Security and ethics

This story illustrates everything you ever wanted to know about computer security. In no particular order,

  1. It’s a people problem, not a technology problem.
  2. It’s all about trust.
  3. A system is only as secure as its least secure component.
  4. Bad guys don’t play by the rules: this is why they’re bad guys.
  5. The system doesn’t care if an attack is ‘fair’ or not – it only knows secure or insecure.
  6. The difference between a white hat hacker and a black hat hacker is the difference between right and wrong.

Let’s break it down.

First things First

The first issue to be laid to rest is that the company’s system was shown to be insecure. It doesn’t matter how it happened: their web server was shut down (5). The ultimate measure of their security is whether or not they can keep their server up, which they couldn’t (in this case).

A People Problem – You are the Weakest Link

This particular attack required no computer skills; anyone could have pulled it off. Well, not true. It takes a certain amount of attitude; any con-artist could have pulled it off. Most of the problems with computer security have very little to do with computers and everything to do with the people using them. This is because people are the only ones who can care about security (by definition; computers don’t care about anything). Sad but true.

If an attack can be performed by fooling a person rather than a computer, chances are it will be done that way because people are generally easier to fool.

That being said, the really fascinating things about this story are the issues of trust and ethics involved. It’s not hard to view this story from two different directions:

Point – He pulled a job

Our superhacker was just that: a sly hacker who defrauded a naive ISP out of $3500. Their *real* security problem was not being able to distinguish between a reputable consultant and a malicious attacker (2). He broke the rules (explicit or implicit) of their agreement and betrayed their trust to steal their dough.

CounterPoint – He did a job

The hacker was hired and his reward was contingent on his taking the server down, showing the insecurity of the system (5). He exposed a severe flaw in their security attitude and process, which are just as crucial to security as technical systems (1,3). Paradoxically, the most honest approach he could have taken was the dirtiest one possible, because that’s what a real attacker would do (4). While completely satisfying their agreement, the hacker taught the ISP a valuable lesson about security, and he was worth every penny of his fee.

Breaking it down

So which rendition is correct?

It all depends on what he put in his report, because only his report can reveal whether or not he acted ethically. His ‘patch’ could prove to be either a crude attempt to paper over his own dishonesty or a devastatingly ironic (and insightful) commentary designed to drive a point home.

Security measures are designed to restrict the actions of people you don’t trust. There is, however, another part to security: deciding who to trust. No security measures, however stringent, can protect you if you decide to trust the wrong people (2). If the superhacker was a trickster and a fraudster, then the company trusted the wrong person.

White and black hat hackers think in the same way and hunt out the same vulnerabilities. The difference between them is that white hat hackers *don’t* take you to the cleaners just because they can (6).
