Wear a White Hat

by Sam Bowne  (sbowne@ccsf.edu)

Legal Note:  The opinions I express are my own, and should not be regarded as official positions of CCSF or any of my other employers.

I am certified by EC-Council and ISC2, and I am therefore bound by a code of ethics.[1]

When I applied to take an ISC2 exam, I was required to answer four questions about ethics, and only one of them troubled me: I was requested not to associate with hackers.

I refused to comply, and explained that I teach "ethical hacking" classes, give talks at DEFCON and other hacking conferences, and write articles for 2600, so I associate with hackers constantly.  However, I do not perform illegal hacking, and I don't encourage or condone it.  ISC2 accepted my explanation and approved me.

As I write this, it is February 2011, and the Anonymous criminal mob has just hacked HBGary Federal, publishing scandalous emails on the web.

The activities of HBGary were outrageous, planning to intimidate activists and political opponents of their clients by threatening their families and careers.[2]  Anonymous is consequently in a state of high morale, seeing themselves as both technically and morally superior to HBGary Federal.  But they aren't done yet.  Commander X, from Anonymous and the People's Liberation Front, is delighted to think that an HBGary member lives in fear of further attacks.[3]

So this is a cyberwar between two criminal gangs and, at the moment, Anonymous is winning.  But even if HBGary Federal is destroyed, the U.S. government and the Bank of America will surely find some other gang of mercenary black ops specialists to attack anyone who resists their agendas.

Both sides are wrong, and we are all losing.

Where are privacy, due process, and legal protections?  Any of us could be targeted by these gangs at any time: hacked and exposed, shamed, fired in disgrace, and hounded by masked, shadowy figures for years.

I refuse to accept this savage conflict and pick a side.  I am not a criminal, and neither HBGary Federal nor Anonymous can make me into one.  I want a world of law and order, in which people must be tried and convicted before they are punished.

My position has been seen as absurd by some other hackers; they regard me as cowardly and ridiculous, and they mock and abuse me.  But they have not convinced me to change.

I have a normal job at a college, and my students are also working for real companies or the military - none of us want to be outlaws.  We are on the other side: we are the people tasked with defending and upholding society as it is now.  We are correctly labeled "ethical hackers" because we understand how computer attacks work, and use that knowledge to defend systems.  Our duty is to be "as wise as a serpent, and as innocent as a dove."

The temptation to become an outlaw is very strong right now.

For a decade, our government has used its propaganda machine to make us all very afraid, so we no longer expect Fourth Amendment protections.  The "emergency" is so dire that our leaders cannot afford the luxury of ethics.  And the business world has learned the lesson well, gleefully embracing illegal and unethical tactics to gain short-term profits.  A generation raised on graphic novels easily accepts vigilante heroes as the answer, but that path will not lead to the civilized society I want.

When you live in a neighborhood ruled by street gangs, the easiest way to survive is to join a gang yourself.  But that just maintains the system - a higher path is to stand for good principles and refuse all the gangs.

What do you want?

If you want money, you can just steal it.  If you want to destroy a company, you can just hack it.  But if you want to live in a free and peaceful society, where people are innocent until proven guilty, you must first live by those principles yourself.

References

  1. ISC2: Code of Ethics
  2. bit.ly/gYUnRs
  3. bit.ly/gzengo