Discussions

News: Article: Are white hat hackers an endangered species?

  1. In "Are white hat hackers an endangered species?," security experts debate the actions of white hat hackers. Some say they're doing a service to companies and customers by finding vulnerabilities before the bad guys, while others say they still have to follow the law and not do things without permission. The issue, some security experts say, arises from the fact that laws in the digital world have not caught up with the laws in the physical world. Other experts say, however, that we need the good guys to look for and disclose vulnerabilities. Otherwise, the bad guys will run the show. As an example where the laws have punished those who seem to have good intent, Eric McCarty is mentioned:
    Eric McCarty did come forward -- through the Security Focus computer security site -- when he found a vulnerability on the University of Southern California's online application system when he was allegedly registering for a class last June. McCarty told Security Focus how he was able to access the database at USC and copied a small number of records. He worked through Security Focus to notify and help USC fix the problem. He has been charged with computer intrusion under the U.S. Patriot Act. A trial date has been set for July 11, 2006.
    From the article's first paragraphs:
    Recent prosecution of so-called white hat hackers -- those who find security vulnerabilities in Web sites or systems, either inadvertently or intentionally, and subsequently make the owners of those sites or systems aware of the problem -- have brought several issues to the fore: Do white hats provide a service or a disservice? Should security researchers who find vulnerabilities in Web sites report them, or is the risk of prosecution too great? And finally, if the white hats hang up their hats, what will the ramifications be?


  2. White Hats

    I've never accepted the argument that so-called "white hat" hackers present. "We're doing the internet/companies a service" ... etc, etc. IMHO, what they're doing is analogous to breaking and entering. Would you like to find some strange dude sitting in the living room of your home ... just so he could tell you ... "Hey man, I found out that your bedroom window wasn't locked securely ... so I took the liberty of climbing through in order to teach you a lesson."? Hell no, you'd probably shoot the SOB. These people need to find something better to do with their time. Of course that's just my opinion.
  3. Re: White Hats

    Frank, while I agree with you, there's also a point at which a white-hat hacker provides a very, very useful service. What's more, if a company *hires* a white-hat hacker, they tend to set rules around what the hacker can do or try, which fundamentally limits the usefulness of the process. It's a grey area, to me.
  4. Re: shoot this SOB

    In France, if you shoot someone you find in your home, you are considered a murderer and go to jail for a few years. This kind of post will always surprise me!
  5. Re: White Hats

    I've never accepted the argument that so-called "white hat" hackers present. "We're doing the internet/companies a service" ... etc, etc. IMHO, what they're doing is analogous to breaking and entering. Would you like to find some strange dude sitting in the living room of your home ... just so he could tell you ... "Hey man, I found out that your bedroom window wasn't locked securely ... so I took the liberty of climbing through in order to teach you a lesson."? Hell no, you'd probably shoot the SOB. These people need to find something better to do with their time. Of course that's just my opinion.
    But from the article, white hat hackers often inform the company they have found a potential vulnerability while they work on it, and not just afterward. I think that transparency is the main issue. Of course, I would be pissed if I were the company and just learned it afterward, but if he informs me of what he's doing, he is indeed doing me a service.
  6. Re: White Hats

    I've never accepted the argument that so-called "white hat" hackers present. "We're doing the internet/companies a service" ... etc, etc. IMHO, what they're doing is analogous to breaking and entering. Would you like to find some strange dude sitting in the living room of your home ... just so he could tell you ... "Hey man, I found out that your bedroom window wasn't locked securely ... so I took the liberty of climbing through in order to teach you a lesson."? Hell no, you'd probably shoot the SOB. These people need to find something better to do with their time. Of course that's just my opinion.

    But from the article, white hat hackers often inform the company they have found a potential vulnerability while they work on it, and not just afterward. I think that transparency is the main issue. Of course, I would be pissed if I were the company and just learned it afterward, but if he informs me of what he's doing, he is indeed doing me a service.
    .. some fixes... Of course, I would be pissed if I were the company and just learned it afterward, but if he informs me of what he's doing, he is indeed doing me a service.
  7. They are, and it is because of the litigious nature of the society. Personally, I would never test someone else's system for vulnerabilities, and if I came across one accidentally I wouldn't report it. I don't mind helping people, but in my own experience, the most likely response is "I know what I'm doing! Leave me alone!!!1111oneoneone!!!". Toss in the plethora of articles about people being sued over the same type of thing and nope, I just won't do it. You can be sure I won't use the site/service anymore though. None of this applies to open source obviously; I don't have to worry about ending up in court for pointing out a bug. :-)
  8. Re: No good deed goes unpunished

    They are, and it is because of the litigious nature of the society.
    This is exactly why white hat hacking is finished. Legislation and the legal profession have now caught up with technology. Worldwide legal services costs last year were $250 billion, with two-thirds of that in the USA (source: The Economist, last week). Madness... PJ Murray, CodeFutures Software Data Access Objects and Service Data Objects
  9. Wrong analogy

    In this article, the author gives the analogy of a house, which is personal property. But websites are like public places, and if you don't put a notice or a lock in certain places, or forget to, people will go into these places and explore. It won't be the people's fault. Of course, it will be a crime if anybody goes into this unlocked place and does some damage in it. So I think as long as nobody is doing any harmful activity, there is no crime.
  10. Re: Wrong analogy

    In this article, the author gives the analogy of a house, which is personal property. But websites are like public places, and if you don't put a notice or a lock in certain places, or forget to, people will go into these places and explore. It won't be the people's fault. Of course, it will be a crime if anybody goes into this unlocked place and does some damage in it. So I think as long as nobody is doing any harmful activity, there is no crime.
    I like your analogy. If one evening I walked past a store and noticed the door was unlocked, shouldn't the owner be grateful that I either gave him a call or notified a cop? That is assuming I didn't enter the store and help myself first.
  11. In "Are white hat hackers an endangered species?," security experts debate the actions of white hat hackers. Some say they're doing a service to companies and customers by finding vulnerabilities before the bad guys, while others say they still have to follow the law and not do things without permission.
    You should not have posted this story here on theServerSide.com. Why? Because the majority of the participants hereon do not understand security at all. Here is the evidence. Please read the replies to the post that I have linked to. If you want an informed discussion of issues relating to information security, you should probably try posting this story to another web forum. Formerly, I would have recommended Slashdot, but that site seems to be in decline these days. Furthermore, there does not appear to be a "Slashdot for information security" web site. OTOH, there are many mailing lists devoted to Info Sec matters.
  12. Now thar's a hornets' nest! You wascal you!
  13. This sounds more like why we should have posted it here on TSS, rather than a reason not to. Were you being sarcastic?
  14. This sounds more like why we should have posted it here on TSS, rather than a reason not to. Were you being sarcastic?
    He appears to be more interested in chest beating and looking down on others. Paul, as for why many Java developers may not know anything about buffer overruns or stack smashes, it is because those are not issues one has to deal with at the Java language level.
  15. who is accountable?

    With an application of any sort that is a purely hosted application, including something such as an online stock trading site for example, there is currently very poor accountability in general for anyone with regards to security of the application or website. Given some of the arguments presented so far in this thread, the user has no right to do even the simplest tests to see if the site is secure. The legal issues are slightly more complex and not yet very well defined, but the precedents that have been established so far make it very easy to accidentally step over the line. Check to see if you could, in theory, possibly retrieve someone's information without authorization? That may be ok. Actually do it? That may not be ok. What if it is your own information being accessed by you in an unauthorized manner? What if it is someone else's information that they authorized you to try to discover? Who knows. Could I have been prosecuted for reading a reporter's credit card information back to him after I stole it, with his permission, from his Microsoft Passport wallet? When I did that, the risk to me was low. Now, who knows.

    The company doesn't have a lot of motivation to ensure the security of their applications, since if there is a problem they will simply apologize or find someone to blame. This is changing slowly with laws such as California's privacy breach disclosure law, but that is far from the norm; even then, it is just mandating disclosure, not providing strong incentives to keep the problem from existing in the first place. Once various types of personal information are compromised there is little anyone can do but hope it isn't used for crimes such as identity theft. Even if the "company" has the best of intentions, and by "company" I'll mean the executive level management and IT team, they don't always have the skills or resources to know if something is secure or not. Any auditing firm they hire can only tell them they didn't find any problems, not that there are no problems. And, like it or not, there are only so many top-notch folks who can find some of the trickier security issues. And most of them don't work as consultants doing so for companies.

    Suppose someone can log on to a major US financial institution's online trading site, and within moments figure out how to download the code for their application and gain full access to the host it is running on. You need to accept that such issues are there, and that they are easy to find, since that is reality. Given such a reality, the challenge is to ask what you, as a user of such a site, would want to happen if someone who was not acting under the authority of the company who owned the site knew or could easily know such an issue existed.

    Personally, I have found many security holes in all sorts of applications in the past, including hosted applications, without any authorization from the company owning the application. In each instance, I used my judgement to figure out how to report them in the most appropriate manner to get them fixed. Luckily, the companies involved chose to acknowledge and deal with them rather than make a big fuss. Sometimes it was easy to report issues. Sometimes it took weeks of trying to get past first level support folks, until one morning you are woken up by an unexpected conference call with 3 VPs of a large US bank. Sometimes it took threatening to go public.

    I haven't done this for a number of years now, largely due to my changing personal interests. If I were to still have interest in it, however, the current legal situation would definitely have resulted in me not looking for flaws, and even if I did then I would definitely not report them. The end result would be that a variety of sites that many of you use every day would be much less secure and open to the compromise of all your personal information stored on them.