In his introduction to the book Secrets of a Super Hacker, writer Gareth Branwyn talks of the different images that hackers have had throughout the thirty-odd years prior to the book's publication. He mentions how in the 60s and 70s hackers had the profile of "independent scientists." Their ethics centered on the belief that every hacker should have access to the information and tools that would help them improve society. This benevolent goal is reflected in the first meaning of hacking, used by engineering students, which was to find a way to optimize the technology under study.
Well-intentioned hackers not only worked with their entitlement to information in mind but also with mankind's. In the book, authored by the hacker known as The Knightmare, ideals of human rights regarding the free flow of information are mentioned. These include that everyone be made aware of the information that exists, be given free access to it and have their ideas and questions heard. And each individual should be able to control how their own personal information is used. The author then provides a definition of hacking as the pursuit of these and related ideals by using computers. It's easy for us now to see the attitude of early hackers present in the Cyberpunk and the Anonymous manifestos.
Branwyn explores the different myths that have fueled hacker fantasies of being tech-enabled nomads in an unforgiving world, such as the hacker as a cowboy, pirate or cyborg. I would expect you also find the image of the hacker as hero the most compelling. In a society where those with brains are mocked and hurt by those with brawn, the computer "nerd" finds in cyberspace a place where they are allowed to be the badass who defeats the latter to help people regain their freedom.
Still, the actions of hacktivists and the like spark mixed feelings in people, feelings kindled by the media and perhaps matching people's own political inclinations. What may cause less divisive opinions are the crimes committed by malicious hackers. It was in the 80s and 90s that the prosecution and waves of arrests of computer-savvy individuals with less-than-honorable intentions started in earnest.
In the book, it was foreseen that in the future computer terrorism would present itself in a significant way. It has, all right. Today we have already heard many different names of ransomware gangs and know that cyberattacks of many kinds are happening worldwide at this very moment, representing a considerable cost to victims. Meanwhile, cybersecurity is forever trying to counteract the force of cybercrime.
To fight against malicious threat actors, the best bet has been to test system security preventively through the eyes of the attacker. Luckily for cybersecurity, hacking can be done legally today. Regular readers of this blog may remember our post "Think like a hacker!" There, we urge organizations to understand how malicious hackers work, as well as to hire professionals to try to penetrate the organizations' defenses and report the weaknesses they detect. The strategy of hiring well-meaning hackers to do good is far from new. And it was striking to me, as it might be to you too, to learn that in the beginning these hackers were often cybercriminals who had cleaned up their act. The hired hackers formed "tiger teams" and helped governments and agencies improve their cybersecurity. Also from the beginning, there have been hackers who work as self-appointed security checkers and tip off firms about security problems in their systems.
With so much information and gratification to be gained from hacking into systems, it is a great feat of white hat hackers that they do not let curiosity get the better of them and instead abide by some code of ethics. Yet we could wonder whether such a code is one that needs to be expressly spelled out in, say, official documents. Actually, as journalist Steven Levy wrote in a book chapter titled "The hacker ethic," neither manifestos nor missionaries had to drill principles into the early hacker community; rather, "[t]he computer did the converting." It's possible to relate this to what some authors argue, namely, that as computing expertise develops, so grows the respect for computers and information, and that a lack of ability and of respect toward the integrity of systems is looked down upon by white hat hackers.
But a problem which may justify formulating an ethics of hacking is that the work of malicious hackers and that of ethical hackers demand the same aptitudes. We have sketched elsewhere the behavior that both groups demonstrate: patience, determination, cleverness and curiosity during exploration and exploitation processes. A reinforcer of these behaviors may be the pleasure present in complex feelings of pride in oneself and of recognition (both apparent in the narrations of The Knightmare). Where do we draw the line? Well, one commonly referenced trigger of computer criminal behavior appears to be greed. And this aligns with the primary motivation of cyberattacks, which is most often monetary gain. Other than that, considering motivations like political dissatisfaction, risk-taking, reputation building or war seems to take us back to square one. The stark difference may be found instead in the effects of each group's practices. Ethics enters the stage, then, to regulate hackers in this regard.
Fortunately, we're not short of codes of ethics to choose from. Most conveniently, The Knightmare's is appropriate here, as it considers the effects of hacker practice. It states the following principles, which I paraphrase from the author:
A hacker should never willfully harm, alter or damage any technology or person.
In case damage has been done, the hacker should correct it and then avoid doing the same damage again.
A hacker should not profit unfairly from a hack and should not let others do so.
A hacker should inform system owners of the security vulnerabilities and weaknesses found.
A hacker should teach when asked to teach, and share when they have knowledge to spread. (The author adds: "This isn't necessary, it is politeness.")
A hacker should be aware of their potential vulnerability in all computing environments, even in the role of hacker. "Act discreetly," the author says.
A hacker should persevere but not be stupid nor take greedy risks.
Also, The Knightmare offers a couple of tips. One is to surround oneself with people who follow the same code or a similar one. Another is to show honesty and compassion in one's actions, which will lead others to act in the same way and spare the hacker the troubles that may arise from unkindness.
Some time has passed since Secrets of a Super Hacker came out. The context has evolved, and among the changes is the affiliation (and certification) of ethical hackers. As I said, there are plenty more codes of ethics, and they may offer some items that could be added to the list above. For example, the Electronic Commerce Council (EC-Council), which issues the Certified Ethical Hacker (CEH) certifications, offers its own code of ethics. Among its code's 18 items, this institution asks hackers to respect intellectual property, avoid using illegal software or processes, gain prior consent from clients to collect and handle information during hacking, check that their (the hacker's) abilities are up to the tasks, manage projects well, not associate with black hat hackers, and not have been convicted of any felony or of violating the law of the land. Moreover, some institutions, like GIAC, which issues several information security certifications, officially state that they will investigate violations of their code of ethics and subject the transgressor to a course of discipline.
To conclude, even though hacking was born a benevolent undertaking (and though it may seem that codes of ethics merely underscore being a decent person), it is now part of a legitimate professional path. As with the activities of any other profession, which may also cross the line into corruption, it serves the hackers' and their clients' interests a great deal to try to guarantee that the work is done with the good of the systems, their users and their owners in mind.
Fluid Attacks' certified ethical hackers and vulnerability scanner look for vulnerabilities in your system continuously and throughout your software development lifecycle (SDLC). Contact us to ask about our service.