Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?
The first question is easier than the second. So I’ll tackle that one first.
Two things definitely cross you over the line into black: Viewing data you shouldn’t view (something that you even suspect might contain a social security number, bank account number, credit card number, or the like), or changing data irreversibly. Some would draw the line at changing any data at all.
I’m more interested in intent than I am in specifics, since it’s very difficult to interact with a foreign system at all without viewing or creating any data. If you have no intent to do harm, and you know how to connect to and check out the system without doing any harm accidentally, you’re not a black-hat.
Furthermore, if you own the system that you’re testing, you’re free to hack it however you want. And if you’re a contractor or an employee being paid to perform a security assessment, you’re in the clear so long as you stay within the boundaries of the contract and professional standards. That’s the nice thing about being assessed by someone who has accreditation–someone with a CISSP, CEH, or both has not only passed a test, but has also agreed to abide by an ethical code, and violating that code will result in the loss of an expensive certification.
What about the line between white and gray? If I view no data at all, I’m definitely white-hat. If I connect to my neighbor’s unsecured wireless network and show the neighbor the directory listing of the files on his Windows desktop, then I’m definitely gray hat. But the neighbor will take my statement that he has a problem much more seriously if I do that, won’t he?
I know someone who used to live in an apartment complex and did exactly that: the girl next door had an unsecured Windows network running on an unsecured wireless network. He connected to the network and spotted two unsecured Windows boxes. So he walked next door and showed her what he found: “Here’s your Windows desktop. I see your resume there, and a file that says it stores all your credit cards. Here’s all your Internet Explorer bookmarks.” I’m sure he got her attention. Much more so than if he’d just knocked on her door and said, “Hey, you need to secure your wireless.”
That’s why my coworker called white-hats useless. Without at least a little bit of shock and awe, most people pay no attention to those security people. Without a demonstration, most people assume the security guys are overreacting.
Back to yesterday’s story: In this case, the student tested against a test server, so he neither viewed nor altered any meaningful data–he did no harm whatsoever–and then he went to the vendor and told the vendor what he found. That’s precisely what an ethical security researcher does. He did what the research arm of virtually every large technology company does every single day. You better believe that Adobe, Apple, Google and Microsoft are hacking one another’s products and telling each other what they find. Microsoft admits as much in the writeups of its monthly security patches. They’re competitors, but they also know that they depend on one another.
Assuming the account in the story is accurate, the student didn’t cross into black-hat territory. Some might say he crossed into gray-hat territory, but some would argue he stayed on the white-hat side.
So now let’s talk about laws.
Picking and choosing laws is, as you know, a murkier area. It’s legal to rip an MP3 and store a copy of the Pixar Cars Soundtrack CD on my tablet or MP3 player. It’s illegal for me to rip a copy of the Pixar Cars DVD movie on my tablet. Ripping the movie is illegal under current law because it requires circumventing a copy prevention scheme. As long as I don’t give away either the copies or the original disc, there’s no difference morally–everyone got paid. But there is a difference legally.
So, is it moral for me to break the law and rip a DVD? Well, it’s illegal, so perhaps it’s immoral too. But there’s very little difference between the legal and illegal activity, especially to an end user who doesn’t know what’s going on and is only running software that does all of the work for them. The laws aren’t consistent at all, and that reflects a lack of understanding of the technology involved on the part of the lawmakers. I’m not convinced either of my senators could tell me whether ripping a DVD is illegal, let alone why.
But here’s another tricky case. Watching a DVD under Linux is illegal in the United States because of the way the software works. I have a real problem with the idea that watching a DVD on a computer running Windows or OS X is moral but doing the exact same thing on a computer running Linux is immoral. Who am I hurting?
On the flip side, I can think of a long list of things that would be perfectly legal to do, but immoral. There are conditions under which underage drinking can be legal. Different people draw the line of whether it’s immoral in different places. When I was in college, I knew a guy who thought it was perfectly OK to let his 14-year-old son drink as much as he wanted, and attempt to seduce as many 18-year-old girls as he wanted. Some people will see nothing wrong with any of that, and others would be absolutely horrified. I thought the guy was out of line for encouraging that behavior. Had the son gotten drunk and succeeded at impregnating an 18- or 19-year-old, there would have been clear harm.
The university, in its canned statement containing the words “reasonable laws,” is standing on much shakier ground than it thinks. Shakier ground than the student they expelled.