Sunday, August 08, 2010

Hacking and IT Culture

IT Culture has come into the limelight in recent weeks due to Byron Sonne's arrest just prior to the G20 Summit in Toronto.

Byron Sonne is part of the IT Hacker community in Toronto and a Security professional, although the claim of professionalism has been challenged by at least one blogger on BelchSpeak.

So, perhaps this is a good time to enlighten the public on IT Culture, what it is and what constitutes standard practice.

Hacking (exposing vulnerabilities in computer hardware and software systems) is part of our IT culture and not an uncommon practice.

Is it illegal? Technically speaking, yes it is and always has been.

However, in its defense and in my personal opinion, the problem with hacking isn't so much that it's done but what the motivation is. This motivation can be determined by observing what occurs as a result of its being done.

For example, if a person hacks a system in order to set it up to:
  1. participate in a DNS attack,
  2. load a virus or other maliciously destructive software,
  3. violate the privacy of an individual, group, corporation, etc. they've targeted, 
  4. steal and/or tamper with data or software code,
amongst many other things....

They've committed an illegal act and should be held accountable including prison time.

The criminal act, in my opinion, was what occurred when the person accessed the system, not the access to the system.

On the other hand, if someone is Black Box Testing a system in order to expose vulnerabilities, but does no harm to the system and/or reports the vulnerabilities to the target so that they can improve their security, I (and I would argue that most IT people) don't see this as a problem, never mind a criminal act.

Historically, this has been the role of the White Hat Hacker and one that many corporations have appreciated and benefited from.

Why has this become part of IT Culture?

In order to protect systems and keep them secure, we need to know how to break them first and this gives us the information we need to secure them.

As a Web and Software Developer, if I don't understand how SQL Injection or Cross-site posting works, I can't develop software which blocks these kinds of attacks.

This is one of the key purposes behind Black Box Testing. It gives the IT professional the information they need to either write secure code or implement configuration changes to hardware for the purpose of securing the system against malicious hacking.

Black Box Testing is an IT methodology where the tester doesn't know the internal workings of a software or hardware system but will poke at it, both to see if they can bypass its security and to expose any vulnerabilities in the system.

It's generally a constructive activity which contributes to ensuring that IT hardware and software systems, and therefore the privacy and security of those who use these systems, are protected.

A key principle behind this type of hacking is that no harm must be done to the system being probed or with information garnered.

As soon as harm is done, it crosses the line from White Hat Hacking into malicious hacking also known as Black Hat Hacking.

So, what then constitutes harm?

In my opinion, just noting that one was able to access private information, particularly if this access is then reported to the appropriate parties, does not constitute doing harm.

Why?

Because no negative act occurred as a result of this violation, and if it was reported, the violation is offset by the reporting which will result in a more secure system.

Accessing private information and then using it for blackmail purposes would constitute doing harm, would be malicious hacking and of course the person who committed such an act belongs in jail.

That said, let me just make the critical point that the vast majority of IT people who do this are not malicious hackers and it's because of them that we have far more secure systems today than even five years ago.

The IT Community, particularly the IT Security Community, which consists of numerous White Hat Hackers, should be commended and not demonized, for their constructive contributions to the IT Security field and industry.

Irrespective of whether Byron Sonne turns out to be a White Hat, Black Hat, or possibly a Grey Hat Hacker.

Something which remains to be seen.

I don't know him, but what little information I've been able to pick up on his activities through Internet searches gives me serious cause for concern, despite the confidence displayed by his friends.

Friends who, while I'm sure they're nice and for the most part honest, sincere and caring people, obviously have an emotional stake in this cause and are unlikely to be able to see this situation as objectively as an outsider would.

That said, there is a concept held by some hackers, called Full Disclosure, which could have an impact and which I'll be discussing in another blog.

One of the difficulties in the Byron Sonne situation is that the Bail Hearing was held under a publication ban at Sonne's lawyer's request.

So it's currently impossible to make a rational decision based on actual facts regarding whether or not Sonne's actions were reasonable in the context of IT culture, and based on the facts that I do have, I can't in good conscience defend his actions.

Background information:

Hacking Wiki

Originally published July 24 (8:54AM). Republished August 8 with revisions.
