Dailydave mailing list archives
Fwd: Fear and Loathing in Information Security
From: Anthony Zboralski <bcs2005 () bellua com>
Date: Sat, 12 Feb 2005 14:50:01 +0700
Published on O'Reilly Network (http://www.oreillynet.com/)
http://www.oreillynet.com/pub/a/network/2005/02/11/mbauer_1.html
Fear and Loathing in Information Security
by Michael D. Bauer, author of Linux Server Security, 2nd Edition
02/11/2005
If I were to tell you that I'm proud to be a hacker, would you wish I
was dead? Last week I attended a speech by someone who just may, and
while that speech was offensive on more levels than I can address in
one editorial, I would like to talk about the demonization of hackers
within the information security ("infosec") profession. In my opinion,
the time has come for infosec professionals to stop fearing
technology's boundary-pushers and for hackers to stop pretending
there's any glory in the crimes most of them are too smart to want to
commit in the first place.
The Speech
The speech that set me off took place at a local meeting of an
information security professional organization, and the presenter
represented a well-known vendor of intrusion-detection software. During
his lengthy address this person called competing security researchers
"ankle-biters," suggested most users in Brazil are "miscreants," and
expressed a desire to use an Apache helicopter to "take all those
morons out" (apparently meaning hackers in general). While he was at it
he referred to Eastern Europe as a "country," ridiculed the weight
problems of several young computer criminals, and generally displayed
what struck me as truly remarkable levels of bigotry, anger, and
ignorance.
I said I wasn't going to dwell on the specifics of this speech,
outrageous though it was. But I'm sure that the gist of what he was
saying, that is, that hackers are scum, resonated with some percentage
of the audience, and that's the part I want to address here.
Over-the-top invective aside, it wasn't the first time I've been
exposed to this attitude. Many people in my profession, even knowing
that "hacker" doesn't mean "criminal" any more than "locksmith" means
"burglar," nonetheless fear and mistrust hackers. In the interest of
trying to do something about this rift, which I think serves no useful
purpose, I'd like to discuss why infosec practitioners demonize
hackers, and why that tendency is both irrational and
counterproductive. As someone who identifies very closely with the
hacker community, I'll also share some ideas on what hackers might do
to help the situation.
Hacking Defined
I want to stress that the real problem here isn't one of vocabulary:
it's one of culture. But just to be safe, let me clarify what I mean by
"hackers": I mean people generally obsessed with solving problems with
computers and with determining for themselves how things really work.
These are people who see a computer or network not as a predictable,
black-and-white system regulated by strict rules, but rather as a
nearly infinite set of potentials limited only by its users' skills and
imaginations.
Hackers tend to employ unorthodox means of solving problems and
learning things. In fact, the very definition of a "hack" is "something
that isn't supposed to work but does." It therefore follows that
whether they call themselves such or not, many of the world's greatest
engineers and entrepreneurs throughout history have been hackers. Linus
Torvalds is a hacker icon; Neal Stephenson has argued that Lord Kelvin
was a hacker too. In summary, hackers are the world's boundary-pushers.
One quick note about where I fit in, since you'll notice I sometimes
use the word "we" when describing the hacker community. I consider
myself a member of both the hacker and professional infosec
communities. I've presented at both Def Con (twice) and at the Computer
Security Institute's Annual Conference, and while I am neither a
programmer nor a penetration tester (which by some people's definition
disqualifies me from ever being an elite hacker), I identify closely
with the hacker values of creativity, curiosity, knowledge-sharing, and
exploration. I have this "dual citizenship" in common with some of my
most valued infosec colleagues. In no way do we condone any crime or
consort with known criminals, but of course that's the whole point of
this essay.
Boundary-Pushing: Sin or Virtue?
The reactionary element in information security understands this
definition of "hacker as boundary-explorer," and is perfectly capable
of distinguishing between people who live on the edge and people who
cross the line. However, we seem to be sharply divided over whether (a)
pushing boundaries is a good thing to be doing in the first place, and
(b) it must inevitably lead to crime.
Consider the popular hacker pastime of security research (or, more
precisely, vulnerability research). Security researchers attack, within
the confines of their own lab systems, operating systems and software
applications for the purpose of proactively identifying security
vulnerabilities so they can be patched against or otherwise mitigated.
There are, it seems, three prevailing points of view on security
research.
Hackers, naturally, love security research: It's a constructive outlet
for some of their darker impulses, one with tangible benefits to
society. Such "full-disclosure" proponents believe we all benefit any
time the "good guys" find a new vulnerability, give affected vendors
fair notice to release a patch, and then notify the public so they can
apply the patch or take other corrective action. This ethos is
exemplified (most of the time) by the Bugtraq mailing list.
Vendors seem to have a somewhat more ambivalent attitude toward
independent security research. On the one hand, it provides free
third-party quality assurance testing. On the other hand, it can be
really embarrassing, depending on how obvious or egregious a given
vulnerability is and on how much advance notice the researcher truly
gives.
Many people, however, including many information security
professionals, think it's simply wrong to abuse any system or
application for any purpose, even in a lab setting, unless it's
conducted by whoever created that system or application. People with
this attitude tend to be highly suspicious of the motivations of
security researchers and tend to believe that "security research" is
actually a euphemism for "mischief."
Granted, I'm intentionally dodging some subtle controversies of the
full-disclosure movement, that is, precisely how much time a security
researcher should give a vendor to respond and release a patch before
the researcher publicizes a vulnerability, whether sample exploit code
is ever justifiable, and so on. My point is simply that vulnerability
research is an area that many people consider to be inherently
conducive to abuse, regardless of its usefulness, and that many people
are uncomfortable not so much with vulnerability testing's specific
impact on Internet security, but rather with the general idea of people
pushing limits in this fashion.
And here we come down to fundamentally opposite realities. There are
people who think that vendors should be allowed exclusive control over
security testing on their products, and should be trusted to both admit
to and fix security problems whenever they find them. And there are
people who think that (a) software nowadays is too complex and the
threats too numerous for this to really work, and (b) it isn't
necessarily in vendors' best interests to do so anyhow.
The infosec purist, in other words, wants to believe what vendors tell
him, but the hacker wants to figure things out for herself. I believe
this to be one of the main sources, if not the primary source, of
discomfort with hackers.
The Corruptive Nature of Hacking
Perhaps less irrational than the fear of boundary-pushing is the belief
that hacking leads to crime. If you become too fascinated by how
network attacks work, the story goes, you'll eventually cave in to the
temptation to conduct those attacks. And it is an incontrovertible fact
that many people who commit computer crimes are hackers. But are they
criminals because they're hackers, or do they have other problems? I'm
convinced of the latter.
I have nothing more scientific to base this belief on than my own
experience and observations (plus those of my friends), but as somebody
who's spent a lot of time researching and experimenting with network
hacking, not to mention securing large networks against intrusion, I
think this counts for something.
I started out as a network engineer. Early on I learned how TCP/IP
works, how Ethernet works, and how to use network diagnostic tools such
as packet sniffers. Even in my first year doing this type of work, I
knew how to eavesdrop on telnet sessions and to otherwise abuse the
tools of my trade. But I didn't abuse them; I respected the rights of
my users and understood the consequences of betraying my employer's
trust.
After eight years of immersion in both information security and hacker
circles, I humbly submit that this level of awareness and ethics is
typical among hackers. Hackers who cross the line into illegal and
unethical behavior are, in my opinion, outside the mainstream of hacker
culture. I'm sure of this for two reasons.
First, anybody who understands how networks work knows that there's no
such thing as privacy or anonymity on the Internet, and that those who
mess with other people's systems will be caught eventually. Second,
insofar as hacking involves increasing and sharing knowledge, it's an
altruistic pursuit for most of its practitioners; abusing that knowledge
generally runs contrary to the hacker ethos.
So who, exactly, commits computer crimes? Mostly the very young or very
ignorant, I think. These are people who don't understand the
ramifications of what they're doing or how easily they can be caught.
There are some bona fide sociopaths; the hacker community is no more
free of these than any other segment of the human population. And yes,
there is such a thing as an evil hacker mastermind; the world surely
contains highly-skilled professional computer criminals who seldom if
ever get caught. Most people I trust, however, believe there are
relatively few hacker sociopaths and even fewer evil hacker geniuses.
Conventional wisdom nowadays is that the vast majority of people who
commit computer crimes are in fact script kiddies, that is, people
scarcely skilled or creative enough to even be called hackers. If this
is the case, that the least skilled hackers are most prone to commit
crimes, then can it really be said that acquiring hacker skills leads
to crime? I don't think so. It seems to me that people who are inclined
to commit computer crimes sometimes acquire (limited) hacker skills,
not the other way around.
The Notoriety Thing
Okay, so people's discomfort with hacking is their own problem, and
most hackers are in fact upstanding citizens. Then why do so many
hackers like to dress and act provocatively, and why is Kevin Mitnick
treated like royalty when he attends Def Con?
Personally, I think hackers' tendency to act out comes at least partly
from their being treated like outcasts. Hackers have been so
misunderstood for so long that we shouldn't be surprised when they cop
a "to hell with mainstream society" attitude. If you're going to be
treated like a misfit, then you may as well have some fun playing the
part.
In this context, it becomes tempting even for otherwise-straight hacker
types to sympathize with actual techno-outlaws, especially when it
seems like the punishment meted out to them is disproportionate to
their actual crimes. For example, most hackers knew Mitnick deserved
jail time, but few felt he deserved to be held for four years, without
bail, including eight months in solitary confinement, before he was
even brought to trial. Personally, as I sat through that hate-filled
speech last week, I found myself starting to feel sorry for the young,
misguided, and yes, even stupid computer criminals whose photos the
speaker ridiculed and excoriated; much as I deplore their
transgressions, they're still human beings for whom I can't help but
feel some compassion and even kinship. (There, but for a happy
childhood and some crucial mentoring early on, go I...)
Still, clearly it's wrong when hackers do or say things that implicitly
or explicitly condone illegal behavior. A few years ago a hacker named
"Se7en" got a lot of attention for claiming to be on a crusade to
infiltrate the systems of child pornographers for the purpose of
shutting them down (though by all accounts, Se7en's braggadocio was
disproportionate to his actual skill). More recently, the brilliant but
misguided Adrian Lamo penetrated a series of high-profile corporate
networks for the purpose of demonstrating their insecurity, and
although in each case he worked with his "victims" to fix the problems
he found, the last of these (The New York Times) pressed charges.
People like Mitnick, Se7en, and Lamo are, in real terms, well outside
the mainstream of hacker culture: Most hackers simply don't approve of
messing with other people's property, productivity, or freedom of
speech. But hackers do sometimes idealize people like Lamo because of
their talent, skill, or panache, and because of the aforementioned
persecution thing.
This idealization is unfortunate. It impairs hackers' credibility and
ultimately reinforces people's misconceptions about hackers. So what I
suggest to the hacker community is this: Let's work a little harder to
downplay the notoriety angle, and be a little more vocal in condemning
the behavior of those few of us who cross the line from pushing
boundaries to breaking laws.
This doesn't mean we need to ostracize those who fall from grace;
giving up on people who make bad choices surely isn't any more
altruistic than computer crime is. I'm not suggesting that Kevin
Mitnick be barred from attending Def Con. In all honesty, I'm not
entirely sure how to achieve what I'm suggesting. My point is that
there's still a lot of skepticism out there with regard to the reality
of hacker daily life, which for most of us emphatically excludes
illegal and unethical behavior, and the hacker community must accept
some responsibility for people's hesitating to give us the benefit of
the doubt.
Conclusions
My esteemed colleague the hacker-philosopher Richard Thieme says that
hackers, due to the very fact that they operate at the edges of what is
known (and especially of what is thought to be possible), are destined
to be misunderstood. Society has always treated innovators and
whistleblowers with ambivalence. Information security professionals, however,
tasked as we are with protecting critical infrastructures that everyone
depends on, can't afford the mental laziness of demonizing this
important segment of the technical community. For one thing, it's amply
represented within our profession: "They" can't all be enemies, because
so many of "them" are in fact "us." And that's a good thing. Hackers
are arguably our biggest allies in neutralizing and catching real live
computer criminals.
If more information security professionals would free themselves of the
notion that the hacker mindset is morally wrong or that it inevitably
leads to crime, they could borrow or even learn themselves how to use
hackerly creativity and innovation in their efforts to protect and
secure. Everyone would benefit from that; nobody benefits from
narrow-mindedness.
Michael D. Bauer is Network Security Architect for a large financial
services provider. He is also Security Editor for Linux Journal
Magazine.
--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62 21 391 8330 HP: +62 818 699 084
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave