Why hacking is healthy

For the typical layperson, the word "hacker" evokes a very specific image: a mysterious, malicious, digital intruder. If you look in the hacking community, however, you are unlikely to find anyone matching that description.

By David Raikow, Special to ZDNet

For the typical layperson, the word "hacker" evokes a very specific image: a mysterious, malicious, digital intruder -- the PC-age equivalent of a cat burglar, waltzing through networks, past locks and alarms, to steal data at will.

If you look in the hacking community, however, you are unlikely to find anyone matching that description.

Indeed, hacking does not necessarily have anything to do with computer security; while there are certainly those who "hack" their way into systems, the term itself has more to do with a desire to understand technology. The Jargon File -- the nearest thing to a standard hacking lexicon -- defines the word "hacker" as "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities."

Mark Loveless, Senior Security Analyst for Bindview Corp., puts it more succinctly: "Hackers take things apart to figure out how they work."

Loveless, better known to other hackers as "Simple Nomad", contends that the ethics of hacking are more complex than the common image would suggest.

"The hacking community is just like society at large," he says. "There's a minority who are scrupulously respectful of the law, a majority who bend the rules now and then, and a minority who are outright criminals."

The first group -- sometimes referred to as "white hat" hackers -- spend their time hunting for software glitches, security vulnerabilities, and new approaches to hardware or software problems. They work largely within the confines of their own computers or networks; when they make use of other systems, they gain permission first.

But the majority of the hackers behind the keyboard are best described in shades of gray.

Gray hats, black hats, and script kiddies

According to Loveless, the bulk of the hacking community is comprised of "gray hats" who, for the most part, respect the law.

"(But) like other law-abiding citizens, we respect some laws more than others," he says. "Most people wouldn't dream of stealing a stereo, but wouldn't hesitate to steal cable service. Who hasn't broken the speed limit?"

"Gray hats experiment with the gray areas as a means of learning more," says "Oxblood Ruffin," the "Foreign Minister" of well-known hacker group Cult of the Dead Cow (cDc). "Of course people go overboard -- most of these guys are kids who don't always think through the consequences of their actions -- but there's usually no evil intent."

Of course, there are "black hat" hackers. Most observers agree that some are pretty close to the public image of the hacker. You're not likely to run into any of these folks, however; if they do exist, they represent a miniscule fraction of the population -- perhaps 100 individuals worldwide -- and are obsessively averse to publicity.

There are also otherwise average members of the hacking community who maliciously attack systems for money, or to promote some political agenda, or simply for kicks.

The great bulk of high-profile security breaches, such as Web-site defacements and denial of service (DoS) attacks, aren't the work of hackers at all. Most culprits know very little about computer or network security but instead rely on ready-made tools to launch attacks they themselves do not understand. Indeed, many argue that web defacements are always the sign of a "script kiddie" or "packet wanker", as they are called, because they require almost no technical sophistication.

"These are kids getting their kicks," says Oxblood Ruffin. "Ten or twenty years ago, they would have been spray painting walls or throwing rocks through windows. It takes about as much skill."

The security ecology

If hackers aren't necessarily out to get you, just what role do they play in computer security? Probably a bigger one than you think, according to security guru Richard M. Smith.

"Hackers represent a vital niche in the whole ecology of network security," he says.

The hacker's most important security role is as the "bugspotter". Many attacks on computer systems exploit software weaknesses: either mistakes in the underlying code, or unexpected used of known features. These glitches are an inevitable part of the development process, and some will always get by even the best programmers and make their way into shipping software. Few, if any of these bugs can escape the intense scrutiny of the hacking community for very long, however. As a whole, the community represents a testing ground far more effective than any one corporation could ever construct.

Working under the same "full disclosure" philosophy that underlies the Open Source movement, hackers hunt down these bugs and bring them to the public's attention. This is a controversial practice; while most hackers at least give software companies a chance to release a patch before announcing their finds, many argue that bug reports provide the black hats with tools they wouldn't otherwise have.

But such speculation might give too much credence to the threat that black hats pose.

"The good guys often overestimate the bad guys," says Smith. "The bad guys are often pretty lazy, and won't find holes unless someone else points them out."

Still, it's a pervasive fear. Last year, Microsoft cried foul after security firm eEye publicized a major hole in its server software, stating that "responsible security companies do not provide tools that can be used to attack innocent people."

Keeping the industry honest

Most observers concur, however, that on the whole, bug reports are an important part of improving security. According to Mike Fuhrman, manager of security consulting at Cisco Systems, "When they publish bugs to the world and don't give us an opportunity to fix them first, it can be frustrating. But at the same time, it does keep us on our toes, and keeps the industry honest."

Oxblood Ruffin is more blunt: "Most merchants treat these problems as a PR issue, and aren't going to fix them unless we keep their feet to the fire."

Many hackers also capitalize on their skills by earning a living as security engineers or consultants. Indeed, many firms rely heavily on hackers' talents to hunt down potential problems.

"Tweety fish", a member of both the hacker group L0pht Heavy Industries and the cDc, claims this practice is more prevalent than you'd think.

"If a company says 'We don't hire hackers', well, either they're lying, or they're sacrificing competence for a clever PR ploy," he says.

Some have taken this idea a step further, offering penetration testing or "ethical hacking" services. For a fee, these hackers will launch a controlled attack on your network in order to test your defenses. While this is often a risky proposition, particularly when it may be impossible to assess a hacker's skills or distinguish between white, gray, and black hats, the practice has gained so much popularity that large, mainstream companies are beginning to offer it as a service.

Cisco Systems, for example, has a team specifically dedicated to penetration testing services.

"We think it provides a useful snapshot of a given network's security issues, and uncovers problems that can't be found any other way," says one Cisco spokesperson.

You may not be aware of it the next time someone tries to break into your computer. If your defenses hold, however, you probably have a hacker to thank for it.