Defining hacker is like trying to define American. There is a pretty good stereotype but in reality there is much more diversity than meets the eye. That said, here is my stereotype.
Computer Hacker: Person who either breaks down or builds up technology for specialized use. A hacker doesn’t play by the implied rules of software or services. Sometimes hackers have to gain access to a restricted area to be able to modify the technology the way they see fit.
The idea of Ethical Computer Hacking is fundamentally flawed. By their very nature, hackers don’t play by the rules, which makes calling the activity ethical a challenge. However, the word ethical is up for interpretation. There are entire classes on ethics, so it is not a topic that can be taken lightly. Ethical hacking is a lot of unethical behaviors whose final product is used only for good or ethical purposes.
Take social engineering for example. In the movie Takedown (2000), Kevin Mitnick calls an engineer pretending to be someone else. The goal was to get information about a computer system in that employee’s company. Several lies later, the person finds Kevin generally likable and decides to break the rules and hand over information they should not. That particular attack would not be possible if it were moral. The fact that the hacker has to lie and deceive makes it unethical. Had this been a test to make the engineer’s company aware of their weakest entry point, the final product would be for the greater good. Social engineering is particularly hard to include in ethical hacking because the victim, regardless of the test, is usually left feeling violated.
Penetration testing or pentesting is a form of ethical hacking. Since it is just a test, this activity can be considered moral. This activity can go very wrong if a few rules are not followed.
1. Pentesters must first describe the details of their test to their victim and get written consent to perform their test from an authority figure.
2. Pentesters have to be familiar with the tools they are using. They have to understand the source and any potential side effects. Lots of available exploits overwrite memory on the victim’s computer, which could cause data loss or a service outage. Also, these tools can be embedded with code that uploads the vulnerabilities to a Black Hat.
3. Pentesters have to release all of their results from the test, but only to the predetermined parties.
4. Pentesters must release the results in a professional fashion. It is only natural to LOL at the utter disregard for security but keep in mind real people are responsible for this security and they have feelings. Hurting feelings for the greater good may be ethical but is unnecessary.
That last point is up for debate. Sometimes security has been taken with such disregard that the only thing that will get through to them is a public shaming. It is very tempting to take the results of a pentest and want to fire those responsible for the lackluster security. That would be the wrong thing to do. That would be incredibly naive.
Pentesters often go for speed. That by its very nature leaves many things up to chance. It is important to remember that the hackers are always ahead of the defenders. There are always security holes and all of those responsible for the security of systems are making mistakes. It is good to perform a thorough examination before jumping to any conclusions.
To the Point
Want to be good at computer security? Patch your computers. Want to be really good at computer security? Learn how to hack.
I recently played a capture-the-flag game. We were given two virtual machines, one attacker and one victim. The goal was to answer questions about the victim computer by hacking into it. I am looking forward to sharing this experience because it was a seriously eye-opening challenge. It was probably the most fun I have had learning in a long time.