Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?
The first question is easier than the second. So I’ll tackle that one first.
Two things definitely cross you over the line into black: Viewing data you shouldn’t view (something that you even suspect might contain a social security number, bank account number, credit card number, or the like), or changing data irreversibly. Some would draw the line at changing any data at all.
I’m more interested in intent than I am in specifics, since it’s very difficult to interact with a foreign system at all without viewing or creating any data. If you have no intent to do harm, and you know how to connect to and check out the system without doing any harm accidentally, you’re not a black-hat.
Furthermore, if you own the system that you’re testing, you’re free to hack it however you want. And if you’re a contractor or an employee being paid to perform a security assessment, you’re in the clear so long as you stay within the boundaries of the contract and professional standards. That’s the nice thing about being assessed by someone who has accreditation–someone with a CISSP, CEH, or both has not only passed a test, but has also agreed to abide by an ethical code, and violating that code will result in the loss of an expensive certification.
What about the line between white and gray? If I view no data at all, I’m definitely white-hat. If I connect to my neighbor’s unsecured wireless network and show the neighbor the directory listing of the files on his Windows desktop, then I’m definitely gray hat. But the neighbor will take my statement that he has a problem much more seriously if I do that, won’t he?
I know someone who used to live in an apartment complex and did exactly that: the girl next door had an unsecured Windows network running on an unsecured wireless network. He connected to the network and spotted two unsecured Windows boxes. So he walked next door and showed her what he found: “Here’s your Windows desktop. I see your resume there, and a file that says it stores all your credit cards. Here’s all your Internet Explorer bookmarks.” I’m sure he got her attention. Much more so than if he’s just knocked on her door and said, “Hey, you need to secure your wireless.”
That’s why my coworker called white-hats useless. Without at least a little bit of shock and awe, most people pay no attention to those security people. Without a demonstration, most people assume the security guys are overreacting.
Back to yesterday’s story: In this case, the student tested against a test server, so he neither viewed nor altered any meaningful data–he did no harm whatsoever–and then he went to the vendor and told the vendor what he found. That’s precisely what an ethical security researcher does. He did what the research arm of virtually every large technology company does every single day. You better believe that Adobe, Apple, Google and Microsoft are hacking one another’s products and telling each other what they find. Microsoft admits as much in the writeups of its monthly security patches. They’re competitors, but they also know that they depend on one another.
Assuming the account in the story is accurate, the student didn’t cross into black-hat territory. Some might say he crossed into gray-hat territory, but some would argue he stayed on the white-hat side.
So now let’s talk about laws.
Picking and choosing laws is, as you know, a murkier area. It’s legal to rip an MP3 and store a copy of the Pixar Cars Soundtrack CD on my tablet or MP3 player. It’s illegal for me to rip a copy of the Pixar Cars DVD movie on my tablet. Ripping the movie is illegal under current law because it requires circumventing a copy prevention scheme. As long as I don’t give away either the copies or the original disc, there’s no difference morally–everyone got paid. But there is a difference legally.
So, is it moral for me to break the law and rip a DVD? Well, it’s illegal, so perhaps it’s immoral too. But there’s very little difference between the legal and illegal activity, especially to an end user who doesn’t know what’s going on and is only running software that does all of the work for them. The laws aren’t consistent at all, and that reflects a lack of understanding of the technology involved on the part of the lawmakers. I’m not convinced either of my senators could tell me whether ripping a DVD is illegal, let alone why.
But here’s another tricky case. Watching a DVD under Linux is illegal in the United States because of the way the software works. I have a real problem with the idea that watching a DVD on a computer running Windows or OS X is moral but doing the exact same thing on a computer running Linux is immoral. Who am I hurting?
On the flip side, I can think of a long list of things that would be perfectly legal to do, but immoral. There are conditions under which underage drinking can be legal. Different people draw the line of whether it’s immoral in different places. When I was in college, I knew a guy who thought it was perfectly OK to let his 14-year-old son drink as much as he wanted, and attempt to seduce as many 18-year-old girls as he wanted. Some people will see nothing wrong with any of that, and others would be absolutely horrified. I thought the guy was out of line for encouraging that behavior. Had the son gotten drunk and succeeded at impregnating an 18- or 19-year-old, there would have been clear harm.
The university, in its canned statement containing the words “reasonable laws,” is standing on much shakier ground than it thinks. Shakier ground than the student they expelled.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Great write-up! I love your articles and this one helps explain some topics I have a hard time explaining.
“But here’s another tricky case. Watching a DVD under Linux is illegal in the United States because of the way the software works. I have a real problem with the idea that watching a DVD on a computer running Windows or OS X is moral but doing the exact same thing on a computer running Linux is immoral. Who am I hurting?”
….
You have intrigued me.
Why is it illegal to view a DVD? I’ve used Linux since 1998 and I didn’t know that I could be violating any laws by just viewing. Ripping yes. Viewing?
Yes, because the library that decrypts the DVD for viewing isn’t licensed by anyone. In the absence of a licensed key, it brute-forces the encryption, and the way the DMCA is written, that’s illegal, whether the intent is to copy the media, or simply view it. The courts have repeatedly said, “Well, just watch movies under Windows, then. There aren’t enough Linux users to worry about this.”
Asinine.
I’ve been downloading and using libdvdcss and other components for years, but never really thought it through. To rip you must see. To see, you must have the components to rip. Another way to see what’s before your very eyes,
Thanks.
Exactly. Immoral? Absolutely not. Illegal? Yes, not that they’re likely to ever prosecute, because then they’ll find out exactly how many Linux users there are, and no judge wants to find it out that way. Just another case of lawmakers not understanding the implications of the laws they make. It happens a lot when technology is involved.