Tuesday, December 16, 2014

The Hacker

Hackers are depicted by the media as criminals.  It's a sad truth that hackers have to live with and will always fight against.  But to better describe the hidden culture that mainstream media has no interest in discovering, here is my own personal analogy.

My original analogy was that Hackers are like Butchers.   They both have skills that most people don't choose to learn.   They are both artists in their own way.    A butcher uses a potentially dangerous set of tools referred to as knives, most typically the butcher knife.    A hacker uses a set of potentially dangerous tools known as code, but most typically referred to as computers.

But why is a Hacker a criminal while a butcher is not?  While some people think it's a stupid question, there are many hackers that are still baffled by this question.   So here is my latest analogy that will be easier on the comic book movie fans.

Hackers are like superheroes.   They do things that most everyone cannot do and achieve things that were once thought to be unattainable.

In the computer security profession, we refer to the three hats...
White Hat
Gray Hat
Black Hat

The White hats are the good superheroes...the knights in white satin armor, Captain America and Superman.    They use their powers only for good while doing everything the nice way and playing by all the rules no matter the jurisdiction.

The Gray hats are the vigilante superheroes, like Batman and Rorschach.   They use their powers for the common good, but they don't care about playing by the rules as much as white hats.   Helping out society is more important than following the normal procedure to achieve such results.

The Black Hats are your evil superheroes (or super villains) like Lex Luthor or Magneto.  They are using their super powers for their own selfish purposes.  In today's world, that purpose is simple monetary gain.

The media's depiction of hackers typically defines them as Black Hat only.  They are the ones that are making all the bad apps in the App Store or Play Market that steal all of your banking information.  They are the ones that are wearing ski masks in front of the computer doing their best to take down the world with a few "simple" key strokes.   They are reverse engineering the software you love to find a vulnerability they can exploit.  Once they find that exploit, they eventually use it against society for their own selfish gain.

For example, a software vendor releases a new program that everyone likes to use or maybe it's a game everyone likes to play.    They do their best to program with security in mind, but there's always something that is overlooked and a company's project budgetary time line will always push a software release ahead of schedule.   A popular MMORPG I used to play actually released an expansion pack that wasn't even complete as they intended to just release the remainder of the pack later as a download instead of part of the CD distribution.   These releases will always have unseen vulnerabilities that have yet to be discovered.

The White Hats are the folks that are doing reputable security research and promptly reporting it to the "authorities" (aka the companies of which it concerns).  For example, a researcher finds a vulnerability in Microsoft software.  Microsoft welcomes such notifications so the vulnerability is quickly analysed and a software patch is released to resolve the vulnerability thus keeping the public as safe as possible.

This is referred to as "penetration testing" where they inform the security guards of the software realm that they can get in if they wanted to, but in an effort to play nice they did not do so.  But they are informing this company so they can fix the problem so a true villain doesn't cross that line.   Some companies like Belkin have started to offer "bounty" rewards where a cash prize will be given to the researcher that reports the existence of a vulnerability.   Various police jurisdictions have incorporated similar programs to better strengthen security of the community. 

The Gray Hats are somewhat in the middle between White and Black (go figure).  They tend to do things for fun, fame, or other reasons, but they also don't have any intention of endangering the general public.   So these superheroes are just as skilled as White and Black Hats, but their "ethics" are a tad looser in comparison.

Not all companies welcome such harsh testing of their own software.   Some companies actually refuse to acknowledge such vulnerabilities despite the evidence presented by ethical security researchers.  Sometimes the companies worry more about the negative publicity while others will worry about the cost to repair the threats it has created.

No matter the reasons, the Gray Hats believe it's more important that the public be protected from these threats, even if the company doesn't want to admit it.   They will reverse engineer software and hardware just out of curiosity and enjoyment, even if the vendor legally forbids such action.   They will break the rules just to prove their point and keep the public safe so long as their actions do not put the public in any further danger.

For example, a gray hat might attempt to penetrate your favorite App store or market.  In doing so, they would be able to prove to the vendor that they have an exploitable vulnerability that needs to be resolved to keep the rest of society as safe as possible.

A Black hat would just penetrate and then do whatever they could to profit from their actions...like post an evil app, replace a good app with their own evil version, or steal everyone's credit card or other personal information.

A White Hat wouldn't bother to do such research without the vendor's written permission.    They typically have a very reputable job and certifications that forbid them from breaking the rules like Gray Hats.

Pick your hat color....it doesn't matter....they are ALL hackers.

They all have an impressive skill in the world of computers.   It's what they do with that skill that determines the legality or illegality of their actions.

The media could, in theory, present both sides of the story.  But let's face it....the villain is always more interesting to talk about.

Every year, hackers meet in Las Vegas for a convention known as Defcon.    The conference covers a wide range of topics in the field of hacking.  But most of it is presented in a manner of "look what I was able to do" instead of learning how to do it yourself.   But in most every case, the topic presented is intended to show you just how easy it is to exploit a particular piece of hardware or software.  It gives the vendors something to think about and in some cases it blows the whistle on the vendors that would rather sweep it under the rug.

This conference is a great way to spark positive change in a "gray hat" sort of way.   A recent example is at Defcon of 2012 where a group of researchers developed a program that made it VERY easy to exploit nearby laptops while on a shared access point such as a coffee shop.   One might wonder, why would they do such a thing?  Why would they make it EASIER for the unskilled user to take advantage of other people?

The researchers addressed this issue in their presentation.  The vulnerability that they were exploiting was a vulnerability that was presented by many others in previous years.   The point of releasing such a tool was to get the vendor community to move further towards a resolution because despite all the time they've had to do so, they still haven't bothered to fix the issue.    In cases like these, when the White Hats can't get the job done, the Gray Hats give it their best shot in an attempt to stop the Black Hats from using the same issue against us all.

Hackers have shown us how easy it is to do almost anything we can imagine.  One year they demonstrated how easy it was to hack an ATM.  Shortly thereafter, there was no ATM within 10 miles that was not exploited.  No money was taken (probably), but the majority of exploits simply changed the presentation of the ATM screen similar to how web sites are defaced. 

I wore my Defcon shirt to work one day.  While in the elevator, a random stranger asked me what Defcon meant.  I told him it was a hacker convention in Las Vegas.  He said "Oh" and quickly averted his head, not saying another word as he exited the elevator as soon as possible.   No surprise there.   It's just the reaction we get because hackers are always misunderstood.

But without hackers, your phone wouldn't be as secure as it is now.  All the security updates you get from Microsoft would not be available as often and the bad guys would be able to steal all your money without any effort.   You wouldn't be able to shop online because the threats hackers have demonstrated have forced improvements in SSL technology to build the foundation certificate authorities are now selling to web sites like Amazon and eBay as a standard practice.

I support hackers...the good ones.  I fall along the lines of Gray Hat simply because there are certain ethical guidelines that I don't agree with.   White Hat forbids aggressive defense tactics.   This means if someone attacks you, you cannot attack back.   I just can't wrap my head around that.  One reason I like Arizona is because they are big on defending one's home and family.

According to the law there is a difference between physical attacks versus digital attacks...but I disagree.  I believe in defending my home no matter what.  The Gray Hat knows the computer fraud laws were created to defend corporations that need to protect their proprietary information so they know these laws should not apply to the home user that needs to protect their family and their networked devices.

Hackers showed us all via YouTube just how easy it is to "bump" a deadbolt lock that we all have on our doors.  They invented the credit card lock pick to unlock office doors as seen in movies.  They invented social engineering to manipulate people into willingly providing sensitive information to strangers.    Anything that manages to circumvent protective measures to achieve the same goal as using the intended protective measures is generally considered to be a hack.

There are now small workshops out there called "Hackerspaces."  They are places where people in the community go to make things and even hack things in a cooperative environment for learning and other positive purposes.   A hackerspace will often create a group of interested hackers to play in the occasional Capture the Flag events.

Capture the Flag events are contests built around various topics of computer security.  The main theory behind these games is now supported by college level professors: the best way to learn about security is to learn how to exploit computers.   Many experienced police officers and even federal agents will agree that the best officers/agents are the ones that know how to think like a criminal.

So Capture the Flag gives players a good experience of computer security without endangering or otherwise harming anything at all.  Universities have also begun to embrace CTF as it provides an incredibly valuable set of practice scenarios compared to only the theory that college can offer.

These people are hackers.

Hackers are leading the way to a safer tomorrow in a never-ending fight against the evil hackers that only want to rip you off.   Your view on hackers should only depend on the team you are rooting for.

Are you rooting for the villains, the vigilantes or the white knights?
