SHOULD HACKING BE LEGAL?

 

INTRODUCTION

 

Hacking is probably one of the least understood subjects in the realm of the Internet, yet it touches upon some of the most vital and sensitive areas of network computing. Most of the time, hacking is misinterpreted to mean cracking. This is untrue and does a disservice to some of our most talented programmers. Most people say hacking is bad when in actual sense it is cracking which is actually bad. This essay attempts to throw more light on the meaning of hacking, the difference between hacking and cracking, and why hacking should be legal.

 

HACKING

 

A hacker used to be defined as "One who is proficient at using or programming a computer; a computer buff." However, this use has been turned around now, to mean that of a cracker -"One who uses programming skills to gain illegal access to a computer network or file." [1] Hackers seek to understand computer, phone or other systems strictly for the satisfaction of having that knowledge. They wonder how things work, and have an incredible curiosity. They will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in. [2] Hacking is the act of Innovating, especially in the computer world. Hackers write programs and solve problems. [3] They hack to test their programming skills and their intellectual abilities with no intention of committing fraud or causing harm. They are intensely interested in the arcane and recondite workings of any computer operating system. Most often, hackers are programmers. As such, they obtain advanced knowledge of operating systems and programming languages. They may know of holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data. [4] Hackers in most cases are contracted by companies to test the I.T. security of such companies.

 

Some people refer to hacking as “ethical hacking” to differentiate it from cracking. I will use the term ethical hacking interchangeably with hacking. In this write up, they both refer to the same thing.

 

CRACKING

 

Cracking on the other hand is hacking with criminal intent.[5] A cracker is the common term used to describe a malicious hacker. Crackers get into all kinds of mischief, including breaking or "cracking" copy protection on software programs, breaking into systems and causing harm, changing data, or stealing confidential information. Crackers break trust and create problems. Crackers hack for the purpose of immediate or long term financial benefits.

 

Hackers regard crackers as a less educated group of individuals that cannot truly create their own work, and simply steal other people's work to cause mischief, or for personal gain. [6] Hackers HATE crackers because crackers have given them a bad name.

 

 

 

 

DIFFERENCE BETWEEN HACKING AND CRACKING

 

The main difference between hacking and cracking is that hackers try to make things, while crackers try to break things. Hackers program websites (among other things) and they do not try to harm the work of others as is thought in today’s society. Hacking is a skill. [7] Cracking on the other hand is any and all forms of rule-breaking and illegal activity using a computer including wilful destruction against a system with criminal intent.

 

In my opinion, hacking is good and should be made legal once it is not cracking. There are several good sides to hacking. The following paragraph looks at a few.

 

GOOD SIDES TO HACKING

With the growth of the Internet, computer security has become a major concern for businesses and governments. Most businesses want to be able to take advantage of the Internet for electronic commerce –which is a major source of revenue- , advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “cracked”. They are worried about losing confidential data about their customers. At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses. They want to be sure their personal details are safe and secure in the hands of these organisations and businesses.

In their search for a way to approach and solve the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these “tiger teams” or hackers would employ the same tools and techniques as the intruders or crackers, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems' security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers and has been effective. In one early ethical hack, the United States Air Force conducted a “security evaluation” of the Multics (Multiplexed Information and Computing Service) operating systems for “potential use as a two-level (secret/top secret) system.” Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had “vulnerabilities in hardware security, software security, and procedural security” that could be uncovered with “a relatively low level of effort.” The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder or cracker could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe hacking activities within the U.S. military. [8] The use of hackers in this scenario saved the US government the embarrassment of crackers taking advantage of the vulnerabilities found in the system.

Today, organizations face global risks once their computing infrastructures are externally exposed. Ken Brandt (Co-founder and Managing director of Tiger Testing, a firm that specializes exclusively in ethical hacking) believes that hacking can be a strong weapon in the information security professional’s arsenal to help mitigate that risk. No matter how extensive and layered the security architecture is constructed, Ken believes that an organization does not know the real potential for external intrusion until defences are realistically tested. This is where hackers come to the rescue.

 

In his article “The Case For Ethical Hacking”, Ken advises that every organisation should organize a hack attack on their systems once a month - at varying and random times each month – to avoid potential risk of a real cracker cracking into their system. [9]

 

Steven Lipner, a senior security analyst for the Microsoft Corporation also believes that hacking is a good thing. In an interview on the Hackers in the Twenty-first Century Conference (2002), he admitted that Hackers frequently find bugs in Microsoft products before they (Microsoft) do. In his words “We work very cooperatively with a lot of them (hackers) and we will work with anybody who reports information to us that we need to know to protect our customers. We do ask them (hackers) when they report to keep those vulnerabilities private until we can fix the problem, assuming there is one”. [10]

 

I believe there are several advantages of hacking, the obvious one being that companies can easily identify loopholes in the security of their systems. Despite these good sides to hacking, there are also bad sides to it. In my opinion, the good sides out weigh the bad.

 

BAD SIDES TO HACKING (CRACKING)

 

As explained earlier, hacking can be bad if done with the intention of committing a crime or causing harm. This is termed cracking. There are several cases of cracking on the Internet. The motive behind them is usually political, for selfish monetary gain or for mischief. In all cases of cracking, the truth still remains that the crackers exposed a threat to a system/network which the security administrator in such an organisation should have known of, especially if they employed the expertise of a hacker.

 

The case of three Germans in Bremen, West Germany that were hired by the Soviet KGB during 1986-1989 to hack into U.S. Government systems easily comes to mind when talking of the down sides to hacking. They penetrated Pentagon systems, NASA networks, Los Alamos National Laboratories and Lawrence Berkeley Laboratories. They were detected by Clifford Stoll, at Berkeley, when he checked out minor discrepancies in the account billings. Stoll later wrote the popular book, The Cuckoo's Egg, about the case. The three hackers were arrested and convicted of espionage. [11] This is clearly a case of politically motivated cracking.

 

It is true that the three Germans hacked into the U.S. government’s systems illegally, but the question we could ask ourselves is that if their system was not hacked, would the U.S. government have known that such vulnerabilities existed and worked hard to cover them up?

 

There is also the case of a security engineer in an I.T. company who got fired for hacking into the company’s system without prior permission from his boss. There are unanswered questions to his true intentions for hacking the system. According to him, he said he was doing his job, because he was able to detect loopholes in the system’s network that would erstwhile have gone unnoticed and would probably be entry points to crackers. [12] I tend to agree with him on this.

 

It is obvious hacking is of great benefit to any IT organisation, hence should be legal.

 

THE GOVERNMENT AND HACKING

 

Presently hacking is illegal in most countries.  In the UK, anyone hacking a computer could be punished with 10 years' imprisonment under new laws.[13] In Singapore, the anti-hacking law allows police to take "pre-emptive action'' based on credible information even before hackers strike, in order to protect computer networks from unauthorised entry.[14] It is argued that this particular law is harsh as it can be misused by the police. In Germany, it is an offence to create, sell, distribute or even acquire so called Hacker Tools that are built to conduct criminal acts like acquiring illegal access to protected data. It is feared by many that this might keep administrators and security experts from doing their job – i.e. from properly testing applications or networks to enhance security [15]. In the US, anyone found guilty of hacking can spend up to 10 years in prison.[16]

 

It is my opinion that these laws are rather too harsh and should be targeted at crackers not hackers. Laws should be put in place to legalise hacking and not cracking. To show how much I.T. security personnel want hacking to be legalised, the EC-Council (The International Council of Electronic Commerce Consultants ) has released a certification called Certified Ethical Hacker (CEH). Its goal is to certify security practitioners in the methodology of ethical hacking. This vendor neutral certification covers the standards and languages involved in exploits of crackers. It covers how vulnerabilities in a system can be exposed and countermeasures one can take to mitigate against the threat of crackers in any system, stressing the fact that hacking should only be done legally and with the written consent of the organisation whose system is being hacked.

 

WHY WE MUST HAVE HACKERS

 

It is my opinion that hacking should be legal as hackers are a necessary “evil”. Also, Organizations must secure their IT infrastructure and networks from crackers. Just as corporations employ auditors to routinely examine financial records, so should corporations audit security policy. Lack of real financial audits can cause a great deal of havoc in corporations so also can lack of hacking an organisation’s network system can create an avenue for crackers to operate. Just as accountants perform bookkeeping audits, hackers perform security audits. Without security audits and compliance controls, no real security exists. The only effective security audit in my opinion is hacking.

 

If hackers do not hack a system to expose vulnerabilities in that system in order to take preventive measures, crackers will crack into such a system and take advantage of the loopholes in such a system to cause havoc. There are several individuals waiting to test and probe an organization's security stance. These individuals range from government and corporate spies, to crackers, script kiddies, or those who write and release malicious code into the wild. Their presence in any network in not a good thing. [17] Hacking is the only way to mitigate against such individuals.

 

CONCLUSION

 

Government in most countries have very strict rules that do not draw the line between hackers and crackers. These laws should be revised to differentiate between the two. Laws on hacking should be relaxed while those on cracking should be tightened.

 

The law must clearly define what ‘cybercrime' is and state clearly that hacking is not one of them. Cracking is. Making hacking a crime, one will have to charge every single proficient and competent computer programmer in the country [18]. 

 

My advise to companies that take part in e-commerce transactions is simple, “Allow hackers hack your systems (they will cause no harm, they could do it for free) to expose the vulnerabilities that exist in your system before the crackers get to them because the effect of a cracker’s attack might be irreversible and very expensive.

 

Hacking should be made legal, as it is, in my opinion the only secure way to detect vulnerabilities in any I.T. System.