Against Security?

The debate on the information protection industry

It is an interesting fact that most scientific research and speculation on deviance concerns itself with the people who break rules rather than with those who make and enforce them. . . [w]e must see deviance . . . as a consequence of a process of interaction between people, some of whom in the service of their own interests make and enforce rules which catch others who, in the service of their own interests, have committed acts which are labelled deviant . . . (Becker, quoted in Taylor (1999)).

Introduction

The term 'network security' is likely to call to mind the image of an innocent network needing protection from malicious attack. The term 'information security' suggests that there are people from whom information must be protected -- in other words, that some have a right or a privilege to certain information, while others don't. These connotations are very strong, probably just as strong as the connotation carried by the term 'national security'. The right to own or control information of all sorts, and to maintain and protect the networks to control the flow of that information, is widely accepted.

There are those, however, who challenge the idea that information should be secure (in most instances), or who argue that networks that are insecure ought to be attacked, in some sense, in the interest of some greater good. Although the term 'ethical hackers' means different things to different people, one might apply it to this group.

Hackers and networks

Ironically, the greater good that many hackers claim to pursue is greater security. These hackers are practicing the equivalent of an angler's catch-and-release. They scan, they probe, they find an exploit - and they go home to tell the story. They don't attempt to alter or damage the compromised system. However, the catch-and-release analogy is particularly apt here, for just as a fish is not released from the hook unchanged, so the hacked system is not left as it was. Unexpected configurations might crash as a result of a scan. And even a stealth hack may be detected. System administrators will generally have no idea if suspicious network activity is 'ethical' or not and can spend hours checking out a system after detecting an attack, just to ensure that no damage has been done.

Once the hacker retreats to tell his story, it is an open question to whom he tells it. Some insist on going through 'official' channels, to ensure that the problem can be fixed before it is maliciously exploited: this official channel might be the owner of the network, if the problem is specific to the network configuration; or it might be the creator of the faulty software, if the problem lies there; or it might be an establishment clearinghouse for technology security, like CERT.

Others, however, argue for disseminating information more broadly as an important form of public education. The vendors who supply the hardware and the security apparatus protecting it have a vested interest in not publicizing vulnerabilities, and have a profit driven interest in not having to fix each vulnerability as soon as it is discovered. CERT might be subject, indirectly, to some of the same pressures. Hackers, by going public with new exploits, put some pressure on the vendors to provide patches, if not better hardware/software to begin with. And in the larger picture, this publicity serves as a warning to consumers that the vendor-supplied goods may not be as secure as advertised. Of course, it also serves as an invitation to malicious hackers. The ethical hacker, though, generally claims to hack to hone his own skills, and to promote security in the long run by exposing poorly designed networks, software and hardware in the short run.

Hackers and Information

The situation changes, though, when the question moves beyond relatively benign non-approved access to a network, to the question of the ownership and control of information. One hacker, when asked what the social responsibility of a network security professional is, responded:

First, to not help make a system secure if the information contained in the system should not be kept secret. Second, to not help make a system secure if the information contained in the system violates an individual's privacy or has not been volunteered by the individual.

To this hacker there is only one kind of information that can be legitimately owned: that which concerns the owner himself. All other information should be in the public domain. And if anyone violates this principle by trying to hide that information, it is legitimate to use hacking means to obtain it. From this perspective, the ethical hacker may justify altering or damaging networks to liberate unethically hoarded information. He could just as well, however, be opposed to altering or damaging the network, but in favor of using an exploit to access information, then to make that information public. A classic example would be getting access to the source code behind a popular application. Microsoft, for instance, was recently hacked and concerns have been expressed that the hackers may have gained access to source code in development. Non-network-based software hacking is also common. Cyber Patrol, a filtering program, was reverse-engineered by a lone hacker a few years ago, and he was able to prove that certain sites with substantial academic merit were explicitly being filtered. His goal was to show that the software was exceeding the bounds of its stated objectives. But because the software was proprietary, he had to resort to criminalized means to do this.

More commonly, proprietary software is attacked simply on the grounds that it is inefficient. When source code is restricted, no one can learn from it, no one can borrow from it, users cannot contribute to debugging it, users cannot customize it to work more efficiently for their specific context, and other developers cannot build upon it. Moreover, the owners must devote time, effort and money to developing in secrecy, packaging, marketing and policing their proprietary products. All this results in fewer people using the product, and thus a general decrease in its potential benefit to society. While limitations on use make some sense in terms of primarily physical products (roads deteriorate, so there is a down-side to unrestricted use), the cost to the physical manifestation and reproduction of digital products is negligible, both directly in terms of resources, and indirectly in terms of the almost complete lack of degradation in digital copying.

The arguments for ethical hackers presented so far operate within a framework and general mindset in many ways very similar to that of their nemeses, the information security specialists. At times their goals are the same: to further network security. At times they agree on which means are not justified: altering content and disrupting connectivity. The fundamental difference has to do with the idea of ownership of information, and the means taken to protect that ownership.

Hackers and Politics

A third type of hacking for the greater good diverges significantly from this framework. "Hacktivists" generally seek to pursue a political goal through blatant attacks on computer systems. The attacks are often not very sophisticated - hacktivism by and large differs from the other hacker forms discussed above in that the political goal completely overshadows concerns for demonstrations of technical ability and networking finesse. Many ethical hackers are opposed to standard hacktivist techniques, which include replacing home pages with political content and pseudo-denial of service attacks that make web sites inaccessible for a period of time.

Stephen Wray, in "Electronic Civil Disobedience and the World Wide Web of Hacktivism: A Mapping of Extraparliamentarian Direct Action Net Politics", discusses a subgenre of hacktivism, electronic civil disobedience. These hacktivists generally acknowledge that some of what they are doing (changing the content of targeted web pages, for example) is and should be illegal. Hacktivists are not trying to call attention to networking issues. They want to use the network to call attention to broader political issues. They borrow "the tactics of trespass and blockade from . . . earlier social movements" to generate greater public awareness of an issue. Electronic Civil Disobedience, following this heritage, generally is undertaken in the open, without pseudonyms and without efforts to avoid arrest. Ironically, hacktivists may be in complete agreement with the establishment about the legitimacy of the ownership of information and the need to secure that information on networks. Like civil disobedients before them, they don't (necessarily) claim that the laws they are breaking are wrong, or even that their actions are not disruptive - they simply claim that sacrifices can and should be made to higher goals.

The majority of hacktivist attacks involve gaining access to a system and revising web pages. However, in 1998, a group called the Electronic Disturbance Theater organized a pseudo-denial of service attack on three websites using home-grown software. Their call to action read:

In solidarity with the Zapatistas in Mexico, the Electronic Disturbance Theater will launch its FloodNet software against the web sites of Mexican President Zedillo, the Pentagon, and the Frankfurt Stock Exchange on Wed., September 9, from its base at the Ars Electronica InfoWar Festival. These actions are part of the Electronic Disturbance Theater's SWARM presentation at the festival now happening in Linz, Austria. Since April the Electronic Disturbance Theater has used its FloodNet software to engage in virtual sit-ins on the web sites of the Mexican government and the Clinton White House. Such electronic actions are designed to demonstrate collective and world-wide support for the Zapatistas in Chiapas and their opposition to the Zedillo government with its global neoliberal economic agenda.

FloodNet was a Java applet. When web users accessed the FloodNet page, the applet reloaded the target page every few seconds, and allowed the user to enter in political messages that would be sent to the server error log. More recently, hacktivist activity is taking place in the name of superpower rivalry between China and the United States.

Although the means are crude and easily offend a sense of 'digital correctness', the insecurity of network systems provides an avenue for counter-hegemonic voices that, given the concentration of media ownership in most of the developed world, have no such access to other forms of mass media. And if sit-ins that shut down businesses or government offices, or marches that clog up city streets, were important and ultimately justifiable means for achieving political ends (in the case of the civil rights movement, for example), why shouldn't coordinated mass network activity with the intent to disrupt be considered in the same light? (Actually, we can think of several reasons, but that is for another essay).

Conclusion

Even for those who do not count themselves among the ranks of the ethical hackers, it is important to be aware that security often does come at the expense of openness, convenience and efficiency. University systems are acutely aware of this (as are hackers), and in keeping with general commitments to openness and the free exchange of ideas, have much less secure systems. Information technology security is often the challenge of balancing the demands of users with the need for data confidentiality and integrity.

Sources:

Here are three web sources containing important documents related to ethical hacking.

Denning, Dorothy. (1990). "Concerning Hackers Who Break Into Computer Systems" (http://www.cpsr.org/cpsr/privacy/crime/denning.hackers.html)

Before becoming a top security expert working with the government to protect information (and thereby something of a pariah to the hacker community), Dorothy Denning was one of the first establishment security professionals to look seriously and sympathetically at hackers. Her article, "Concerning Hackers Who Break Into Computer Systems" (1990) summarized informal interviews she conducted with several hackers, which led her to conclude that "[h]ackers have raised serious issues about values and practices in an information society", and to "recommend that we work closely with hackers." Denning, it should be pointed out, limited herself to a small subset of hackers, those who "are learners and explorers who want to help rather than cause damage, and who often have very high standards of behavior."

Stallman, R. (1992). "Why Software Should be Free" (http://www.gnu.org/philosophy/shouldbefree.html)

Richard Stallman is a software developer and a leading figure in the open source movement. Stallman says that as a software designer, the key question he must answer is what to "do with the software I develop in order to benefit humanity the most" -- probably not your typical software engineer's primary dilemma. In this essay he considers whether proprietary software can fulfill this mission better than free software. He draws an analogy between proprietary software and toll roads - both are 'artificial obstructions'. Not only that, they are costly artificial obstructions. Throughout this discussion Stallman also reflects on the psycho-social effects of these obstructions, which promote secretiveness, information hoarding, distrust, a combative disposition and social anomie. He concludes that "in any kind of intellectual field, progress is built by standing on the shoulders of others. That's no longer generally allowed in the software field - you can only stand on the shoulders of the other people in your own company."

Wray, S. (1998). "Electronic Civil Disobedience and the World Wide Web of Hacktivism: A Mapping of Extraparliamentarian Direct Action Net Politics" (http://www.nyu.edu/projects/wray/ecd.html)

And

Electronic Disturbance Theater Archive. Accessed April 27, 2001, on the WWW: http://www.nyu.edu/projects/wray/wwwhack.html

Discussed above.

Further Readings:

Denning, D. (1990). "A dialog on hacking and security". In P. J. Denning, Computers under attack, ACM Press, Addison Wesley.

Ronfeldt, D. F. et al. (1998). The Zapatista Social Netwar in Mexico. http://www.rand.org/publications/MR/MR994/

Taylor, P. (1999). Hackers. New York, NY: Routledge.
