essay.
First, "hacker" doesn't mean "someone who tries to break stuff;" it's a very broad term that goes way beyond penetration-testing. I don't care to re-type the definition I devoted an entire paragraph to in the essay (see above), but suffice it to say that neither Linus Torvalds nor Lord Kelvin ever spent any appreciable time trying to break into systems, overflow buffers, etc.
To hack is to solve problems and expand one's knowledge; this may involve skills and pastimes that can be (ab)used to "hack into" computers, but more often it simply means figuring out elegant solutions to mundane computing problems not covered in the manual.
Second, I said that in my professional opinion, the vast majority of people who call themselves hackers (in the broad sense!) are not criminally inclined. Your experience may be different than mine, but I've been in this business for the better part of a decade, and my opinion is based on near-daily interactions with hackers who are both skilled and ethical. Again, many of them have no aptitude for or even interest in penetration testing, virus-writing, etc.; most of my hacker friends are in fact much more skilled at defending than attacking (myself included).
But hey, if you still prefer to fear all umpteen-thousand of us regardless of our actual behavior, I guess I can't stop you.
-
Hacking
2005-02-12 03:33:22 coolspot
Ok... if there really is a different side to "hacking", a side which isn't harmful, which doesn't involve illegal stuff, which is productive and nice or whatever... then can't you call it something else? Because it simply doesn't matter how many times, or to whom you say it, saying hacking is nice won't work because hacking to almost everyone with a computer means bad. There is no way that anyone can change that now. I apologise for any bad sentiments toward you or other "hackers" who aren't bad; from what you say you're not, and good for you, but hacker to most people means bad things for computers.
And about fearing hackers... you HAVE to. Or at least the effects of hackers. A firewall is an absolute must, don't even think about running a computer without antivirus, and I have multiple anti-spyware programs on my computer (I know it's not QUITE the same thing, but it involves people knowing stuff about my computer I don't want them to know). Security is extremely important now, and this is simply because of hackers. Or people writing worms, viruses and other evil crap. And I'm sorry, but hacker is synonymous (spell?) with virus. A problem which needs to be guarded against.
So I do apologise to any "nice hackers" but, can't you change your name or something? I don't know... cracker... D.B.P (digital boundary pusher) SOMETHING, but hacker will only get you odd looks and bad press.
-
Hacking
2005-02-14 08:53:30 simmoril
I don't think that people who have called themselves a 'hacker' for quite some time should be made to change their title because a few uninformed people have created a panic around the term. If the public has a bad view of the term hacker, then having hackers call themselves D.B.P.'s isn't going to help any more than calling worms "self-propagating programs" would. The goal here should be to inform the public and change their uninformed view of hackers so that speeches like the one noted in the article aren't made again.
I agree that one must be aware of the exploits and vulnerabilities that hackers point out and make public. However, security is not simply a consequence of hackers. Security is a consequence of human nature. Banks don't just put your money in vaults because of safecrackers, they put your money in vaults because your average person will walk away with your money if they find it lying in the middle of the street.
'Hacker' is not synonymous with virus. One is a person. The other is a program. Yes, one is a problem to be guarded against. But a hacker is not a problem any more than a treasury agent familiar with counterfeiting is a 'problem' to the U.S. economy. Any belief to the otherwise is a gross oversimplification of the facts.
The issue here isn't the word. The issue here is getting 'most people' to change their personal meaning of the word. Odd looks and bad press are based on opinion, not fact. Opinions that don't HAVE to be set in stone.
-
Hacking
2005-02-15 03:24:08 tommu
It's a shame that people feel they need to change established terminology to make it easier for the lazy masses. In fact it's quite an ironic idea.. normally phrases for 'bad' things are changed by the spin doctors.. think of friendly fire, down sizing or (here in the UK) safety cameras instead of speed cameras.
On the subject of security.. if you lock your doors at night and keep your wallet well hidden then surely using a firewall et al should come as second nature and not a surprise?
-
Hacking
2005-02-16 04:26:40 crash15139
So that is to say, if I leave the door to my house unlocked by accident, then I deserve to be killed in my sleep? If you walk by a store at 2am & see the front door is cracked open, it's not against the law to walk in and take what you want? ALL hacking is unethical & hiding in the underground of IRC only proves ALL hackers are cowards & criminals.
-
Hacking
2005-02-17 10:33:22 Mick.Bauer
No, no, no. The point of my essay is that most hackers are too ethical to hack into even the most poorly-secured system or network, unless they've been paid to do a penetration test or vulnerability assessment, by the system's/network's rightful owners. Most real hackers are too smart and too ethical to behave otherwise, in my experience.
To say "unsecured sites deserve to be hacked" is naive, immature, and unethical -- the police don't care, particularly, whether the person you mugged was 200 lbs and heavily armed, or 130 lbs and helpless. But the poster you're responding to isn't really saying otherwise -- I think the point instead is that, like it or not, we need to pay attention to security, regardless of who we think the attackers are likely to be.
Also, we've still got some vocabulary confusion here. As I said in the essay, hacking is bigger than penetration-testing and virus proof-of-concept code; it's a mindset, a culture, and an approach to problem-solving, of which computer security is only a subset. (I know, most people don't know or care about this distinction, but the title of the essay is "Fear and Loathing in Information Security," NOT "Fear and Loathing in the Mainstream Media & Popular Consciousness.")
-
Hacking
2005-05-11 12:56:41 crash15139
I "get" the point of your essay. And I come from a reference of having poked into a few systems in my day, starting with the old Tandys & AS400s. Even an old hacker like Steve Wozniak is a hero of mine & I get the mindset. Now, the culture part of it is your own opinion. My experience is that the crews I knew or ran with were not about solving problems, but about getting around the "rules" everyone else had to succumb to. You are making these people out to be more important than they are. If you really wanted to help, you would gather all these ethical hackers & petition Microsoft to stop binding every important process/service to TCP/IP; let's start there, & start knocking down why their OS is so vulnerable. Why haven't any of your ethical hackers banded together to do this?? I'll tell you why: they need Microsoft to be a step behind, oh yeah, for their own curiosity.....
So once again it seems the real issue comes down to a word or name and who defines it. And who we want to fear..