A couple of weeks ago, I posted a blog entry here about the thin line between a security researcher and “cracker”. About how the difference between “good guy” and “bad guy” gets blurred by things like corporate bounties for zero day exploits and law enforcement’s ideas on criminal prosecution. There’s another element to be considered as well.
Here’s the thing. Whoever gets their story out there first has some lead time to shape hearts and minds. The “Feds” are never EVER going to be first at this. They don’t GAF about hearts and minds, they care about facts and evidence. So when they finally speak up, it means they have something that will hold up in court. This can take months, possibly even years, and by the time they finally DO speak up, there’s going to be a sh*tstorm of public opinion to deal with. So nobody will believe them, because they didn’t put the time in on the PR side. Because their job is to enforce the laws, not to make you feel all warm and fuzzy while they do it.
But as observers in the court of opinion, we don’t really *know*, do we? Anyone who has been in a tight moral spot can empathize with the researcher, can understand that they might have been stepping outside the box in order to get a security issue taken seriously. But on the other hand, we have the authorities eventually speaking up and saying “Well, actually…” Could both sides be lying? Absolutely. Could both sides be telling the truth? After a fashion (once you start getting terminology clarified).
And when we run into a disconnect like this one, this is where our trust breaks down. This is where we have a step across the line that might be a bit too much too far. A “white hat” hacker trying to ensure a security hole is fixed, possibly trying to do the “right thing”, but the story as it continues to unfold suggests that the “right thing” put lives in danger. Not in the “I’m going to take you all down with me Mouhouhahaha” kind of danger, but the “Hey Ma, look, no hands!” kind of danger, where a situation itself is high-risk even if the intentions are benign.
And in the meantime it serves to reinforce the idea that hackers of any color hat are dangerous. They can lay hands on the keys to the city and cannot wholly be trusted not to use them. Their own moral compass (or thirst for knowledge, or love of puzzle-solving) may drive them to act for the greater good, circumventing much slower corporate processes but endangering lives (or personal information, or your nest egg) in the process.