Last month I was approached with the idea of writing about ethical hacking. The reasoning behind this was to build up interest for a new book for the Certified Ethical Hacking exam. About the same time, Johnny Long (Google hacker extraordinaire) was interviewed by PaulDotCom.com and, among other things, had discussed Christianity and how it affects his work and life. The combined events led me to ponder the connection between ethics, hacking, and a person's faith. This section is the result.
If you ask any stranger on the street what they think about hackers, you will probably get a surly look followed by a negative comment. The reason for this is simple — over 80% of computer users have been affected by a "hacking" incident. Whether it is a stolen credit card or a virus attack, the media has labeled the people behind such activity with the term "hacker." I am not going to bore you with the semantics of hacker, cracker, whitehat, and blackhat, because you can look those terms up all over the internet. The point is that not all hackers are bad. In fact, most hackers stay on the legitimate side of the law and use their talents to create new technologies that you benefit from. For example, Steve Wozniak and Steve Jobs, the founders of Apple, are often labeled as hackers.
According to Wikipedia, ethics are used to morally evaluate an object, action, or person and assign some form of judgment, such as good, bad, right, wrong, etc. For example, "People should not take something that is not theirs" is a moral statement that denotes a right and wrong — "People" "should not" "take."
The problem with setting a condition of morality is that it is defined by your external and internal environment. The following is a short list of some of the influences and how they might change your idea of right or wrong.
- Religion — If you are Hindu, it is wrong to eat beef. If you are Jewish or Muslim, it is wrong to eat pork. However, a Christian will probably eat both.
- Social — If you live in China, digital piracy is acceptable. If you live in the US, digital piracy is wrong.
- Economic Extremes — If you are wealthy, stealing food is wrong. If you are starving, stealing food could be considered right.
The point is that ethics vary from person to person in many obvious and subtle ways. Because ethics are so subjective, it is very hard to determine with any assurance that a person is truly ethical by your standards.
So, ethics are tied to morality, which is a definition of right or wrong. What then is ethical hacking?
According to the EC-Council (and I summarize), an ethical hacker is a security professional who possesses a variety of technical skills, but who first and foremost must be trustworthy. The reason is that an "ethical hacker" holds the keys to the company, and often has access to sensitive information. In addition, an ethical hacker has to know when to stop, due to the risk of damaging systems.
While this might be the EC-Council's definition, the fact is that ethics are subjective. Johnny Long puts it very well:
"There could be, at least in theory, such a thing as a blackhat hacker who is ethical, at least in terms of his own ethical standards. Most hackers have their own kind of ethical and moral compass, even if they are termed a blackhat. There’s this line that most folks won’t cross, so the question becomes where is that line, and how specifically is it defined?"
In fact, most people I talked to discount the whole idea of ethical hacking. Lt. Richard Fogie, of the Lancaster (PA) police department, put it this way:
"Call it what you will – ’ethics’ are impossible to define. Therefore, ethical hacking is simply performing a job based on a contract (verbal or written). The concept of ethical is just another way of saying, permitted or legal."
Self-described ethical hackers even find fault with the label. CEH holder Ryan Trost stated:
"The term 'hacking' in any phrase produces thoughts of malicious intent and this particular one [ethical hacking] is somewhat viewed as an oxymoron. If the phrase was replaced with 'Advanced Network Defense' would it be so taboo?"
However, Dr. David Heinaman (lifelong educator and database guru) simplifies the issue with this statement: "...without 'ethical hacking' there will be only 'unethical hacking' with dire consequences for all."
In other words, there are "good" hackers and "bad" hackers, but how can you really tell the difference?
Ethical Hacking and Certificates
Dr. Phil Hippensteel, a consultant and assistant professor at Penn State commented:
"In all of my recent study of laws related to hacking systems, I find nothing that indicates a difference between ’ethical’ and ’unethical.’ I think that concept is one that comes from the black/white hat community — maybe out of fear, guilt, or concern."
To provide some means of measurement, the security industry created certifications that require certificate holders to agree to a code of ethical conduct. For example, the CISSP (Certified Information Systems Security Professional) candidate must agree to the following "canons:"
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
But what does that really mean? Can a certificate keep a person ethical? Where is the accountability?
Johnny Long finds some value in certifications that include ethical questions "...if only for the fact that they provide an ethical baseline. Skills without ethics are suspect if you've got a history of making unethical decisions [i.e. ex-blackhat hacker]." Therefore, on the surface, there is some value in holding a certificate because it proves to the world that you know what you should and should not be doing with your talents.
However, one self described grey hat hacker who holds the CEH (Certified Ethical Hacker) certification admitted, "I work a security job during the day and at night try and expand my security knowledge by knocking on a few doors." According to the CEH requirements, a certificate holder "...agrees to abide by all legal laws of the land in the use of thus acquired knowledge." So, in this case, does the certificate really make the hacker 100% ethical? Apparently not. At least not by the certificate’s standards.
In fact, there are many security professionals who have an issue with an ethical certification. Jose Morales, a student virus researcher, stated:
"The title Certified Ethical Hacker is misleading. If you have a security certification of some kind, then you already have the tools and knowledge for ethical hacking. I don't think a certification specifically for ethical hacking is a good idea."
The problem is that a person's true ethics cannot easily be measured or understood. There is a huge difference between answering a few questions on a test and applying those same ideals in real life. How then can an ethical certification ever expect to be of value?
Dr. Heineman suggested this as a solution: "I’d like to see some kind of bonding requirement or perhaps if you are busted for hacking and you are 'certified,' penalties are all doubled." Now that would put some teeth into the certification. At least at that point you can be pretty sure a Certified Ethical Hacker is going to strive to keep their activities up to the legal standard.
God is in the Details
Trying to determine how a person will act on ethics alone is risky. You simply do not know enough about their background or who they are to trust they will do the "right" thing. However, what if you could have insight into their religious beliefs? Would knowing a person was a practicing Christian or Muslim have a bearing on your opinion?
I pondered these questions and decided to ask others in the field how they felt. The answer was overwhelming.
Jose Nazario put it like this: "Many of the most talented hackers are deeply respectful and religious or spiritual. From my experience, they run the whole gamut from devout to devoid, just like anyone in any common profession or line of work or hobby." And I agree. In fact, I recall one year at BlackHat the subject of religion came up with those around me. To my surprise, everyone was open with their beliefs. What was more surprising was the wide range of faiths represented by these top-notch security professionals. Mormons, Catholics, and more were all there and accounted for, and not scared to share.
Despite the strong beliefs that many have, there is often a great divide between religion and online activities. Johnny Long made an observation about himself that strikes the point home: "I felt like God wasn't on the Internet." This simple statement is quite true, and the online virtual world fosters this feeling. Just ask the many people out there who steal music via a P2P program. They wouldn't walk into a store and steal the CD, but they give little thought to stealing it online.
This brings us back around to the question "Can a person's religious beliefs determine how they will act as a hacker?" The answer across the board was no. There are again too many factors involved.
Kung Foo Hacking
If you have been in the security world for long, you will be familiar with the idea of Kung Foo/Fu. In short, this is basically the idea that an expert hacker has a certain Kung Foo quality about their programming skills.
Tim Rosenberg, the CEO of White Wolf Security, noted that there should be a connection between how a hacker works with their computer and how a Samurai works with their sword. He stated:
"When I taught swords in college, my instructor cadre reinforced the need to practice within an ethical framework; i.e. violence to defend self and family is ok, violence for the sake of self is not. So too with hacking. Boot Camps [the name given to week long cram courses that lead to a certification] are about teaching skills, but not within an ethical framework. Dojos teach skills, yet tie them to the body and spirit through honor, discipline, ethics and morality."
Another well-known security expert, Dr. Gary McGraw (CTO of Cigital and author of the new book Software Security: Building Security In), uses the Yin/Yang approach to describe what the best hackers need to understand:
"...that a unified approach to security requires as much bad guy fu as good guy fu. Security design, secure coding, penetration testing, exploit development... offense, defense, construction, destruction. A clear mix. So the notion of the Yin/Yang, an eternal inextricable binding of two opposing forces fits very nicely."
An ethical hacker, then, would be one who has expert computer skills of all types but keeps them in sync with their body and spirit, as strange as that may sound. Of interest, this is already known in part by the corporate world, and it is why most companies now require personality/psychological profiling tests before you get a job. In such tests you will be asked what you think about different scenarios and how you would react. The results of these tests generally show what kind of person is applying and whether they are trustworthy. I wonder if someday we will see a psychological ethical hacking test?
This section looked at a lot of ideas and concepts. However, in the end we can conclude that "ethics," as measured or required by certifications, are not worth much. We can also conclude that a person's religious orientation may not be in line with their heart and actions in the digital world. Perhaps someday a true test of a person's psychological makeup will be included with the certification process, but for now I think a verse from Proverbs 20:11 sums it up best:
Even a child maketh himself known by his doings. Whether his work be pure, and whether it be right.
And in case you were wondering, I am a Christian :)