A word on ethics, hacking, and ethical hacking
No discussion of software vulnerabilities or the techniques used to exploit them should proceed without understanding the ground rules. There are ultimately two ways to apply one's knowledge of cybersecurity: for good or for harm. "For good" means we employ our skills with the end objective of improving security; "for harm" means we seek to damage people, either directly or by enabling others to do so. One might say that the do-gooders are "white hats", or "ethical hackers", and that the crooks are "black hats"; "gray hats" are nominally do-gooders but often behave more like mercenaries looking for a payout. These terms are imprecise, and they don't address the many nuanced ethical positions in which cybersecurity professionals find themselves: how, and to whom, should one disclose a newly discovered vulnerability in order to best improve security? How, and to whom, should one teach and publish hacking techniques in order to keep networks and software healthy?

The ethics of hacking "for good" are generally utilitarian: act so as to bring about the greatest good for the greatest number, though the "amount of good" tends to be a challenging thing to calculate in practice. Some researchers make it easy: disclose vulnerabilities only to those directly in control of fixing them (what is usually called coordinated disclosure). Period. But sometimes it's not so easy: the vulnerability may lie in an industry standard that no single party controls, or the developer may be intransigent, unconvinced that a fix is needed. In these cases, security researchers have been known to release exploit code or a hacking tool to the public (full disclosure), ultimately with the hope of forcing a security improvement. Innocents are undoubtedly harmed by this; however, the action might be justified if the eventual fix protects a great many more from the vulnerability than the release exposes. There is, indeed, a certain viciousness to the cycle: the researchers are forcing a mitigation for a tool they themselves developed. The rationale is that if they hadn't built it, someone else would have. Perhaps. As I said, the greatest good for the greatest number is a tricky thing.

The articles on this site discuss, in some detail, various tricks of the hacking trade. Publicly known tools are discussed; some are improved upon. Some new tools are described and source code is provided. Despite this, we have an exceedingly low tolerance for harming others; we're actually rather dubious of the whole utilitarianism thing. Therefore, nothing disclosed here lacks a known fix: we never get ahead of the defenders in the cybersecurity arms race. Our philosophy is that in order to protect something, to really defend it, you've got to know it inside and out. This includes knowing where it breaks, and understanding how it can be made to do things it wasn't engineered to do. Any cyber defender worth their salt is also a penetration tester: they should be routinely devising ways around and through their own protections. After all, the best defense is a good offense, particularly when turned on oneself.

In summary, we hope to educate so that networks and systems can be better secured, even though this inevitably means handing tools and know-how to the occasional unscrupulous scoundrel. So, as to your end of the social contract: don't use this information to harm others. Those are the ground rules.