28 replies to this topic

[Cranium]

Quite often, I see that people are hacked or hijacked. I would like to start a simple discussion on the ethics of hacking.

I know that many times hacking could be a good thing. Such as when people post a security flaw, and a way to work around that issue. This has been used many times with Google quite successfully.

So please, discuss....
Why would there be an acceptable reason to hack and why would you do it?

[PixelToast]

i only hack to point out flawls in peoples code
not to actually do harm to the person
for example there was that one guys mail server that had a really insecure PHP file
right now im working on a worm for firewolf that spreads by responding to all http requests and runs malicious code
unless the person says no, then i dont do anything at all :s

[Dlcruz129]

I assume you're talking about NDF-OS, and I just wanna say that the user who hacked the database was not being helpful. Being helpful would be PM'ing NDF and letting him know about the flaw, rather than posting the entire contents of the database on the forums. Just my 2¢.

[nitrogenfingers]

Ethical discussions are very hard to have as every person has different interpretations on right and wrong. I preface this argument by saying these are coloured by my personal beliefs and acknowledge and respect others may differ.

It very much depends of course on what is done by the hacker. For simplicity we'll consider a typical hack as discovering a limitation or hole in a system that results in providing a user with access beyond that which the service owners had intended. This of course is entirely ethical- we can analogise this to spotting a corner of a store with no security camera. What you choose to do with that information however is the crux of the argument.

To do nothing and explicitly report the error to the developer is probably the best thing you can do. They can then act on that information, and you'd do this if you genuinely want the service to be improved. I expect this is rarely done because for those searching for security flaws actively (unless at the behest of the developer themselves), this is probably not the desired outcome.

Most will instead probe the security flaw to see exactly how much damage can be done with it, a mindset I believe cultivated by the experimentation necessary in the process of becoming an advanced computer user. I would say hackers that genuinely don't want to see harm done to the developer or any users reliant on the system would most likely attempt to make their attempts innocuous, not recording personal data or deleting anything system-critical.

Depressingly there is an attitude of entitlement with some people who perform hacks, suggesting that any damage they do is justified because the security flaw was there. This is akin to using a security hole in a convenience store to steal a large amount of merchandise, and then justify the theft as being perfectly ethical because no one could feasibly stop them. We've seen instances of hacking on these very forums and in popular media where misguided idealism will lead people to believe that seriously compromising security is well within their rights and entirely justifiable, going so far as to consider themselves heroes or martyrs for their defiance while men in the unit (or sometimes, horrifically en mass) must suffer the loss of service and sometimes more seriously money and personal identity in the name of that same heroism.

To take another more negative stance, I would suggest a lot of hackers aren't interested in being helpful. A lot of attacks performed will be done for the sake of satisfaction achieved by the hacker, which is why it bothers me a little to see such acts followed with a pious defence of their harmful behaviour as "doing us all a favour". It's of little comfort to those missing their names and wallets.

[Mendax]

Julian Assange - Wikipedia said:

Don't damage computer systems you break into (including crashing them);
Don't change the information in those systems (except for altering logs to cover your tracks);
And share information.

That is taken from the wikipedia page on Julian Assange. That is ethical (maybe except for the last bit, if it's something major, just tell the owner of the script) although, even though he never did anything wrong, he is still being hunted. Moral of the story: learn to work out the moral of the story

[Cranium]

As always, well said Nitro. I am always a strong believer of the golden rule, and I feel that it has guided me well so far in life.
If you don't want bad things to happen to you, then don't do it to others.There should be no reason to start an argument, or cause grief, because all it gets in return is more grief.

[Cranium]

Mendax, on 02 January 2013 - 04:22 AM, said:

Julian Assange - Wikipedia said:

Don't damage computer systems you break into (including crashing them);
Don't change the information in those systems (except for altering logs to cover your tracks);
And share information.

That is taken from the wikipedia page on Julian Assange. That is ethical (maybe except for the last bit, if it's something major, just tell the owner of the script) although, even though he never did anything wrong, he is still being hunted. Moral of the story: learn to work out the moral of the story

I just finished reading a book by Kevin Mitnick, one of the most notorious hackers. In his book, he always goes into systems just because he can. Yes, he does keep 'trophies', such as Sun Microsystem's source code for their newest project, but he never uses that information for personal gain. His style of finding loopholes is definitely in the realm of 'do no harm'(except when he causes grief for some naughty people).

[Loki]

Cranium, on 02 January 2013 - 04:30 AM, said:

Mendax, on 02 January 2013 - 04:22 AM, said:

Julian Assange - Wikipedia said:

Don't damage computer systems you break into (including crashing them);
Don't change the information in those systems (except for altering logs to cover your tracks);
And share information.

That is taken from the wikipedia page on Julian Assange. That is ethical (maybe except for the last bit, if it's something major, just tell the owner of the script) although, even though he never did anything wrong, he is still being hunted. Moral of the story: learn to work out the moral of the story

I just finished reading a book by Kevin Mitnick, one of the most notorious hackers. In his book, he always goes into systems just because he can. Yes, he does keep 'trophies', such as Sun Microsystem's source code for their newest project, but he never uses that information for personal gain. His style of finding loopholes is definitely in the realm of 'do no harm'(except when he causes grief for some naughty people).

I just read the preview of that book. (Yes, all of it) and i completely agree with you. I hack peoples programs quite alot so i can let them know what flaws they have in their system. I call them flaws because they arnt holes. A hole can be filled in, however a program can always be hacked. A program has no holes that can simply be filled in. however, a program does have flaws that can last forever. Im sure i could hack into the worlds most secure program ever if i had enough time and money.

[mibs3]

the only time i see hacking as ok is when your working with the company/person you are hacking and only doing so to find security issues and help fix them

[tesla1889]

you're forgetting that the first hackers were just college students who broke the locks off of windows to use their college computers at night (back when computers took up rooms).

hacking just means using a clever method to solve a problem.

cracking is writing malicious code to break through security in networks or computers.

[KaoS]

nitrogenfingers, on 01 January 2013 - 08:09 PM, said:

--snip--

That was very well put. you can explain yourself much better than I can... My view on hacking is very different though

I hack to "crack" systems as tesla1889 put it however my motivation for doing so is to gain personally, not to damage the owner, if he is inconvenienced in the process I can live with that as I expect that in return. as a coder people have always tried to hack my programs and sometimes succeeded with... unwanted... results and I hold no personal grudge against them as this is common behavior.

perhaps my view on this is a result of my competitive nature and I will continue to hack for personal gain however I do not justify it as "doing them a favor" or in any way absolve myself of the blame. if I am caught then they will attempt to retaliate and that is fine. I will not willingly allow myself to be retaliated against but once again I will not blame the person retaliating

[billysback]

Simply put I believe that the ethics of hacking is case specific,
you cannot simply say all hacking is bad nor say all hacking is good, obviously people hack for personal gain at the cost of someone else but people also hack with other people in mind.

There are the very obvious examples of "ethical" hacking groups, such as Anonymous
There have also been some very public examples of people hacking to point out security holes but resulting in a service going down for several weeks, if not months, one such example is the hacking of PSN, although it is still unknown who did this (it is presumed to be Anonymous though that hardly narrows it down) the intensives were clear and, in some ways, ethical. However it got out of hand and the hack resulted in not only PSN going down (which meant they had affected the users, something they try to avoid) but also that apparently PSN user's money was being taken and spent. Anonymous claimed that they were attempting a "cease fire" on PSN and were not attacking PSN at this time... These are of course, big time example and because of the amount of attention a group will get from attacking big time companies or sites such as PSN there reasons must be ethical to at least some else they will get no support and a lot of hate, usually something they want to avoid.

[tesla1889]

i am forever grateful for the works of Anonymous, but they often attack the wrong people. Anon should be focusing its efforts on china and north korea, breaking through security such as the great firewall of china

[D3matt]

WTF I thought I made a post on this thread, but it's gone...

[Loki]

tesla1889, on 03 January 2013 - 10:02 PM, said:

you're forgetting that the first hackers were just college students who broke the locks off of windows to use their college computers at night (back when computers took up rooms).

hacking just means using a clever method to solve a problem.

cracking is writing malicious code to break through security in networks or computers.

Thats a good way of putting it. A program is always hackable. Like a lock is always pick'able. (Pick a boo! I see you!)

[TheOddByte]

Cranium, on 02 January 2013 - 04:30 AM, said:

Mendax, on 02 January 2013 - 04:22 AM, said:

Julian Assange - Wikipedia said:

Don't damage computer systems you break into (including crashing them);
Don't change the information in those systems (except for altering logs to cover your tracks);
And share information.

That is taken from the wikipedia page on Julian Assange. That is ethical (maybe except for the last bit, if it's something major, just tell the owner of the script) although, even though he never did anything wrong, he is still being hunted. Moral of the story: learn to work out the moral of the story

I just finished reading a book by Kevin Mitnick, one of the most notorious hackers. In his book, he always goes into systems just because he can. Yes, he does keep 'trophies', such as Sun Microsystem's source code for their newest project, but he never uses that information for personal gain. His style of finding loopholes is definitely in the realm of 'do no harm'(except when he causes grief for some naughty people).

I just gonna say that It sounds like a pretty good book and
I'm gonna see if I can get a hold of it!

[Cranium]

Hellkid98, on 13 January 2013 - 08:10 AM, said:

I just gonna say that It sounds like a pretty good book and
I'm gonna see if I can get a hold of it!

I definitely recommend it. It really makes me wish I had some of his skillz.

[RunasSudo-AWOLindefinitely]

Loki, on 04 January 2013 - 11:27 AM, said:

A program is always hackable. Like a lock is always pick'able.

You can't really compare the two. A lock is designed to be able to be undone. A program is not.
It's sort of like saying any hashing algorithm can be cracked because encryption can be cracked too.

[Cranium]

Well, to be honest, it is really true. There does not exist a single system, whether that be mechanical or computational, that cannot be hacked/cracked/bypassed. Yeats ago it was thought that we would never be able to crack the human genome. That by far has been the most difficult cryptological puzzle in the last several years in my humble opinion.
Given enough time, patience, and resources, anything can be cracked. The discussion I wanted to emphasize was what to do after said system has been cracked. Do you take that flaw to the owner to be patched, or do you do as much damage as possible to leave a 'calling card'?
Personally, I have never had a reason, the skill, or the opportunity to do such a thing. However, being the nice guy that I am, I would most likely report the issue.

[NeverCast]

Actually computers in some ways are exactly like padlocks, In the most simple form, it's access control, Let in someone, but not everyone.

But then you have the other end of it, instead of a padlock, you have a giant solid wall, instead of a password.. you have no remote or local login, instead of a computer having a connection to the outside world, it doesn't.

There ARE programs that can't be hacked, simply because to gain access, access has to have been intended for someone at some point. If a computer has a shell daemon, it's there because it's intended to be, getting in without the appropriate credentials is then it's flaw.

Just wanted to say this to clear something up, If someone didn't want anyone or anything having access to a system, not even themselves. Security is easy. It's the Access CONTROL part that is what makes a system from a padlock to an advanced authentication system vulnerable.

Anyway, this doesn't address the OP, Ethics of hacking. All the hacks I've done in the past I'd like to hope didn't damage any services, and if they did, I probably wouldn't apologize not because I'm a horrible bastard, just because I wouldn't wanna be caught for damaging something I'd never intentionally deface or damage anything, Some of my friends in the past have found it to their entertainment to disrupt services and deface websites. For me I find that wrong, But I don't mind attempting to exploit some access control for the sake of seeing if it can be exploited.

If someone posted some access control system on these forums, I'd download it, and I'd try and crack it. Then I'd tell them, and depending on their level of understanding I'd either correct them on where they went wrong and help them, or say nothing and let them figure it out because they might not understand why it was insecure anyway.

Wow I feel like I've written a lot but nothing at all, No where near as literate as nitro, Whom's post I agree with entirely for the most part. I'm not sure how actively he would seek to check for exploits, but I actively check most systems I see, maybe only for a few seconds, but always.. I just find it interesting to see what habits people have, You wouldn't believe how common a passwords.txt file is.

In the end of the day, I do it to learn, not to damage property. That's my stand on it