>David Binder wrote,



>I think Hacking is a very interesting topic but there is something I want
>to mention. I think Hacking and Hackers have a positive aspect too, if they
>don't want to harm you (otherwise they would be called crackers).
>If a Hacker broke into your system and shows you that your security system
>is not good, you will have to work on it. So you will have a better
>security system and this protects you from people who really want to harm you.
>Software engineers and producers of firewalls will also have to work on
>it. So the Internet will get more safe.
>I agree with you when you say that it is a vicious circle but that is the
>same in real life too.


Consider the following scenario, which takes place in a country 
without universal and unlimited health care. Someone walking on a 
public street is stopped by a wild-eyed, stethoscope-wielding person 
in a white coat. The white-coated one screams that he has observed 
that the passerby has yellow eyes, spider-shaped blood vessels under 
the skin, fluid retention in the legs, is trembling and seems to be 
itching intolerably.

"You have innumerable symptoms of advanced liver disease. That is not 
good. Your liver wishes to harm you and must immediately be replaced 
with a transplant."

And the innocent one says "I have no money for food.  If I do not 
eat, the state of my liver will be irrelevant."

Let me try to put this into philosophical rather than metaphorical 
terms.  The doctor, in my metaphor, regards the state of one's liver 
as an absolute good.  Those hackers that claim they are doing a favor 
for individuals and organizations, by probing every aspect of their 
security, base their claims on the idea that security against active probes is 
an absolute good, and that the target of their probe can guard 
against the attacks.

Assume that one of the targets of the probe is a community health 
center in a remote rural area. That center has limited funds.  Due to 
its remote location, electrical power is not reliable.  With finite 
resources, the center may make a decision that it is more important 
to buy a backup electrical generator than to allocate those resources 
to install a firewall.

In the clinic example, I will assume that its system administrator is 
infinitely knowledgeable in security and security tradeoffs, and has 
made a conscious decision that the risks of not having electricity 
are more severe than the risks of break-ins.   Does that administrator 
have an obligation to tell the hackers why he implemented a certain 
policy? What responsibility do the hackers--and I will assume they 
are well intentioned--have to the system administrator?  That 
administrator may have detected a break-in, and not know if it is 
malicious or not.  Under such circumstances, a reasonable 
administrator is forced to spend resources to restore potentially 
damaged files. He cannot trust the word of the hacker, because they 
are anonymous and unsolicited. No relationship of trust exists 
between hacker and organization being hacked.

For sake of argument, the clinic administrator is assumed to be a 
security expert.  In the real world, only larger enterprises will 
have in-house security staff.  Properly supporting a firewall is not 
a trivial task--I've done it, and simply staying aware of published 
new threats and installing protections against them requires 
significant effort.

To me, there is a significant ethical difference between:

     a hacker that experiments on her own machines that run Microsoft 
software, finds a vulnerability, and notifies both Microsoft and 
independent organizations  (i.e., http://www.cert.org) of the 
vulnerability and how to protect against it

     a hacker who invades a small business system and leaves a note saying

         "I am an Elite Hacker D00D who got in through your lousy security.
          Fix it. I could have left a bomb, but trust me, I didn't."
