Last Updated on December 3, 2018 by Dave Farquhar
I saw this on Slashdot today: A computer science student was expelled from a Canadian university for practicing what most people would call white-hat hacking.
Their reasoning: “Schools are supposed to teach best practice, which includes ethics and adherence to reasonable laws.” But there is such thing as ethical hacking.There are also security laws on the books, in multiple countries. This week the United Kingdom fined Sony $395K for not securing its systems and allowing it to get hacked. I’m actually surprised that the fine was that low.
The laws may be different in Canada, but in the United States there are laws that corporations and citizens must obey, including the Federal Sentencing Guidelines of 1991, which puts executives on the hook for up to $290 million if they don’t observe reasonable security practices.
Yes, that date is correct–these guidelines are more than 20 years old. The enforcement definitely appears to be selective at best, but the risk is there. It’s one of the first things a CISSP candidate learns.
The article is right, that people in the real world expect software architects to deal with a hostile environment, the same way building architects deal with hurricanes and earthquakes.
Schools that realize this and teach its software architects to deal with this hostile environment stand to do well in these troubled times. Schools that stay stuck in 1982 will eventually be left behind. Indeed, there’s pressure to teach hacking in school.
Here’s a true story from my world. When a potential client or employer interviews me, I pretty much expect the interviewer to ask, “Have you ever hacked into anything?” Of course the interviewer expects me to say yes.
I expect that question to soon evolve into, “Tell me about the last time you hacked into something.” And I expect the person with the best story to get the job. White-hat hacking isn’t just acceptable, it’s expected. I’ve even heard fellow CISSPs say white-hat hacking doesn’t go far enough. One went so far as to call white hats “useless,” and say you need someone who crosses a line from time to time–but stops short of doing any harm–to have someone who really knows something. This particular student may have strayed into gray-hat territory, but one colleague I respect greatly would argue there’s absolutely nothing wrong with that.
That’s the world college graduates are going to have to live and work in. Universities can’t wish it away, just like they can’t wish away earthquakes and tornadoes and hurricanes.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Where does grey stop and black begin?
Just what is a reasonable law and is it moral to pick and choose?
…..
“I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.”
Kevin Mitnick
Sounds like a blog post to me, but the short answer is viewing or changing data that would do harm is definitely black-hat. This student ran his test against a test server, then went to the vendor, so I have a hard time seeing how the student even crossed the line from white hat hacking into gray–let alone from gray into black. He harmed no data, and didn’t disclose the vulnerability to anyone who would misuse it.
You’re right that the university’s own words are on shaky legal ground. I think I can argue either side regarding the moral ground–that’s why I think that’s more appropriate as a blog post than as a comment. I’ll post that tomorrow. Thanks for the idea!