The word “hacker” is all too often associated with criminal activities—“The hacker who broke into the systems at …”
This association, however, does a disservice to the legitimately curious people, including students, academics and researchers—“Researchers worked with Microsoft to patch the vulnerability before it became known.” What people don’t often realize is that these “researchers” are hackers.
Really, hacking, by itself, is not a crime. The word “hack” simply means to take something apart. And there’s a corollary in the hacking world that says “you can look, but you cannot touch.” Meaning, you can witness encrypted packets traversing a network, but you can’t open them and look inside.
Every day, so-called ethical hackers are improving the security of software, our networks, and our critical infrastructure.
In EP 47 of The Hacker Mind, I spoke with Brian McAninch (Aph3x) about his organization, Hacking Is Not A Crime. Brian’s organization has a red line for its activities. One might see these as ethical boundaries.
“So when you're talking about ethics and legality,” he said, “I have tried to keep this straight in my head. You have ethical-legal and ethical-illegal. You have unethical-legal and unethical-illegal.
So just kind of right off the bat, we in no way support anything that's unethical. Whether it's legal or illegal, right? If we want to, we want to narrow down that nuance to what we can really focus on and have impact. We fully condone and support ethical-legal obviously, and where we're really trying to have an impact is on the ethical-illegal.”
Criminal hacking is, and remains, illegal. There’s an important difference.
And it doesn’t help that the media plays up the criminal side without acknowledging the ethical side.
All of this leads to poor judgment from elected officials.
In February Representative Clay Higgins (R-LA) announced on Twitter that “I’m pushing federal legislation for life imprisonment without chance of parole for cybercrime.” He went on to say, “So, for you 125lb hackers… you might want to start working out. Just saying.”
Higgins, a freshman congressional representative, is a member of Homeland and Oversight committees. If the point of Rep. Higgins’ proposed legislation is to discourage criminal hacking, there are better ways to do that.
Rep. Higgins’ proposal of “life imprisonment without chance of parole for cybercrime” has no basis in reality. For context, the average sentence for rape in the United States is three years.
So, breaking into someone’s network because of poor configurations, or breaking someone’s software because they didn’t test it, well, that doesn’t sound to me like it is several orders of magnitude worse than rape. Not even close.
Also, there’s that quip about criminal hackers being only 125lbs. Meanwhile, Donald Trump said, during one of the 2016 Presidential Debates, that hackers are 400 pounds and live in their parents’ basements. So, which is it? Frail and weak, or overweight and unemployed?
I’m beginning to think Higgins’ tweet in February was a non-serious proposal from a freshman congressional representative.
Another problem is that while there are some US-based criminal hackers who are subject to our laws, a lot of criminal hackers reside outside the US.
Consider the case of Gary McKinnon. He was accused of hacking American military computers. His extradition to the United States was blocked in October 2012 by then Home Secretary Theresa May, on human-rights grounds.
Consider the case of Lauri Love. He was indicted in the US and spent many years fighting extradition from the United Kingdom.
And, there are many more Russian nationals who will likely never be extradited.
If we can all agree that there’s a breed of criminal hackers, hackers who intentionally break the law and should be punished for breaking the law, then let’s also agree that all the other hackers are likely not criminals. Rather than punishing hackers for their exploration, their curiosity, we should be directing them toward more opportunities to learn.
For example, capture the flag (CTF) is a safe training ground to understand various aspects of application security. In Episode 27 of The Hacker Mind, I talked with Megan Kearns of Carnegie Mellon University's CyLab, which runs picoCTF.
If CTFs aren’t your thing, then there are bug bounty programs which can financially reward you for hacking. There have been hackers who have earned over a million dollars. In Episode 9 of The Hacker Mind, I talked with Stok about his experiences on the bug bounty circuit.
The sooner we harness hackers’ abilities, the better our cybersecurity will be overall. I think that’s an outcome we can all rally around.
Ethical hacking is what we do at ForAllSecure. Our security testing solution, Mayhem, was built by professional hackers to identify defects in your apps and APIs.
Last year, our customers ran over 300 billion tests of their applications and APIs, integrated Mayhem into over 1400 open source projects, and found several CVEs.
Protect yourself from criminal hackers and find vulnerabilities first with Mayhem.
Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.