Fear and Loathing in Information Security
by Michael D. Bauer, author of Linux Server Security, 2nd Edition, 02/11/2005
If I were to tell you that I'm proud to be a hacker, would you wish I was dead? Last week I attended a speech by someone who just may, and while that speech was offensive on more levels than I can address in one editorial, I would like to talk about the demonization of hackers within the information security ("infosec") profession. In my opinion, the time has come for infosec professionals to stop fearing technology's boundary-pushers and for hackers to stop pretending there's any glory in the crimes most of them are too smart to want to commit in the first place.
The Speech
The speech that set me off took place at a local meeting of an information security professional organization, and the presenter represented a well-known vendor of intrusion-detection software. During his lengthy address this person called competing security researchers "ankle-biters," suggested most users in Brazil are "miscreants," and expressed a desire to use an Apache helicopter to "take all those morons out" (apparently meaning hackers in general). While he was at it he referred to Eastern Europe as a "country," ridiculed the weight problems of several young computer criminals, and generally displayed what struck me as truly remarkable levels of bigotry, anger, and ignorance.
I said I wasn't going to dwell on the specifics of this speech, outrageous though it was. But I'm sure that the gist of what he was saying, that is, that hackers are scum, resonated with some percentage of the audience, and that's the part I want to address here.
Over-the-top invective aside, it wasn't the first time I've been exposed to this attitude. Many people in my profession, even knowing that "hacker" doesn't mean "criminal" any more than "locksmith" means "burglar," nonetheless fear and mistrust hackers. In the interest of trying to do something about this rift, which I think serves no useful purpose, I'd like to discuss why infosec practitioners demonize hackers, and why that tendency is both irrational and counterproductive. As someone who identifies very closely with the hacker community, I'll also share some ideas on what hackers might do to help the situation.
Hacking Defined
I want to stress that the real problem here isn't one of vocabulary: it's one of culture. But just to be safe, let me clarify what I mean by "hackers": I mean people generally obsessed with solving problems with computers and with determining for themselves how things really work. These are people who see a computer or network not as a predictable, black-and-white system regulated by strict rules, but rather as a nearly infinite set of potentials limited only by its users' skills and imaginations.
Hackers tend to employ unorthodox means of solving problems and learning things. In fact, the very definition of a "hack" is "something that isn't supposed to work but does." It therefore follows that, whether they call themselves such or not, many of the world's greatest engineers and entrepreneurs throughout history have been hackers. Linus Torvalds is a hacker icon; Neal Stephenson has argued that Lord Kelvin was a hacker too. In summary, hackers are the world's boundary-pushers.
One quick note about where I fit in, since you'll notice I sometimes use the word "we" when describing the hacker community. I consider myself a member of both the hacker and professional infosec communities. I've presented at both Def Con (twice) and at the Computer Security Institute's Annual Conference, and while I am neither a programmer nor a penetration tester (which by some people's definition disqualifies me from ever being an elite hacker), I identify closely with the hacker values of creativity, curiosity, knowledge-sharing, and exploration. I have this "dual citizenship" in common with some of my most valued infosec colleagues. In no way do we condone any crime or consort with known criminals, but of course that's the whole point of this essay.
Boundary-Pushing: Sin or Virtue?
The reactionary element in information security understands this definition of "hacker as boundary-explorer," and is perfectly capable of distinguishing between people who live on the edge and people who cross the line. However, we seem to be sharply divided over whether (a) pushing boundaries is a good thing to be doing in the first place, and (b) it must inevitably lead to crime.
Consider the popular hacker pastime of security research (or, more precisely, vulnerability research). Security researchers attack, within the confines of their own lab systems, operating systems and software applications for the purpose of proactively identifying security vulnerabilities so they can be patched against or otherwise mitigated. There are, it seems, three prevailing points of view on security research.
Hackers, naturally, love security research: It's a constructive outlet for some of their darker impulses, one with tangible benefits to society. Such "full-disclosure" proponents believe we all benefit any time the "good guys" find a new vulnerability, give affected vendors fair notice to release a patch, and then notify the public so they can apply the patch or take other corrective action. This ethos is exemplified (most of the time) by the Bugtraq mailing list.
Vendors seem to have a somewhat more ambivalent attitude toward independent security research. On the one hand, it provides free third-party quality assurance testing. On the other hand, it can be really embarrassing, depending on how obvious or egregious a given vulnerability is and on how much advance notice the researcher truly gives.
Many people, however, including many information security professionals, think it's simply wrong to abuse any system or application for any purpose, even in a lab setting, unless it's conducted by whoever created that system or application. People with this attitude tend to be highly suspicious of the motivations of security researchers and tend to believe that "security research" is actually a euphemism for "mischief."
Granted, I'm intentionally dodging some subtle controversies of the full-disclosure movement, that is, precisely how much time a security researcher should give a vendor to respond and release a patch before the researcher publicizes a vulnerability, whether sample exploit code is ever justifiable, and so on. My point is simply that vulnerability research is an area that many people consider to be inherently conducive to abuse, regardless of its usefulness, and that many people are uncomfortable not so much with vulnerability testing's specific impact on Internet security, but rather with the general idea of people pushing limits in this fashion.
And here we come down to fundamentally opposite realities. There are people who think that vendors should be allowed exclusive control over security testing on their products, and should be trusted to both admit to and fix security problems whenever they find them. And there are people who think that (a) software nowadays is too complex and the threats too numerous for this to really work, and (b) it isn't necessarily in vendors' best interests to do so anyhow.
The infosec purist, in other words, wants to believe what vendors tell him, but the hacker wants to figure things out for herself. I believe this to be one of the main sources, if not the primary source, of discomfort with hackers.
The Corruptive Nature of Hacking
Perhaps less irrational than the fear of boundary-pushing is the belief that hacking leads to crime. If you become too fascinated by how network attacks work, the story goes, you'll eventually cave in to the temptation to conduct those attacks. And it is an incontrovertible fact that many people who commit computer crimes are hackers. But are they criminals because they're hackers, or do they have other problems? I'm convinced of the latter.
I have nothing more scientific to base this belief on than my own experience and observations (plus those of my friends), but as somebody who's spent a lot of time researching and experimenting with network hacking, not to mention securing large networks against intrusion, I think this counts for something.
I started out as a network engineer. Early on I learned how TCP/IP works, how Ethernet works, and how to use network diagnostic tools such as packet sniffers. Even in my first year doing this type of work, I knew how to eavesdrop on telnet sessions and to otherwise abuse the tools of my trade. But I didn't abuse them; I respected the rights of my users and understood the consequences of betraying my employer's trust.
After eight years of immersion in both information security and hacker circles, I humbly submit that this level of awareness and ethics is typical among hackers. Hackers who cross the line into illegal and unethical behavior are, in my opinion, outside the mainstream of hacker culture. I'm sure of this for two reasons.
First, anybody who understands how networks work knows that there's no such thing as privacy or anonymity on the Internet, and that those who mess with other people's systems will be caught eventually. Second, insofar as hacking involves increasing and sharing knowledge, it's an altruistic pursuit for most of its practitioners; abusing that knowledge generally runs contrary to the hacker ethos.
So who, exactly, commits computer crimes? Mostly the very young or very ignorant, I think. These are people who don't understand the ramifications of what they're doing or how easily they can be caught. There are some bona fide sociopaths; the hacker community is no more free of these than any other segment of the human population. And yes, there is such a thing as an evil hacker mastermind; the world surely contains highly-skilled professional computer criminals who seldom if ever get caught. Most people I trust, however, believe there are relatively few hacker sociopaths and even fewer evil hacker geniuses.
Conventional wisdom nowadays is that the vast majority of people who commit computer crimes are in fact script kiddies, that is, people scarcely skilled or creative enough to even be called hackers. If this is the case, that the least skilled hackers are most prone to commit crimes, then can it really be said that acquiring hacker skills leads to crime? I don't think so. It seems to me that people who are inclined to commit computer crimes sometimes acquire (limited) hacker skills, not the other way around.
The Notoriety Thing
Okay, so people's discomfort with hacking is their own problem, and most hackers are in fact upstanding citizens. Then why do so many hackers like to dress and act provocatively, and why is Kevin Mitnick treated like royalty when he attends Def Con?
Personally, I think hackers' tendency to act out comes at least partly from their being treated like outcasts. Hackers have been so misunderstood for so long that we shouldn't be surprised when they cop a "to hell with mainstream society" attitude. If you're going to be treated like a misfit, then you may as well have some fun playing the part.
In this context, it becomes tempting even for otherwise-straight hacker types to sympathize with actual techno-outlaws, especially when it seems like the punishment meted out to them is disproportionate to their actual crimes. For example, most hackers knew Mitnick deserved jail time, but few felt he deserved to be held for four years, without bail, including eight months in solitary confinement, before he was even brought to trial. Personally, as I sat through that hate-filled speech last week, I found myself starting to feel sorry for the young, misguided, and yes, even stupid computer criminals whose photos the speaker ridiculed and excoriated; much as I deplore their transgressions, they're still human beings for whom I can't help but feel some compassion and even kinship. (There, but for a happy childhood and some crucial mentoring early on, go I...)
Still, clearly it's wrong when hackers do or say things that implicitly or explicitly condone illegal behavior. A few years ago a hacker named "Se7en" got a lot of attention for claiming to be on a crusade to infiltrate the systems of child pornographers for the purpose of shutting them down (though by all accounts, Se7en's braggadocio was disproportionate to his actual skill). More recently, the brilliant but misguided Adrian Lamo penetrated a series of high-profile corporate networks for the purpose of demonstrating their insecurity, and although in each case he worked with his "victims" to fix the problems he found, the last of these (The New York Times) pressed charges.
People like Mitnick, Se7en, and Lamo are, in real terms, well outside the mainstream of hacker culture: Most hackers simply don't approve of messing with other people's property, productivity, or freedom of speech. But hackers do sometimes idealize people like Lamo because of their talent, skill, or panache, and because of the aforementioned persecution thing.
This idealization is unfortunate. It impairs hackers' credibility and ultimately reinforces people's misconceptions about hackers. So what I suggest to the hacker community is this: Let's work a little harder to downplay the notoriety angle, and be a little more vocal in condemning the behavior of those few of us who cross the line from pushing boundaries to breaking laws.
This doesn't mean we need to ostracize those who fall from grace; giving up on people who make bad choices surely isn't any more altruistic than computer crime is. I'm not suggesting that Kevin Mitnick be barred from attending Def Con. In all honesty, I'm not entirely sure how to achieve what I'm suggesting. My point is that there's still a lot of skepticism out there with regard to the reality of hacker daily life, which for most of us emphatically excludes illegal and unethical behavior, and the hacker community must accept some responsibility for people's hesitating to give us the benefit of the doubt.
Conclusions
My esteemed colleague the hacker-philosopher Richard Thieme says that hackers, due to the very fact that they operate at the edges of what is known (and especially of what is thought to be possible), are destined to be misunderstood. Society has always treated innovators and whistleblowers with ambivalence. Information security professionals, however, tasked as we are with protecting critical infrastructures that everyone depends on, can't afford the mental laziness of demonizing this important segment of the technical community. For one thing, it's amply represented within our profession: "they" can't all be enemies, because so many of "them" are in fact "us." And that's a good thing. Hackers are arguably our biggest allies in neutralizing and catching real live computer criminals.
If more information security professionals would free themselves of the notion that the hacker mindset is morally wrong or that it inevitably leads to crime, they could borrow, or even learn for themselves, the hackerly creativity and innovation that would strengthen their efforts to protect and secure. Everyone would benefit from that; nobody benefits from narrow-mindedness.
Michael D. Bauer is Network Security Architect for a large financial services provider. He is also Security Editor for Linux Journal Magazine.
-
The need for an enemy
2005-02-18 10:58:07 oisinfeeley
Excellent article. Don't forget that the "security professionals" benefit highly from the presence of a hyper demonized enemy. It's in their interests to exaggerate the threat from crackers:
1. It creates a market for their services
2. It lets them off the hook for their shoddy practices if they're facing über-kriminals
-
Hackers_How Great Thou Art
2005-02-16 08:29:32 Royce_Crocker
Look, don't get me wrong. How could anyone not respect the ingenuity and intelligence of the real "hackers" of whom you speak. However, I think you glorify, at least, their motives.
First, as you point out most of the criminals are really not up to 'hacker' standards. They're not smart enough, they are 'script kiddies'!
Second, hackers, who explore the edges of technology, trying to break it to make it better, trying to clarify the faults--do something that most of the criminals cannot do.
Then, why the rush to publicize the faults to the world? If the criminals are incapable of finding the faults, at least as well as 'hackers' find the faults, it would seem to me that there is plenty of time to let the software developer or the company whose network is vulnerable make the needed correction(s) on their own schedule, not the do-gooder hacker's schedule. Why the necessity for speed? To make the world safer, to help rid the world of bad software or poor administration--all of which do exist, and getting rid of them is probably an excellent goal?
No, I think the fact is that the only people who would discover the faults (assuming your argument about the criminals' capabilities is true) are other hackers. Now, if I as a hacker go to the company and say 'hey, I found a flaw in your software or operations and here's how to fix it...,' and then leave it at that, what if some other hacker finds the same flaw and doesn't go to the company, but broadcasts 'look what I found'? Who gets the credit for the 'hack'? And, I think that is what this is all about--credit for the discovery, credit for the hack, credit for the exposure.
Whistleblowers, more often than not, have tried many routes within an organization to get some information out. Having been frustrated time and again, they choose the not-so-pleasant road of whistleblower. Very few gain benefits for their efforts. They are often ostracized because they often end up bringing harm to an organization, of which they are a part, and to people with whom they work.
Hackers, on the other hand, often gain, at least in terms of reputation among those who honor what they do. If a hacker attacked other hackers--again, specifically referring to those special creative people your article refers to, for doing unethical things or setting up an unethical system, that hacker would be like a whistleblower.
Making software better, making society better, improving computing for its own sake. Maybe a few, but, surely, a good number are in it for the rep, don't you think?
-
Ego's gone wild
2005-02-15 10:27:45 crash15139
I find it unimpressive when I meet some self-proclaimed "hackers" that download someone else's tools & run them from a GUI. These pests seem to think that all admins hold the keys to all the doors, network security, etc. in all situations & are quick to say you "deserve" to be hacked without the necessary precautions. Yes, if you are at the helm of all the doors, you should have all the keys, but for many business purposes, network, security, sysadmin are entirely independent & rely on communication & language each may/may not understand. So when a server gets hacked with a rootkit downloaded from some scriptie at 2am in Brazil, I wish for once I could have him/her in front of me explaining why they did it, then let me retort....
-
Hacking is excellence before the single authorship state dies.
2005-02-14 23:26:41 steve_nordquist
Success has a thousand fathers, they say; failure but one. Taking this literally to heart, you'll quickly disparage your human friends and have few new ideas for company! There's a middle stage where the Lord Kelvins sought out and assigned attribution for notions under their brainchildren, made throwaway experiments to form decent scientific queries, and otherwise did groundwork past any homework that there had ever been before.
Kelvin had a lot of help; everyone who wanted to know how something was scientific or not, without knowing a good science corpus or examining methods--or contrariwise what science was before observations were examined and put to paper as (maybe) science--was impetus to stay quiet until quite prepared. As a result, most of his l33tspeak passes, even now, for refinement.
IT has shorter product lifecycles.
Marketing velocity just can't go fast enough, and products, slaved to human memes, have to go along or wash up in the whorls of mere linear business growth.
So hackers can't always take such refuge, exhibiting market discipline before empirical learning: Minor checks that a glass flask does not itself burn, and that embedded routers recover better with some ICMP traffic, must suffice.
However, it is criminal, to free capital, to create law that permits trading energy on its own full measure but unilaterally prosecutes informatic scrutiny. That was the soul of the Enron debacle; accounting deference to an inscrutable aside to innovation. It took leaked memos to suggest a just reason for scrutiny. Indeed we might still have a few popups now every second if a judge or 30 had soft-handed the notion of proprietary client-side javascript. A good hacker flossing balanced with reliable business capability is just what every business wants going on, unless they want to be a one-hack shop.
Hacking is about making good use of all resources.
Criminalizing it makes for short or slow trades and a catastrophe when your call comes.
-
Hacking
2005-02-11 17:00:25 coolspot
Ok... you might think that hacking is all "boundary pushing" and "an infinite level of possibilities within networks" but c'mon man... that's not what hacking ACTUALLY means to people. Hacking is sending people viruses, creating worms, defacing websites, stealing personal info. There is no two ways about it... hacking is bad. You can shout your white hat hacker rubbish till you're blue in the face.. but face it, hacking is bad. Bad. Fine, the occasional "nice" hacker (if there truly is such a thing) may discover a security flaw in a program or service and tell the company involved... but the only reason it's an issue is because of hackers in the first place. If there were no hackers there would be no problem. (that day will never come)
I'm really quite bemused that you think you can just say hacking is ok because it's deep and meaningful, and networks are infinite and all that. Hacking is bad because people lose money, programs get screwed up, computers get damaged, information is lost and people are screwed over. Those are the plain hard facts of it.
Fine, hackers may not be weirdo geeky kids messing with other people's trojans, causing trouble, or uber geeks stealing money off people, or total gits who just want to mess up people's computers or websites, but let's be honest... most of them are. So fine, if you're going to be a hacker, be a hacker... but expect no sympathy from those who have their computers or websites hacked.
*apologies for spelling mistakes. I'm not a retard because I can't type, it's just late.
-
So once again it seems the real issue comes down to a word or name and who defines it. And who we want to fear..