Fear and Loathing in Information Securityby Michael D. (Mick) Bauer, author of Linux Server Security, 2nd Edition
If I were to tell you that I'm proud to be a hacker, would you wish I was dead? Last week I attended a speech by someone who just may, and while that speech was offensive on more levels than I can address in one editorial, I would like to talk about the demonization of hackers within the information security ("infosec") profession. In my opinion, the time has come for infosec professionals to stop fearing technology's boundary-pushers and for hackers to stop pretending there's any glory in the crimes most of them are too smart to want to commit in the first place.
The speech that set me off took place at a local meeting of an information security professional organization, and the presenter represented a well-known vendor of intrusion-detection software. During his lengthy address this person called competing security researchers "ankle-biters," suggested most users in Brazil are "miscreants," and expressed a desire to use an Apache helicopter to "take all those morons out" (apparently meaning hackers in general). While he was at it he referred to Eastern Europe as a "country," ridiculed the weight problems of several young computer criminals, and generally displayed what struck me as truly remarkable levels of bigotry, anger, and ignorance.
I said I wasn't going to dwell on the specifics of this speech, outrageous though it was. But I'm sure that the gist of what he was saying, that is, that hackers are scum, resonated with some percentage of the audience, and that's the part I want to address here.
Over-the-top invective aside, it wasn't the first time I've been exposed to this attitude. Many people in my profession, even knowing that "hacker" doesn't mean "criminal" any more than "locksmith" means "burglar," nonetheless fear and mistrust hackers. In the interest of trying to do something about this rift, which I think serves no useful purpose, I'd like to discuss why infosec practitioners demonize hackers, and why that tendency is both irrational and counterproductive. As someone who identifies very closely with the hacker community, I'll also share some ideas on what hackers might do to help the situation.
I want to stress that the real problem here isn't one of vocabulary: it's one of culture. But just to be safe, let me clarify what I mean by "hackers": I mean people generally obsessed with solving problems with computers and with determining for themselves how things really work. These are people who see a computer or network not as a predictable, black-and-white system regulated by strict rules, but rather as a nearly infinite set of potentials limited only by its users' skills and imaginations.
Hackers tend to employ unorthodox means of solving problems and learning things. In fact, the very definition of a "hack" is "something that isn't supposed to work but does." It therefore follows that whether they call themselves such or not, many of the world's greatest engineers and enterpreneurs throughout history have been hackers. Linux Torvalds is a hacker icon; Neal Stephenson has argued that Lord Kelvin was a hacker too. In summary, hackers are the world's boundary-pushers.
One quick note about where I fit in, since you'll notice I sometimes use the word "we" when describing the hacker community. I consider myself a member of both the hacker and professional infosec communities. I've presented at both Def Con (twice) and at the Computer Security Institute's Annual Conference, and while I am neither a programmer nor a penetration tester (which by some people's definition disqualifies me from ever being an elite hacker), I identify closely with the hacker values of creativity, curiosity, knowledge-sharing, and exploration. I have this "dual citizenship" in common with some of my most valued infosec colleagues. In no way do we condone any crime or consort with known criminals, but of course that's the whole point of this essay.
Boundary-Pushing: Sin or Virtue?
The reactionary element in information security understands this definition of "hacker as boundary-explorer," and is perfectly capable of distinguishing between people who live on the edge and people who cross the line. However, we seem to be sharply divided over whether (a) pushing boundaries is a good thing to be doing in the first place, and (b) it must inevitably lead to crime.
Consider the popular hacker pastime of security research (or, more precisely, vulnerability research). Security researchers attack, within the confines of their own lab systems, operating systems and software applications for the purpose of proactively identifying security vulnerabilities so they can be patched against or otherwise mitigated. There are, it seems, three prevailing points of view on security research.
Hackers, naturally, love security research: It's a constructive outlet for some of their darker impulses, one with tangible benefits to society. Such "full-disclosure" proponents believe we all benefit any time the "good guys" find a new vulnerability, give affected vendors fair notice to release a patch, and then notify the public so they can apply the patch or take other corrective action. This ethos is exemplified (most of the time) by the Bugtraq mailing list.
Vendors seem to have a somewhat more ambivalent attitude toward independent security research. On the one hand, it provides free third-party quality assurance testing. On the other hand, it can be really embarrassing, depending on how obvious or egregious a given vulnerability is and on how much advance notice the researcher truly gives.
Many people, however, including many information security professionals, think it's simply wrong to abuse any system or application for any purpose, even in a lab setting, unless it's conducted by whomever created that system or application. People with this attitude tend to be highly suspicious of the motivations of security researchers and tend to believe that "security research" is actually a euphemism for "mischief."
Granted, I'm intentionally dodging some subtle controversies of the full-disclosure movement, that is, precisely how much time a security researcher should give a vendor to respond and release a patch before the researcher publicizes a vulnerability, whether sample exploit code is ever justifiable, and so on. My point is simply that vulnerability research is an area that many people consider to be inherently conducive to abuse, regardless of its usefulness, and that many people are uncomfortable not so much with vulnerability testing's specific impact on Internet security, but rather with the general idea of people pushing limits in this fashion.
And here we come down to fundamentally opposite realities. There are people who think that vendors should be allowed exclusive control over security testing on their products, and should be trusted to both admit to and fix security problems whenever they find them. And there are people who think that (a) software nowadays is too complex and the threats too numerous for this to really work, and (b) it isn't necessarily in vendors' best interests to do so anyhow.
The infosec purist, in other words, wants to believe what vendors tell him, but the hacker wants to figure things out for herself. I believe this to be one of the main sources, if not the primary source, of discomfort with hackers.
The Corruptive Nature of Hacking
Perhaps less irrational than the fear of boundary-pushing is the belief that hacking leads to crime. If you become too fascinated by how network attacks work, the story goes, you'll eventually cave in to the temptation to conduct those attacks. And it is an incontrovertible fact that many people who commit computer crimes are hackers. But are they criminals because they're hackers, or do they have other problems? I'm convinced of the latter.
I have nothing more scientific to base this belief on than my own experience and observations (plus those of my friends), but as somebody who's spent a lot of time researching and experimenting with network hacking, not to mention securing large networks against intrusion, I think this counts for something.
I started out as a network engineer. Early on I learned how TCP/IP works, how Ethernet works, and how to use network diagnostic tools such as packet sniffers. Even in my first year doing this type of work, I knew how to eavesdrop on telnet sessions and to otherwise abuse the tools of my trade. But I didn't abuse them; I respected the rights of my users and understood the consequences of betraying my employer's trust.
After eight years of immersion in both information security and hacker circles, I humbly submit that this level of awareness and ethics is typical among hackers. Hackers who cross the line into illegal and unethical behavior are, in my opinion, outside the mainstream of hacker culture. I'm sure of this for two reasons.
First, anybody who understands how networks work knows that there's no such thing as privacy or anonymity on the Internet, and that those who mess with other people's systems will be caught eventually. Second, insofar as hacking involves increasing and sharing knowledge, it's an altruistic pursuit for most of its practioners; abusing that knowledge generally runs contrary to the hacker ethos.
So who, exactly, commits computer crimes? Mostly the very young or very ignorant, I think. These are people who don't understand the ramifications of what they're doing or how easily they can be caught. There are some bona fide sociopaths; the hacker community is no more free of these than any other segment of the human population. And yes, there is such a thing as an evil hacker mastermind; the world surely contains highly-skilled professional computer criminals who seldom if ever get caught. Most people I trust, however, believe there are relatively few hacker sociopaths and even fewer evil hacker geniuses.
Conventional wisdom nowadays is that the vast majority of people who commit computer crimes are in fact script kiddies, that is, people scarcely skilled or creative enough to even be called hackers. If this is the case, that the least skilled hackers are most prone to commit crimes, then can it really be said that acquiring hacker skills leads to crime? I don't think so. It seems to me that people who are inclined to commit computer crimes sometimes acquire (limited) hacker skills, not the other way around.
The Notoriety Thing
Okay, so people's discomfort with hacking is their own problem, and most hackers are in fact upstanding citizens. Then why do so many hackers like to dress and act provocatively, and why is Kevin Mitnick treated like royalty when he attends Def Con?
Personally, I think hackers' tendency to act out comes at least partly from their being treated like outcasts. Hackers have been so misunderstood for so long that we shouldn't be surprised when they cop a "to hell with mainstream society" attitude. If you're going to be treated like a misfit, then you may as well have some fun playing the part.
In this context, it becomes tempting even for otherwise-straight hacker types to sympathize with actual techno-outlaws, especially when it seems like the punishment meted out to them is disproportionate to their actual crimes. For example, most hackers knew Mitnick deserved jail time, but few felt he deserved to be held for four years, without bail, including eight months in solitary confinement, before he was even brought to trial. Personally, as I sat through that hate-filled speech last week, I found myself starting to feel sorry for the young, misguided, and yes, even stupid computer criminals whose photos the speaker ridiculed and excoriated; much as I deplore their transgressions, they're still human beings for whom I can't help but feel some compassion and even kinship. (There, but for a happy childhood and some crucial mentoring early on, go I...)
Still, clearly it's wrong when hackers do or say things that implicitly or explicitly condone illegal behavior. A few years ago a hacker named "Se7en" got a lot of attention for claiming to be on a crusade to infiltrate the systems of child pornographers for the purpose of shutting them down (though by all accounts, se7en's braggadoccio was disproportionate to his actual skill). More recently, the brilliant but misguided Adrian Lamo penetrated a series of high-profile corporate networks for the purpose of demonstrating their insecurity, and although in each case he worked with his "victims" to fix the problems he found, the last of these (The New York Times) pressed charges.
People like Mitnick, Se7en, and Lamo are, in real terms, well outside the mainstream of hacker culture: Most hackers simply don't approve of messing with other people's property, productivity, or freedom of speech. But hackers do sometimes idealize people like Lamo because of their talent, skill, or panache, and because of the aforementioned persecution thing.
This idealization is unfortunate. It impairs hackers' credibility and ultimately reinforces people's misconceptions about hackers. So what I suggest to the hacker community is this: Let's work a little harder to downplay the notoriety angle, and be a little more vocal in condemning the behavior of those few of us who cross the line from pushing boundaries to breaking laws.
This doesn't mean we need to ostracize those who fall from grace; giving up on people who make bad choices surely isn't any more altruistic than computer crime is. I'm not suggesting that Kevin Mitnick be barred from attending Def Con. In all honesty, I'm not entirely sure how to achieve what I'm suggesting. My point is that there's still a lot of skepticism out there with regard to the reality of hacker daily life, which for most of us emphatically excludes illegal and unethical behavior, and the hacker community must accept some responsibility for people's hesitating to give us the benefit of the doubt.
My esteemed colleague the hacker-philosopher Richard Thieme says that hackers, due to the very fact that they operate at the edges of what is known (and especially of what is thought to be possible), are destined to be misunderstood. Society has always treated innovators and whistle blowers with ambivalence. Information security professionals, however, tasked as we are with protecting critical infrastructures that everyone depends on, can't afford the mental laziness of demonizing this important segment of the technical community. For one thing, it's amply represented within our profession: "They" can't all be enemies, because so many of "them" are in fact "us." And that's a good thing. Hackers are arguably our biggest allies in neutralizing and catching real live computer criminals.
If more information security professionals would free themselves of the notion that the hacker mindset is morally wrong or that it inevitably leads to crime, they could borrow or even learn themselves how to use hackerly creativity and innovation in their efforts to protect and secure. Everyone would benefit from that; nobody benefits from narrow-mindedness.
Michael D. (Mick) Bauer is Network Security Architect for a large financial services provider. He is also Security Editor for Linux Journal Magazine.
Return to the O'Reilly Network.