My 03/30/08 Missoulian column
What would you think if you read a news article with a lead like this, from the Philadelphia Inquirer: “Trevian Mathis taps his computer keyboard just a few times to hack into First Bank’s customer accounts. Within minutes, he has checking, savings and credit-card numbers”?
That sounds like a black hat hacker – someone working with a profit motive on the dark side of the computer world, someone who’s in the news a lot these days – right? All except for the next line: “His maneuvers may look sneaky, but Mathis is on the side of justice.”
Suddenly the hat changes to white – he’s a good guy, after all, working for the law. He’s the new buzzword, an “ethical hacker,” someone who learns the same skills as a black hat but works to secure business and government computers from hacking. And there’s more: He’s a student in an ethical hacking certification program.
Black hat hackers’ crimes might make the news each week, but ethical hacking is a growing industry, one in which students practice breaking into test systems that are set up like typical bank and e-commerce Web sites. Google “ethical hacking” and you’ll discover there are many schools and seminars offering degrees and certifications.
Some of the more popular ethical hacking and information security offerings are from the EC-Council, a member-supported industry group that works in conjunction with schools. A program in our region is the Certified Ethical Hacker Program at Edmonds Community College in Washington, which is offered in conjunction with the EC-Council. The program employs high-tech workers and teaches students basic and advanced techniques for finding weak points in the defenses of computer systems and networks set up for testing.
In many of these programs, students must sign agreements to not use their knowledge for black hat purposes and, in some cases, must be employees of legitimate businesses in order to register – safeguards to help prevent the misuse of their hacking education.
According to Ken Stasiak, president of SecureState, a Cleveland firm that specializes in ethical hacking, there is a real need for businesses like his, which employ graduates of ethical hacking programs. His assessment, as reported by the Newhouse News Service, is that when “attacking” a business that has hired the company, “nine times out of 10, SecureState employees successfully retrieve sensitive information”.
A nonprofit organization that works toward the same goals as ethical hacking is the Institute for Security and Open Methodologies. It provides training and tools, and works with schools, businesses and government agencies. Like EC-Council, the group offers training and seminars around the world, along with different offerings such as its Hacker High School.
“Hacker High School” got your attention, right? The reality isn’t quite what the name implies – the program provides free materials for public schools in order to educate kids about their own information security and the potential for someone to hack their computer.
Beyond the schools and degrees, a Google search will turn up all sorts of Web sites maintained by “lone wolves” calling themselves ethical hackers, along with endless discussions about the boundaries of ethical hacking and the software tools available. But ethical hacking on your own can be sketchy – even if the intent is to help secure systems, an ethical hacker must access systems and information without permission, the legality of which varies.
In the recent news, lone wolves and ad-hoc organizations have been hacking along blurry ethical boundaries. The Great Firewall of China – the attempt by the Chinese government to block “subversive” news and information – is full of holes, and ethical hackers will show anyone who wants to know the half-dozen or so ways around and through it. (The “Great Firewall” is a play on the Great Wall and firewalls, hardware and software systems that selectively block Internet traffic.) Actions that are viewed as ethical by these hackers – trying to get news and information into China about controversies such as Tibet and the Tiananmen Square protests – are seen as crimes by the Chinese government.
This brings us to another buzzword – “cyberethics” – and the recent case of a multibillion-dollar business mixing with global politics. The San Francisco Chronicle last year reported the story of how Yahoo Inc. CEO Jerry Yang and the company’s top lawyer were “lambasted as moral ‘pygmies’ for the firm’s role in helping China identify and jail a journalist in 2004”.
Yahoo had turned over secret data that enabled Chinese officials to track down and punish the dissident journalist, but the company argued that it “was better to try to expand the Internet in China (by bowing to the government’s demands) even if that meant agreeing to live under its repressive rules.”
Who gets to set the ethical standards and take the moral high ground in cyberethics when billions of dollars, world powers and human rights collide? As with any high-tech issue, it is – and likely will be – in flux for years; it may never be decided. At very least, I wonder if a degree on the wall and a sense of morality are enough to keep an ethical hacker from seeing greener grass on the black hat side of the moral divide.
Follow-up: There’s a new lawsuit over the digital TV changeover. From the Associated Press: “The low-power television industry is facing a ‘death sentence’ because of a flaw in the government’s plan to force broadcasters to shift to digital broadcasting and has asked a federal judge for a reprieve”.