Fear and Loathing in Information Security
by Michael D. Bauer, author of Linux Server Security, 2nd Edition
02/11/2005
http://www.oreillynet.com/lpt/a/5624

If I were to tell you that I'm proud to be a hacker, would you wish I was
dead? Last week I attended a speech by someone who just may, and while that
speech was offensive on more levels than I can address in one editorial, I
would like to talk about the demonization of hackers within the information
security ("infosec") profession. In my opinion, the time has come for
infosec professionals to stop fearing technology's boundary-pushers and for
hackers to stop pretending there's any glory in the crimes most of them are
too smart to want to commit in the first place.

The Speech

The speech that set me off took place at a local meeting of an information
security professional organization, and the presenter represented a
well-known vendor of intrusion-detection software. During his lengthy
address this person called competing security researchers "ankle-biters,"
suggested most users in Brazil are "miscreants," and expressed a desire to
use an Apache helicopter to "take all those morons out" (apparently meaning
hackers in general). While he was at it he referred to Eastern Europe as a
"country," ridiculed the weight problems of several young computer
criminals, and generally displayed what struck me as truly remarkable levels
of bigotry, anger, and ignorance.

I said I wasn't going to dwell on the specifics of this speech, outrageous
though it was. But I'm sure that the gist of what he was saying, that is,
that hackers are scum, resonated with some percentage of the audience, and
that's the part I want to address here.

Over-the-top invective aside, it wasn't the first time I've been exposed to
this attitude. Many people in my profession, even knowing that "hacker"
doesn't mean "criminal" any more than "locksmith" means "burglar,"
nonetheless fear and mistrust hackers. In the interest of trying to do
something about this rift, which I think serves no useful purpose, I'd like
to discuss why infosec practitioners demonize hackers, and why that tendency
is both irrational and counterproductive. As someone who identifies very
closely with the hacker community, I'll also share some ideas on what
hackers might do to help the situation.

Hacking Defined

I want to stress that the real problem here isn't one of vocabulary: it's
one of culture. But just to be safe, let me clarify what I mean by
"hackers": I mean people generally obsessed with solving problems with
computers and with determining for themselves how things really work. These
are people who see a computer or network not as a predictable,
black-and-white system regulated by strict rules, but rather as a nearly
infinite set of potentials limited only by its users' skills and
imaginations.


Hackers tend to employ unorthodox means of solving problems and learning
things. In fact, the very definition of a "hack" is "something that isn't
supposed to work but does." It therefore follows that whether they call
themselves such or not, many of the world's greatest engineers and
entrepreneurs throughout history have been hackers. Linus Torvalds is a
hacker icon; Neal Stephenson has argued that Lord Kelvin was a hacker too.
In summary, hackers are the world's boundary-pushers.

One quick note about where I fit in, since you'll notice I sometimes use the
word "we" when describing the hacker community. I consider myself a member
of both the hacker and professional infosec communities. I've presented at
both Def Con (twice) and at the Computer Security Institute's Annual
Conference, and while I am neither a programmer nor a penetration tester
(which by some people's definition disqualifies me from ever being an elite
hacker), I identify closely with the hacker values of creativity, curiosity,
knowledge-sharing, and exploration. I have this "dual citizenship" in common
with some of my most valued infosec colleagues. In no way do we condone any
crime or consort with known criminals, but of course that's the whole point
of this essay.

Boundary-Pushing: Sin or Virtue?

The reactionary element in information security understands this definition
of "hacker as boundary-explorer," and is perfectly capable of distinguishing
between people who live on the edge and people who cross the line. However,
we seem to be sharply divided over whether (a) pushing boundaries is a good
thing to be doing in the first place, and (b) it must inevitably lead to
crime.

Consider the popular hacker pastime of security research (or, more
precisely, vulnerability research). Security researchers attack, within the
confines of their own lab systems, operating systems and software
applications for the purpose of proactively identifying security
vulnerabilities so they can be patched against or otherwise mitigated. There
are, it seems, three prevailing points of view on security research.

Hackers, naturally, love security research: It's a constructive outlet for
some of their darker impulses, one with tangible benefits to society. Such
"full-disclosure" proponents believe we all benefit any time the "good guys"
find a new vulnerability, give affected vendors fair notice to release a
patch, and then notify the public so they can apply the patch or take other
corrective action. This ethos is exemplified (most of the time) by the
Bugtraq mailing list.

Vendors seem to have a somewhat more ambivalent attitude toward independent
security research. On the one hand, it provides free third-party quality
assurance testing. On the other hand, it can be really embarrassing,
depending on how obvious or egregious a given vulnerability is and on how
much advance notice the researcher truly gives.

Many people, however, including many information security professionals,
think it's simply wrong to abuse any system or application for any purpose,
even in a lab setting, unless it's conducted by whoever created that system
or application. People with this attitude tend to be highly suspicious of
the motivations of security researchers and tend to believe that "security
research" is actually a euphemism for "mischief."

Granted, I'm intentionally dodging some subtle controversies of the
full-disclosure movement, that is, precisely how much time a security
researcher should give a vendor to respond and release a patch before the
researcher publicizes a vulnerability, whether sample exploit code is ever
justifiable, and so on. My point is simply that vulnerability research is an
area that many people consider to be inherently conducive to abuse,
regardless of its usefulness, and that many people are uncomfortable not so
much with vulnerability testing's specific impact on Internet security, but
rather with the general idea of people pushing limits in this fashion.

And here we come down to fundamentally opposite realities. There are people
who think that vendors should be allowed exclusive control over security
testing on their products, and should be trusted to both admit to and fix
security problems whenever they find them. And there are people who think
that (a) software nowadays is too complex and the threats too numerous for
this to really work, and (b) it isn't necessarily in vendors' best interests
to do so anyhow.

The infosec purist, in other words, wants to believe what vendors tell him,
but the hacker wants to figure things out for herself. I believe this to be
one of the main sources, if not the primary source, of discomfort with
hackers.

The Corruptive Nature of Hacking

Perhaps less irrational than the fear of boundary-pushing is the belief that
hacking leads to crime. If you become too fascinated by how network attacks
work, the story goes, you'll eventually cave in to the temptation to conduct
those attacks. And it is an incontrovertible fact that many people who
commit computer crimes are hackers. But are they criminals because they're
hackers, or do they have other problems? I'm convinced of the latter.

I have nothing more scientific to base this belief on than my own experience
and observations (plus those of my friends), but as somebody who's spent a
lot of time researching and experimenting with network hacking, not to
mention securing large networks against intrusion, I think this counts for
something.

I started out as a network engineer. Early on I learned how TCP/IP works,
how Ethernet works, and how to use network diagnostic tools such as packet
sniffers. Even in my first year doing this type of work, I knew how to
eavesdrop on telnet sessions and to otherwise abuse the tools of my trade.
But I didn't abuse them; I respected the rights of my users and understood
the consequences of betraying my employer's trust.

After eight years of immersion in both information security and hacker
circles, I humbly submit that this level of awareness and ethics is typical
among hackers. Hackers who cross the line into illegal and unethical
behavior are, in my opinion, outside the mainstream of hacker culture. I'm
sure of this for two reasons.

First, anybody who understands how networks work knows that there's no such
thing as privacy or anonymity on the Internet, and that those who mess with
other people's systems will be caught eventually. Second, insofar as hacking
involves increasing and sharing knowledge, it's an altruistic pursuit for
most of its practitioners; abusing that knowledge generally runs contrary to
the hacker ethos.

So who, exactly, commits computer crimes? Mostly the very young or very
ignorant, I think. These are people who don't understand the ramifications
of what they're doing or how easily they can be caught. There are some bona
fide sociopaths; the hacker community is no more free of these than any
other segment of the human population. And yes, there is such a thing as an
evil hacker mastermind; the world surely contains highly skilled
professional computer criminals who seldom if ever get caught. Most people I
trust, however, believe there are relatively few hacker sociopaths and even
fewer evil hacker geniuses.

Conventional wisdom nowadays is that the vast majority of people who commit
computer crimes are in fact script kiddies, that is, people scarcely skilled
or creative enough to even be called hackers. If this is the case, that the
least skilled hackers are most prone to commit crimes, then can it really be
said that acquiring hacker skills leads to crime? I don't think so. It seems
to me that people who are inclined to commit computer crimes sometimes
acquire (limited) hacker skills, not the other way around.

The Notoriety Thing

Okay, so people's discomfort with hacking is their own problem, and most
hackers are in fact upstanding citizens. Then why do so many hackers like to
dress and act provocatively, and why is Kevin Mitnick treated like royalty
when he attends Def Con?

Personally, I think hackers' tendency to act out comes at least partly from
their being treated like outcasts. Hackers have been so misunderstood for so
long that we shouldn't be surprised when they cop a "to hell with mainstream
society" attitude. If you're going to be treated like a misfit, then you may
as well have some fun playing the part.

In this context, it becomes tempting even for otherwise-straight hacker
types to sympathize with actual techno-outlaws, especially when it seems
like the punishment meted out to them is disproportionate to their actual
crimes. For example, most hackers knew Mitnick deserved jail time, but few
felt he deserved to be held for four years, without bail, including eight
months in solitary confinement, before he was even brought to trial.
Personally, as I sat through that hate-filled speech last week, I found
myself starting to feel sorry for the young, misguided, and yes, even stupid
computer criminals whose photos the speaker ridiculed and excoriated; much
as I deplore their transgressions, they're still human beings for whom I
can't help but feel some compassion and even kinship. (There, but for a
happy childhood and some crucial mentoring early on, go I...)

Still, clearly it's wrong when hackers do or say things that implicitly or
explicitly condone illegal behavior. A few years ago a hacker named "Se7en"
got a lot of attention for claiming to be on a crusade to infiltrate the
systems of child pornographers for the purpose of shutting them down (though
by all accounts, Se7en's braggadocio was disproportionate to his actual
skill). More recently, the brilliant but misguided Adrian Lamo penetrated a
series of high-profile corporate networks for the purpose of demonstrating
their insecurity, and although in each case he worked with his "victims" to
fix the problems he found, the last of these (The New York Times) pressed
charges.

People like Mitnick, Se7en, and Lamo are, in real terms, well outside the
mainstream of hacker culture: Most hackers simply don't approve of messing
with other people's property, productivity, or freedom of speech. But
hackers do sometimes idealize people like Lamo because of their talent,
skill, or panache, and because of the aforementioned persecution thing.

This idealization is unfortunate. It impairs hackers' credibility and
ultimately reinforces people's misconceptions about hackers. So what I
suggest to the hacker community is this: Let's work a little harder to
downplay the notoriety angle, and be a little more vocal in condemning the
behavior of those few of us who cross the line from pushing boundaries to
breaking laws.

This doesn't mean we need to ostracize those who fall from grace; giving up
on people who make bad choices surely isn't any more altruistic than
computer crime is. I'm not suggesting that Kevin Mitnick be barred from
attending Def Con. In all honesty, I'm not entirely sure how to achieve what
I'm suggesting. My point is that there's still a lot of skepticism out there
with regard to the reality of hacker daily life, which for most of us
emphatically excludes illegal and unethical behavior, and the hacker
community must accept some responsibility for people's hesitating to give us
the benefit of the doubt.

Conclusions

My esteemed colleague the hacker-philosopher Richard Thieme says that
hackers, due to the very fact that they operate at the edges of what is
known (and especially of what is thought to be possible), are destined to be
misunderstood. Society has always treated innovators and whistle blowers
with ambivalence. Information security professionals, however, tasked as we
are with protecting critical infrastructures that everyone depends on, can't
afford the mental laziness of demonizing this important segment of the
technical community. For one thing, it's amply represented within our
profession: "They" can't all be enemies, because so many of "them" are in
fact "us." And that's a good thing. Hackers are arguably our biggest allies
in neutralizing and catching real live computer criminals.

If more information security professionals would free themselves of the
notion that the hacker mindset is morally wrong or that it inevitably leads
to crime, they could borrow or even learn themselves how to use hackerly
creativity and innovation in their efforts to protect and secure. Everyone
would benefit from that; nobody benefits from narrow-mindedness.

Michael D. Bauer is Network Security Architect for a large financial
services provider. He is also Security Editor for Linux Journal Magazine.