The debate over Ethical Hacking goes on with increasing fury. It rages on convention panels, on TV shows, in blogs, and in security companies' lunchrooms everywhere.
The debates rage all over, except where it counts: in the legislative bodies wherever they may be.
Criminals or heroes, common sense versus legal philosophies, ownership issues, and other elements all tie into this debate, which sometimes loses focus on what the real issue is: the broken bridge between two worlds, the technical world and the corporate world. Two groups that speak completely different languages, unable to convey their point of view in a way that could even be appreciated by the other side.
“What do property issues have to do with security?” the hackers might ask. “We’re only helping.”
The corporate managers might look dumbly and shrug. “Property is for the lawyers,” they will say, “Security? Well, we have an IT department for that.”
I’m reminded of Eric McCarthy. Eric discovered a security breach that allowed access to the personal details of 275,000 past and present potential USC students. He was jailed and his white-hat wings were clipped, as were those of everyone who thought of following in his footsteps. In a common-sense, utopian world (i.e., one with no “bean counters”) he would have been hailed as a hero.
We’ve also read about Daniel Cuthbert (a.k.a. the “Tsunami Hacker”, a nickname preying on too many movie stereotypes). He was found guilty of what his defense team characterized as knocking on the door. It makes a lot of sense to a lot of people. Daniel, and others like him all over the world, did a “good” thing. He ensured for all of us, you and me, that a site which asks for our confidence indeed deserves it.
I’m relaying these two reminders to make a point: this discussion is not theoretical. Real people get into real entanglements with the law over hacking and voluntary testing.
An analogy: Timmy walks past the bank at 2AM and passes the back door. Concerned about his money's security, he tries the latch. The latch opens! Timmy calls the bank and reports the unlocked door. But before he does that, he looks inside. He sees another door. He decides to walk in, to make sure that this door is locked as well.
Now he’s breaking and entering. He just wanted to alert the bank to all the potentially unlocked doors, he could later claim at his trial.
He shouldn’t have checked the door at all, some would say.
Ok, no problem. Analogy amendment: Timmy walks by and sees the latch open, and the door ajar. He suspects the bank is not properly caring for his money and decides…
Never mind. Another analogy. Question: if I walk into a supermarket and squeeze the avocados, do I cause the supermarket harm?
Well, potentially, yes.
I could spoil the avocado because I am an inexperienced squeeze-tester. And even if I’m an expert squeezer, should I then go on and squeeze all the avocados? The supermarket could claim a loss, because there are customers who like their avocados very ripe.
Ok. Forget avocados. How about a bag of potato chips? The manufacturers invite us to report any bags whose contents spoiled under normal use and storage conditions. They expect faults and expect people to find them. Surely testing the bags wouldn’t be an issue.
It gets more complicated and rather irrelevant from here.
That’s the problem, isn’t it? Real-world, common-sense analogies don’t work for the virtual world. They get more and more complicated. We try twisting and turning, elaborating, and refining the conditions, to no avail. For most of us, trying to extract information through a web-page after you have lawfully logged in, just to test a service’s security, is not like walking into the bank to check the locks on all the safe-deposit boxes.
We argue back and forth about whether it's right or wrong to punish people for curiosity-triggered pen-testing, and whether “ethically” we should or shouldn't be allowed to do so.
But why is the debate not raging in the halls of the legislature? Why is it solely the domain of security magazines and expert bloggers? Because it’s not interesting.
The whole “why can’t I test my own web-account security” debate isn’t interesting to government representatives (as long as their own bank accounts don't get hacked...).
The courts rely on precedent. A judge takes the vast volumes of law generated by decades of legislation and tries to fit the case at hand into one of the available boxes. Judges have to match the charges against some hyper-complex yardstick to see whether the charges are valid or not, and to do so they have to rely on simple, real-world comparisons.
I’ve read a complaint about Law vs. Justice in Daniel Cuthbert’s case. Today, the contents of the web-application belong to the provider. Period. That being the case, the question brought before the court is completely different.
It isn’t 'Ethical Hacking' that was contested. It was 'Uninvited Ethical Hacking': the testing of a web-site that is someone else’s property without being invited to do so.
In the case of our bank, the bank did not ask anyone to go around checking the door. The potato-chips manufacturer asked us to report any problems, but it did not ask for vigilante QA engineers to test the freshness of its products. The supermarket doesn’t want you to touch an avocado you have no intention of buying. Any judge, however understanding and sympathetic, would have no choice but to fine Daniel and send Eric to jail.
The law itself must be changed to reflect the nature and concerns of virtual services like web-applications. Without a clear separation of the web from avocados and potato chips, we will need to find different ways to satisfy the demand for increased security of our web-based information. As technical people, most of us try to find technical solutions. It’s hard to admit, but there seems to be no technical solution to this problem. This may be a task more suitable for PR firms, lobbyists and politicians.