fbpx

Tag Archive for hacker

Single Point or Continuum

 

http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

A couple of weeks ago, I posted a blog entry here about the thin line between a security researcher and “cracker”.  About how the difference between “good guy” and “bad guy” gets blurred by things like corporate bounties for zero day exploits and law enforcement’s ideas on criminal prosecution.  There’s another element to be considered as well.

SPIN.

Here’s the thing.  Whomsoever gets their story out there first has some lead time to shape hearts and minds.  The “Feds” are never EVER going to be first at this.  They don’t GAF about hearts and minds, they care about facts and evidence.  So when they finally speak up, it means they have something that will hold up in court.  This can take months, possibly even years and by the time they finally DO speak up, there’s going to be a sh*tstorm of public opinion to deal with.  So nobody will believe them, because they didn’t put the time in on the PR side.  Because their job is to enforce the laws, not to make you feel all warm and fuzzy while they do it.

But as observers in the court of opinion, we don’t really *know*, do we? Anyone who has been in a tight moral spot can empathize with the researcher, can understand that they might have been stepping outside the box in order to get a security issue taken seriously.  But on the other hand, we have the authorities eventually speaking up and saying “Well, actually…”  Could both sides be lying?  Absolutely.  Could both sides be telling the truth?  After a fashion (once you start getting terminology clarified).

And when we run into a disconnect like this one, this is where our trust breaks down.  This is where we have a step across the line that might be a bit too much too far.  A “white hat” hacker trying to ensure a security hole is fixed, possibly trying to do the “right thing”, but the story as it continues to unfold suggests that the “right thing” put lives in danger.  Not in the “I’m going to take you all down with me Mouhouhahaha” kind of danger, but the “Hey Ma, look, no hands!” kind of danger, where a situation itself is high-risk even if the intentions are benign.

And in the meantime it serves to reinforce the idea that hackers of any color hat are dangerous.  They can lay hands on the keys to the city and cannot wholly be trusted not to use them.  Their own moral compass (or thirst for knowledge, or love of puzzle-solving) may drive them to act for the greater good, circumventing much slower corporate processes but endangering lives (or personal information, or your nest egg) in the process.

The very fine line

https://www.techdirt.com/articles/20150420/05585630727/fbi-united-airlines-shoot-messenger-after-security-researcher-discovers-vulnerabilities-airplane-computer-system.shtml

The above caught my attention the other day, in part because I have an ongoing fascination with transitional spaces.  Those grey areas which aren’t quite “good guy” and not quite “bad guy”.  Most of the ones I encounter are legal grey spaces (rather than moral ones).  A law or a rule has been placed in place that is ignored if the rulebreaker is working for the greater good, and enforced when the rulebreaker is operating with malicious intent.  Needless to say, this kind of inconsistent enforcement can become a problem, especially if clear secondary boundaries are not set.

Take (as a similar example) the bounties that companies like MSFT and Facebook place on finding security holes in their software.  There are potential criminal penalties for finding and exploiting these holes, but if you find one and are the first one to report it (I’m over simplifying here, I’m aware) there is often a bounty awarded.  In both cases, the act of hacking the software is technically illegal (again, oversimplifying), but the company chooses to reward one instance and persecute another (which makes sense, right?  One hack is by a good-guy, helping to make the software more secure, the other is the bad guy, exploiting the hack for personal gain).

But because of these inconsistencies, the laws get hard to enforce.  Law enforcement and the corporate interests may not align.  Hackers and crackers may switch hats with regularity, working on “white hat” projects and “black hat” projects simultaneously or in turn, depending where their interests lie and because of this, law enforcement tends to regard most (if not all) of them with equal suspicion, leading to incidents like the one above.