In Dr Teodor Mitew's Counter-networks lecture he discussed hacktivism, whistleblowers and Wikileaks. Wikileaks is nothing new to me, though I didn't have quite the same picture of Julian Assange as The New Yorker. But the whole idea of the electronic frontier as a modern wild west really stuck with me (Mitew 2011). I imagine Assange as the Clint Eastwood to LulzSec's Lee Van Cleef, à la The Good, the Bad, and the Ugly.
White and Black hat cyber cowboys.
But even The Good have dark pasts. Mitew mentioned in the lectures and tutorials that retired or caught Black Hats (hacker bad guys) are often employed as White Hats (hacker good guys) for 'ethical' purposes, to test systems for weaknesses etc. (2011). But what distinguishes a White Hat from a Black? Are they mutually exclusive, and just how fine is the line between them?
Grey Hats: Cyberspace's answer to Two-Face?
The more you research hacking, the more the term 'Ethical Hacker' arises. There seems to be a great amount of value placed on the skills of White Hats in the security industry, so much so that there are now places, ebooks and DVDs that will train you to be a White Hat.
7 hours of hacker training for only $99.95 - What a bargain!
But even ethical hacking is not without its criticisms. In Danish Jamil and Muhammad Numan Ali Kha's article 'Is Ethical Hacking Ethical?' for the International Journal of Engineering Science and Technology, they sum up the issue often raised when discussing ethical hackers: just how much can we trust them?
It can be argued that after working on a big projects with one of the countries big financial companies to find security flaws to help remedy problems, can help to reinforce the knowledge of a ethical hacker and sometime in the future out of curiosity or through spite breach his contract and sell his ideas to criminals. It was argued that this can be achieved and that this is one of the many problems ethical hacking faces (Jamil, D & Kha, M. N. A, 2011).
It sounds like a logical argument, right? Rob Cotton expresses similar concerns in his article for ComputerWeekly.com, stating:
If you used to get your kicks from undermining national security, can you really be trusted to protect it? (2009)
Especially when paired with evidence like this. WIRED magazine ran an article in 2001 on 'Max Vision', a supposed White Hat FBI informant who was jailed for attacking military computer systems in 1998 (2001). Of course, most of this criticism is aimed at the use of ex-Black Hats as ethical hackers, but you could argue that the same risks/issues apply to security professionals and 'pure' White Hats too.
Sources:
Cotton, R, 2009, 'Recruiting Hackers to Defend the UK is Lunacy', ComputerWeekly.com, 30 June, accessed 7/10/2011, http://www.computerweekly.com/Articles/2009/06/30/236701/Recruiting-hackers-to-defend-the-UK-is-lunacy.htm
Delio, M, 2001, 'A White Hat goes to Jail', Wired Magazine, 22 May, accessed 7/10/2011, http://www.wired.com/politics/law/news/2001/05/44007
Jamil, D & Kha, M. N. A, 2011, 'Is Ethical Hacking Ethical?', International Journal of Engineering Science and Technology, vol. 3, issue 5, pp 3758-3763, accessed 7/10/2011 via University of Wollongong library database, http://www.ijest.info/docs/IJEST11-03-05-186.pdf
Khatchadourian, R, 2010, 'No Secrets: Julian Assange's mission for total transparency', The New Yorker, June 7. http://www.newyorker.com/reporting/2010/06/07/100607fa_fact_khatchadourian
Mitew, T, 2011, Counter-networks: online activism, whistleblowers, and the dark side of the net. DIGC202 Global Networks, University of Wollongong, delivered 19th September.
Whilst reading your article and thinking about ethical hacking, I thought of a scene from the movie The Italian Job, where Charlize Theron was breaking into a safe. It looked like she was attempting to steal the contents, but she was in fact something like an ethical safe cracker, getting paid to test the difficulty of the safe for potential thieves.
I think that this is just like an example of ethical hacking (except for the fact she turns 'bad' in the movie and steals millions), as organisations need qualified individuals who are as capable as the real potential hackers, to test the software. This is why they hold hacker contests like Pwn2Own (where contestants attempt to hack a specific system to take home a prize pool and the product). I think that companies need to test the potential of hackers, otherwise how will they know what they're up against? But I guess they really need to properly distinguish their white hats and their black hats...
There really is a fine line between ethical hacking and hacking for personal benefit. I agree that white hat hacking is valued, but there is something to think about when you think about the white hat hackers that used to be black hat. Can they be trusted to do a good job? Will they trick you and hack everything from inside the system?
I don't think there is such a concept as 'ethical hacking'. First of all, hacking still means that you are invading someone's privacy; whether it is intentional or unintentional, it is still unethical. Hackers only hack to retrieve information, and remember, information wants to be free but it also wants to be expensive. Some information gathered from hacking is sold to others for money, thus making information expensive. Again, this is unethical, as it is theft to take someone else's information and sell it for your own commercial benefit.
Also, as Kathleen said (above), who says ethical hacking exists? How do we know that these 'test' hackers cannot one day attack the company themselves?
It is an interesting point brought up with the use of black hats turned white. Can they be trusted? The be all and end all is yes. Why? Because money talks.
Despite enjoying when they successfully hack a system and take it down, it is a dangerous illegal game, especially if you get money involved. Rather, the "grey hats" get paid to do what they like, mock attack a system and test its limits. The question of whether ethical hacking is ethical is something different altogether.
Is hacking a government site covered by "freedom of information"? If we elect government officials and they are "our" government, should they have secrets from us?
I have to say that hiring those that undermine your system's security is genius. If there are people out there with a proven track record of finding and capitalising on the vulnerabilities in your system, what better way to find and fix them early than to have such people working for you rather than against you? However, to do so you must have a system in place to prevent them from doing further damage. And I'm sure Apple have just that when they hired a hacker of their own.
http://www.smh.com.au/digital-life/mobiles/iphone-hacker-golden-boy-hired-by-apple-20110830-1jj18.html