Why We Need Hackers
The following is something I wrote over 10 years ago. I figured I’d repost it on my shiny new site. Enjoy!
Original post from 2013
I’d like to open a conversation here with those reading this. I’m titling it, “Why We Need Hackers.” Please post your opinions and points of view, but no flame wars or attacking individuals is allowed. This is going to be lengthy, and I’m not providing a tl;dr (too long; didn’t read — a.k.a. a summary for those unfamiliar with the term), so please don’t respond if you are not willing to read it all. I’m going to give some background for those who are not familiar with the topic, pose a few questions, and then make some potentially controversial statements to provoke discussion. I’m interested to know if you feel my arguments have merit, if there are weaknesses in them, if there are better ways to support them, etc. I haven’t done any recent research as to what others have said about this, so there may be better articles out there already. I didn’t want to read any of them before I finished writing this because I wanted to ensure that my arguments weren’t yet affected by outside opinion. The entirety of this post is my personal opinion only, and I am not speaking for any employers, organizations, or individuals with which I am currently associated or have been in the past.
The home analogy to hacking has been used before and is easily understood, so I’ll start off by restating it in my own words. You have a home. There are valuable things in your home. You don’t want everybody to be able to enter your home and take your things. In a perfect world, people wouldn’t want to take your things. This is not a perfect world, so you have locks on the doors. Locks are not all made equal. Some locks are made to be cheap and available to the masses. The strongest locks are very expensive and are made to protect even more expensive things. It is your responsibility to determine the tradeoffs you are willing to take when it comes to the cost of the lock and the protection it provides to your home. So you pick one, possibly getting whatever is on sale, or more likely just using the lock that was installed by someone else before you. Your neighbor, Joe, has the same type of lock and discovers that it can be opened with the pop top off of a soda can. This is obviously bad for the security of your home. Here’s where it gets controversial. Does Joe keep the information to himself? Does he go to the lock manufacturer and tell those who can fix it? What if the lock manufacturer says they are unwilling to fix it because it doesn’t affect enough homes or it affects too many homes and they can’t afford to replace that many locks? Does Joe go public and tell the whole world about the problem to force the company to address it or at least give the lock owners the opportunity to buy new locks? Does he sell the technique to criminal or government organizations, both of which may benefit from applying this knowledge? Should he be arrested for messing around with the lock in the first place? If he paid for the lock, does he have the right to disassemble, modify, or even simply just fiddle with it? Does he own the lock itself, or has he only paid for the right to use it? If he has only paid for the right to use it, can he sue the lock company when it fails to protect his home? Finally, let’s ask some questions related to you, since you use the same type of lock as Joe. Do you have the right to know about the vulnerability since you have the same kind of lock installed in your home? If you ask Joe to demonstrate the problem, are either of you exposing yourselves to legal repercussions? What happens if the manufacturer refuses to disclose or fix the vulnerability? Are there legal actions you can take if you ever find out that it has been hidden from you? If you have only paid for the right to use the lock, will you get into trouble for modifying it so that it actually provides the level of protection you desire? Some of these questions may seem ridiculous when applied to a door lock, but they are all applicable to modern computer software. Read your End User License Agreements if you don’t believe me. I’ll also be happy to further discuss the relevance of these questions.
The home analogy does break down in some places when compared to actual modern-day hacking. In the physical realm, attacks are limited by physical laws and constraints. The virtual realm has its own sets of laws and constraints which are often less limiting than the physical. For example, in the physical realm, the average person cannot simply make a copy of your home so that he may examine it at his leisure in order to determine the best way to break in. However, this is exactly what happens in the virtual realm when a hacker discovers what version of a particular software program is running on your computer and then acquires the same software. In the physical realm, it is difficult to anonymously attack your home security, and the risks are generally too high to invite multiple attackers at once. In the virtual realm, you often must deal with multiple attacks happening simultaneously from attackers who are difficult or impossible to identify. There are also many differences in the legal aspects of physical versus virtual. You may have the right to use lethal force to defend your life and property in the physical realm, but you may find yourself in trouble with the law if you attempt to retaliate even with a simple network scan when faced with a virtual attack.
Most people seem to have misconceptions about hackers and what they do. There are those who prefer to differentiate between “the real hackers” (those who break and fix things in order to understand them and make them better) and computer criminals. Hacking is ultimately concerned with discovering how something works. This often leads to finding ways to make something do what it was not intended to do, including things that are potentially illegal or unethical. The type of hacker that mass media likes to publicize are computer criminals who gain money or fame by breaking and exploiting systems. Only a few of these computer criminals are real hackers who have discovered the system flaws themselves. More often than not, those labeled as “hackers” by the media are criminals who exploit vulnerabilities discovered by others by using tools made by others — they are not real hackers themselves. Not surprisingly, those same media giants ignore the fact that companies like Apple, Google, Microsoft, and others are founded by and made up of real hackers. Unfortunately, the moniker “hacker” is used by the general public to mean computer criminal, so I choose to include that definition in my own usage of the term.
There are differing levels of sophistication when it comes to hacking. There are those who simply find tools that exploit known vulnerabilities, also known as script kiddies. There are those who find new vulnerabilities and write the tools to exploit them. There are differing levels of scale when it comes to hacking. There are individual hackers as well as organizations which are dedicated to hacking. These may be criminal or even governmental organizations. Organized crime has their hackers. The Three Letter Agencies and military which are involved in national security have their hackers. Governments in other countries have their hackers. Many of these groups are constantly at odds with each other.
When it comes to hacking in general, the most important question in my mind is, “Who will be the first to discover a specific vulnerability?” To me it is not a matter of if, but of when and by whom. This conversation with you all was instigated by a conversation I had just yesterday. I spoke with a gentleman who was very opinionated about the hacking community and who openly voiced that he thought hackers should be “taught a lesson,” “made examples of,” and “strung up from trees.” I mentioned that someone was increasing the security of medical devices by exposing flaws in the Bluetooth interfaces to said devices. These are critical life-saving devices that are wirelessly exposed to the outside world. The hacker, Barnaby Jack, was found dead of unknown causes in his apartment on July 25, 2013. The man with whom I was speaking said that he hoped that Barnaby ended up killing himself by hacking his own medical device and that it “served him right.” He believed that anyone messing with life-saving medical technology deserved to die. What a horribly insensitive and screwed up perspective to have. Barnaby Jack was a hero. I would much rather have a friendly security researcher discover this flaw and help the device manufacturer to fix it than have a not-so-friendly foreign government or criminal organization discover it and exploit it in the future, leading to the loss of innocent life. Again, there are so many people involved in modern-day hacking that it is not a matter of if, but of when and by whom. If there exists a vulnerability in any system — whether we are speaking of software systems, hardware systems, social systems, political systems, or any other system — there will be someone who wishes to exploit that vulnerability for money or power. This is human nature and will not be changed in this world as we know it.
Hackers are constantly making the world better. Hackers expose flaws that need to be fixed. Hackers attempt to persuade the makers of flawed technology to fix their flaws. Often the flaws that are found are widespread, affecting many other systems and devices. The good news for these categories of flaws is that when a method is found to fix one flaw, it is often trivial to fix the others in the same way. This leads to better engineering of new technology, as it is usually cheaper to build something robustly in the first place instead of having to fix it later. Hackers protect those who do not know how to protect themselves. Pervasive computing is only becoming more pervasive. Technology is getting more complex and the average person is not interested in spending the time required to learn about the privacy and security implications of the newest toy or gadget. Our electronic devices are full of information that we would not want the general public to see. This doesn’t make us criminals, this makes us human beings who value our privacy. Having flaws in these devices makes it possible for the real criminals to steal that information, which often affects not only the user of the devices, but also anyone who interacts with that user. Friends, family, coworkers, employers, acquaintances, romantic interests, etc, are all put at risk from a single flaw in a single device used by a single person. There is more at stake than ever before, and very little financial incentive for the makers of these technologies to actually set money and resources aside to ensure the safety and privacy of their users. Hackers are making our country safer. Pentesting (network penetration testing) is vital to the security of any network, but it is especially necessary for our national intelligence and defense networks. If we don’t practice breaking into our own networks, we won’t have a full understanding of how to prevent malicious attackers from doing the same. How terrifying to think that a foreign government or criminal organization might know more about our systems than we do!
We need hackers. We need more hackers than we have. We need hackers on the internet. We need hackers in the schools. We need hackers in our businesses. We need hackers in the boardroom. We need hackers in the government. We need hackers in all levels of society if we want to make the world a better place and ensure the safety and privacy of the common citizen.