Friday, October 14, 2011

Wear a White Hat

Legal note: the opinions I express are my own, and should not be
regarded as official positions of CCSF or any of my other employers.

I am certified by E-C Council and (ISC)^2,
and I am therefore bound by a Code of Ethics (ref. 1).
When I applied to take an (ISC)^2 exam, I was required to answer four
questions about ethics, and only one of them troubled me: I was
requested not to associate with hackers. I refused to comply,
and explained that I teach "ethical hacking" classes, give talks
at Defcon and other hacking conferences, and write articles for 2600,
so I associate with hackers constantly. However, I do not perform illegal hacking, and I don't encourage
or condone it. (ISC)^2 accepted my explanation and approved me.

As I write this, it is Feb 2011, and the Anonymous criminal mob
has just hacked HB Gary Federal, publishing scandalous emails on
the Web. The activities of HB Gary were outrageous, planning
to intimidate activists and political opponents of their clients
by threatening their families and careers (ref. 2). Anonymous is
consequently in a state of high morale, seeing themselves as
both technically and morally superior to HB Gary Federal. But they
aren't done yet--Commander X, from Anonymous and the
People's Liberation Front, is delighted to think that an HB Gary member lives in fear of further attacks (ref. 3).

So this is a cyber-war between two criminal gangs, and at the moment,
Anonymous is winning. But even if HB Gary Federal is destroyed, the
US government and the Bank of America will surely find some
other gang of mercenary black ops specialists to attack anyone
who resists their agendas.

Both side are wrong, and we are all losing. Where are privacy, due process, and legal protections? Any of us could be targeted by these gangs at any time; hacked and
exposed, shamed, fired in disgrace, and hounded by masked, shadowy
figures for years.

I refuse to accept this savage conflict and pick a side.
I am not a criminal, and neither HB Gary Federal nor Anonymous can
make me into one. I want a world of law and order, in which
people must be tried and convicted before they are punished.

My position has been seen as absurd by some other hackers;
they regard me as cowardly and ridiculous, and they mock and
abuse me. But they have not convinced me to change.

I have a normal job at a college, and my students are also
working for real companies or the military--none of us want
to be outlaws. We are on the other side: we are the people
tasked with defending and upholding society as it is now.
We are correctly labeled "ethical hackers" because we
understand how computer attacks work, and use that knowledge
to defend systems. Our duty is to be "as wise as a serpent,
and as innocent as a dove".

The temptation to become an outlaw is very strong right now.
For a decade, our government has used its propaganda machine
to make us all very afraid, so we no longer expect Fourth
Amendment protections-- the "emergency" is so dire, that our
leaders cannot afford the luxury of ethics. And the
business world has learned the lesson well, gleefully
embracing illegal and unethical tactics to gain short-term
profits. A generation raised on graphic novels easily
accepts vigilante heroes as the answer, but that path will
not lead to the civilized society I want.

When you live in a neighborhood ruled by street gangs, the
easiest way to survive is to join a gang yourself. But
that just maintains the system--a higher path is to stand
for good principles and refuse all the gangs.

What do you want? If you want money, you can just steal it.
If you want to destroy a company, you can just hack it.
But if you want to live in a free and peaceful society,
where people are innocent until proven guilty, you must
first live by those principles yourself.



This article first appeared in 2600 magazine.

1 comment:

  1. kill yourself Sam what have you ever talked about at Def Con? How to code basic HTML?