Sunday, August 08, 2010

Hacking and IT Culture

IT Culture has come into the limelight in recent weeks due to Byron Sonne's arrest just prior to the G20 Summit in Toronto.

Byron Sonne is part of the IT Hacker community in Toronto and a Security professional although the claim of professionalism has been challenged by at least one blogger on BelchSpeak.

So, perhaps this is a good time to enlighten the public on IT Culture, what it is and what constitutes standard practice.

Hacking (exposing vulnerabilities in computer hardware and software systems) is part of our IT culture and not an uncommon practice.

Is it illegal? Technically speaking, yes it is and always has been.

However, in it's defense and in my personal opinion, the problems with hacking isn't so much that it's done but what the motivation is. This motivation can be determined by observing what occurs as a result of it's being done.

For example, if a person hacks a system in order to set it up to:
  1. participate in a DNS attack,
  2. load a virus or other maliciously destructive software,
  3. violate the privacy of an individual, group, corporation, etc. they've targeted, 
  4. steal and/or tamper with data or software code,
amongst many other things....

They've committed an illegal act and should be held accountable including prison time.

The criminal act, in my opinion, was what occurred when the person accessed the system, not the access to the system.

On the other hand, if someone is Black Box Testing a system in order to expose vulnerabilities, but does no harm to the system and/or reports the vulnerabilities to the target so that they can improve their security, I (and I would argue that most IT people) don't see this as a problem, never mind a criminal act.

Historically, this has been the role of the White Hat Hacker and one that many corporations have appreciated and benefited from.

Why has this become part of IT Culture?

In order to protect systems and keep them secure, we need to know how to break them first and this gives us the information we need to secure them.

As a Web and Software Developer, if I don't understand how SQL Injection or Cross-site posting works I can't develop software which blocks these kinds of attacks.

This is one of the key purposes behind Black Box Testing. It gives the IT professional the information they need to either write secure code or implement configuration changes to hardware for the purpose of securing the system against malicious hacking.

Black Box Testing is an IT methodology where the tester doesn't know the internal workings of a software or hardware system but will poke it, both see if they can bypass it's security and expose any  vulnerabilities in the system.

It's generally a constructive activity which contributes to ensuring that IT hardware and software systems and therefore the privacy and security of those who use these systems is protected.

A key principle behind this type of hacking is that no harm must be done to the system being probed or with information garnered.

As soon as harm is done, it crosses the line from White Hat Hacking into malicious hacking also known as Black Hat Hacking.

So, what then constitutes harm?

In my opinion, just noting that one was able to access private information, particularly if this access is then reported to the appropriate parties, does not constitute doing harm.

Why?

Because no negative act occurred as a result of this violation, and if it was reported, the violation is offset by the reporting which will result in a more secure system.

Accessing private information and then using it for blackmail purposes would constitute doing harm, would be malicious hacking and of course the person who committed such an act belongs in jail.

That said, let me just make the critical point that the vast majority of IT people who do this are not malicious hackers and it's because of them that we have far more secure systems today than even five years ago.

The IT Community, particularly the IT Security Community, which consists of numerous White Hat Hackers, should be commended and not demonized, for their constructive contributions to the IT Security field and industry.

Irrespective of whether Byron Sonne turns out to be a White Hat, Black Hat, or possibly a Grey Hat Hacker.

Something which remains to be seen.

I don't know him, but what little information I've been able to pick up on his activities through Internet searches gives me serious cause for concern, despite the confidence displayed by his friends.

Friends who, while I'm sure they're nice and for the most part honest, sincere and caring people, obviously have an emotional stake in this cause and are unlikely to be able to see this situation as objectively as an outsider would.

That said, there is a concept held by some hackers, called Full Disclosure which could have an impact and which I'll be discussing in another blog.

One of the difficulties in the Byron Sonne situation is that the Bail Hearing was held under a publication ban at Sonne's lawyers request.

So it's currently impossible to make a rational decision based on actual facts, regarding whether or not Sonne's actions were reasonable in the context of IT culture and based on the facts that I do have I can't in good conscience defend his actions.

Background information:

Hacking Wiki

Originally published July 24 (8:54AM). Republished August 8 with revisions.

Monday, August 02, 2010

In Defense Of Richard Silverstein And Free Speech

The following was posted on a blog called Medawar's Cornflakes. I am reproducing it here for the same reasons that Medawar indicated that he posted it.

While I may or may not agree with everything Mr Silverstein says, he has the right to say it without being harassed and being the victim of malicious DOS attacks attempting to bring down his site and by doing so, suppress his Right To Free Speech.

Medawar's Cornflakes
The following is reproduced from Richard Silverstein's blog, "Tikun Olam" simply because it would appear to be the trigger for a sustained denial of service attack against his site. Reproduction shouldn't be taken as an endorsement of all of Mr Silverstein's views and actions (Lord knows: he might have done all sorts of bad stuff that Medawar doesn't know about.) But DOS attacks, particularly when it seems as if Israeli police computers may have been hacked or infected in order to launch it, are as threatening to modern society as piracy on the High Seas and Cash in Transit Robberies. Medawar hasn't reproduced any of the comments that were on the blog, because it is impossible to assume the commentator's permission and some of them were obscene.

The article was headed by a picture of an alleged Israeli torturer, which was obtained by Mr Silverstein in the pixellated condition you see below. A lot of the embedded links below seem to work now: presumably the URL information got copied across with them? Medawar is a bit surprised, but not complaining!

Identity of Former IDF Torturer Exposed, ‘Captain George’ is Doron Zahavi

doron zahavi captain george
Alleged Arab torturer Doron Zahavi aka 'Captain George' (Haaretz)

Yesterday, I reported here on a Haaretz story about the notorious “Captain George,” an IDF military intelligence interrogator accused in 2004 of sodomizing a Lebanese kidnap victim in order to secure information about the location of IDF officer, Ron Arad. Among the things I wrote was my complaint that Haaretz was protecting the real identity of George even though he no longer served in military intelligence.
With the help of a diligent Israeli researcher, I can now expose George’s real identity. He is Doron Zahavi, currently the Arab affairs liaison for the Jerusalem police. His job, as I noted yesterday, is to direct community relations and liaison efforts between the police and Jerusalem’s Arab residents.

In discussing the parameters of Zahavi’s job, a police spokesperson told Haaretz:
“The adviser must be an accepted and welcome figure in the Arab community, with excellent interpersonal skills – someone they feel they can trust, otherwise he cannot succeed in the job,” a senior police officer said.
doron zahavi exposed
ACRI complaint identifies Doron Zahavi by name

Apparently, Zahavi has performed his job so well he’s garnering rave reviews right and left from his Arab interlocutors. One, Jouad Siam, complained that in a February, 2010 interrogation, Zahavi threatened to destroy his home (Hebrew source) unless he disbanded a Silwan information center Siam had founded to counter the building efforts of settlers in his neigborhood. Here is how the ex-torturer now conducts himself. I’ll let you be the judge whether the leopard has changed his spots:
He [Zahavi] told us we were making problems and we had to close the center. I told him: “I thought we are in a democracy.” This raised the ire of ‘George,’ who said: “We Jews are fools. We treat you too well. I thought you would behave yourself.” ’George’ threatened that he would draw up a demolition order for his home if he refused to close the center.
According to Siam, “The entire conversation was conducted in shouts. He didn’t let me speak. He would ask and answer his own questions [without allowing Siam to respond]. At the end of the discussion, he told me to go home and behave myself.
Last February, the Association for Civil Right in Israel registered a formal complaint against Zahavi for his outburst. Among the claims listed was that Zahavi called Siam a “criminal” and said that the latter would be held responsible for everything that happened in Silwan. The interrogator asked about the source of Siam’s income and told him he would intervene with his boss. At the end of the meeting, Zahavi attempted to enlist Siam as an informant.

The police replied formally to the complaint claiming laughably that Zahavi had merely invited Siam to a “get to know you” meeting in which the police advisor sought to discover what issues particularly troubled the local Arab population. In the course of the meeting, Zahavi felt it necessary to inform his Arab interlocutor about activities in which he was engaged that violated the law. No mention in the police reply how founding an information center was a violation of law.

The publicly available ACRI complaint lists Zahavi’s real name. In that case, why would Haaretz not be able to use it? The whole situation baffles me. At any rate, thank God we’re not bound by any such nonsense and we offer the real Doron Zahavi to the world in all his glory. If a reader has a picture of Zahavi, please let me know.