In isolation, hackers are both feared and reviled as a disruptive force in the world of information security. Perhaps it is time to review the collective benefit that the hacker brings to IT as a whole - an element of life-giving tension between system creators and protectors on one side, and this subversive element on the other.
Hackers have existed for as long as there have been electronic computers. (For an excellent overview of the history of hacking, please see "Hacking's History," ITworld.com, November 6, 2001.) When this history is assessed against the pattern of the evolution of our Internet-based world, the much-vilified hacker has often been a catalyst for change and, in the broader sense, a force for good.
The hacker lineage can be traced over the past 40 years, from its roots at MIT in the 1960s, to the phreaks and the 'blue box' home businesses of the 1970s, through to the sophisticated multi-dimensional denial-of-service attackers of today. Hacking began at a time when the nascent IT industry was not commercialized to any great extent. If one accepts the proposition that the origins of the Internet are rooted in a philosophy that the gathering and the distribution of knowledge should be subject to few boundaries, it is not surprising that the concepts of data protection and of network security have remained anathema to the hacker.
Hackers keep the IT professionals honest. As a collective entity, hackers are better than any expert at fostering effective IT security because hackers do not fall into any one particular category. Because hackers cannot be easily compartmentalized, the battle of wits between systems security and the hacker is akin to systems personnel playing chess against a very skilled opponent who is effective in a number of techniques.
Hacking can be divided into four genres, with the recognition that there may be some measure of overlap:
1. The Funster
These hackers are absence-of-malice operators. They see a computer system as a Mount Everest - they are motivated to attack because it is there, and the joy is in the doing. The Funster does not always have a predictable method of approach, and is not particularly inspired by any motive. These operators are a random force. Once successful in the achievement of their objective (rarely for personal gain), they move on to another target.
There is commonly an element of cheeky humor in the Funster's systems mischief making, an attitude akin to a youngster calling out, "Look Ma, no hands!" when they have mastered the bicycle. Funsters, without question, are irritants, and something of a challenge, but they are not menaces.
2. The Conscience of the Community
In October 2001, two Cambridge University doctoral candidates decided that they were fed up with what they saw as an over-dependence by major British banks upon the concept of 'security by obscurity.' To expose this flaw, the students penetrated a major bank's IBM 4758 computer (a version previously thought to be virtually impregnable), demonstrating how a bank employee could theoretically steal huge sums from the bank (see SiliconValley Tech, November 11, 2001).
Like the Funster, the Conscience works without bearing malice towards his subject. Unlike the Funster, this hacker is issue-driven, with a focus upon a discernible target, possessing a powerful motive to expose a shortcoming or system flaw for the benefit of the larger public interest.
Various recent penetration-type attacks against wireless networks using mobile or 'war driving' technologies are similar in their motivation (as reported by BBC News, November 6, 2001 and Sandra Kay Miller, Information Security, November 2001). A successful Conscience hack is impossible to ignore, pushing the impugned system to be better.
3. The Pink Slip Hacker
Rejection, either by a corporate entity or by a paramour, fuels this hacker. As this person acts for the purposes of revenge, they usually turn against a system through the possession of inside knowledge. This hacker has a typically limited focus and, being motive-driven, is easier to identify. Such hackers have usually highlighted flaws in the internal controls of system security, such as continued access to a system after termination or lax password practices.
4. The Malicious Hacker
These elements are the rarest and the most troublesome of the hackers - the alter ego of the Funster. Malicious hackers are fueled by their own private interests, either immediate financial gain (gaining access to credit card information, as an example) or attacks to acquire information from, or control of, other systems.
The Malicious Hacker operates without conscience, and usually in the service of a large-scale design.
A Rose by Any Other Name
Why are the activities of the hacker such a useful and vital part of Internet security? It is the increased profile of hackers of all types that has, in essence, spurred the creation of hundreds of 'legitimate' research companies, whose mandate it is to test and otherwise alert the public and software manufacturers to potentially exploitable holes in their products. The MIT students of 30 years ago would be amused to see today that the president of eEye Digital Security Inc., isolator of the much-publicized vulnerability in Microsoft's XP operating system, refers to himself as the 'chief hacking officer' of eEye. The company is now working with Microsoft to correct the identified error, as reported in "Flaw Threatens Security," Tyler Hamilton, Toronto Star, December 21, 2001.
Simulated penetration attacks have been a feature of systems security for a number of years. Hackers, taken as a whole, are a far superior research and development tool: random, intelligent and committed, the hacker element forces systems professionals to be better.
As is the case with the other world's oldest profession, laws aimed at the prevention of hacking are as effective as attempts to legislate away streetwalkers. Just as prostitutes perform a service that may well have an element of societal benefit, the hacker should be viewed as, at the least, a necessary evil.
There is no question that hackers beneficially heighten the public consciousness by bringing home to all citizens the fallibility of IT systems. A successful hack into a system, while disruptive to the entity involved, may actually serve a public purpose - it reinforces the fact that no matter how technically sophisticated, no matter what wonders our cyberworld may hold, all man-made applications are ultimately suspect and susceptible to human error. Information systems are as fallible as any other aspect of our existence.
Bryan Davies works and lives in Whitby, Ontario, Canada. A lawyer, a professor and a consultant on Internet security issues, Davies has prosecuted numerous Internet based crimes, including serious frauds and multinational child pornography. He is currently assisting in the development of an Internet security systems course at Durham College, Oshawa, Ontario. Davies can be reached at firstname.lastname@example.org.