Learn from the Experts LearnKey Newsletter
January 2009


Ethics and Hacking: Are these two words complementary?


Written by: LearnKey Expert Tom Carpenter


When many people think of a hacker, they think of a criminal or a person with bad intentions. This thinking may come from media coverage or Hollywood movies, but it may shock you to discover that it is not necessarily an accurate conception of a hacker.

I remember working on my Commodore 64 computer in the 1980s. I would write my own programs to manipulate the various components in order to learn how they actually worked. Many times I intentionally designed code that worked differently than the reference manuals indicated that it should. I did this in order to discover methods around limitations in the hardware. In those days, personal computers were seldom networked and this type of hacking was limited to the local machine.

In the late 1980s and early 1990s, I began to work heavily with networking technologies. This timeframe saw the launch of the modern network hacking community. Network and systems hackers sought to discover weaknesses in security solutions in order to improve the strength of their security. They looked for solutions to known vulnerabilities and for new vulnerabilities that needed remediation.

This movement continues today. Thousands, possibly millions, of hackers around the world work from an ethical perspective. During the filming of the LearnKey Certified Ethical Hacker training program, I had the opportunity to interview Johnny Long (also known as j0hnny). In the video, you will learn about the organization Johnny started known as HackersForCharity.org. This interview reveals the real positive work that is being performed by hackers all over the world. From building websites for non-profit charitable organizations to feeding hundreds of hungry families in Africa, HackersForCharity.org reveals the true heart of this movement.

All of this information does cause many to ask a question: If hackers are not bad, what do you call an attacker who does actually want to harm systems or steal information and resources? The general term for such an individual is cracker. A cracker is someone who hacks with malicious intent. A hacker is someone who hacks with positive intent. These uses are the proper uses of the terms from the perspective of the computer security industry; however, we are not likely to change the view of the popular culture any time soon.

During the writing of this article, I visited Wikipedia to see how the term hacker was used. Here is an excerpt from the Wikipedia article:

In common usage, hacker is a generic term for a computer criminal, often with a specific specialty in computer intrusion. While other definitions peculiar to the computer enthusiast community exist, they are rarely used in mainstream context. SOURCE: http://en.wikipedia.org/wiki/Hacker_(computer_security)

As you can see from this opening statement, the author of the Wikipedia article certainly prefers the popular definition over the definition given the term by the actual community that celebrates the art of hacking. This author is not alone. The vast majority of people I’ve spoken with also think that a hacker is a criminal. For this reason, I think it is very important that we place a heavy emphasis on the word ethical. You want to be a Certified *Ethical* Hacker instead of a Certified Ethical *Hacker*.

How do you accomplish this goal? There are three keys to acting in a manner that will be perceived as ethical by your clients, customers or employer.

  1. Perform only authorized acts.
  2. Provide full disclosure.
  3. Never share information about your clients.

The first behavior, performing only authorized acts, is of the utmost importance. As an ethical hacker, you should gain permission to perform specific actions and then limit your activity to those approved actions. Due to the nature of the individuals drawn to the world of hacking, it is often tempting to go one step beyond, thinking things like, “The approved method didn’t work, but I think this other trick I know may get me into the system.” This temptation comes from the pure motives of curiosity and the desire to help the client. The only problem is that the additional method is not approved. When you live by the second behavior and provide full disclosure, it will be obvious to the client that you went beyond the agreement, and this will be perceived as unethical.

Sometimes the ethical hacker is tempted to leave some information out of the penetration testing report. I don’t think this temptation arises from a desire to store up secret back door entry points into organizations. In discussions with other penetration testers, it’s clear that this temptation comes from a desire to protect the ego of the client. Sometimes, the client’s environment is so woefully insecure that it is difficult to heap the coals of embarrassment on the head of your contact. But, in order to be ethical, it must be done.

The third step to an ethical hack is actually an ongoing commitment. By assuring your clients or employer of their privacy, you go a long way toward gaining and maintaining their trust. After all, isn’t that what ethics is all about? We trust an ethical person and we mistrust an unethical person.

At this point, you might be wondering how you go about gaining permission to perform certain actions and what you should include in the post pen-test full disclosure report. All of this is covered in the objectives of the CEH certification and in the LearnKey training that helps you prepare for the same certification. While you do not have to be a CEH professional to perform penetration tests, it will definitely help you place more emphasis on the ethical and less emphasis on the hacker. In today’s popular culture, this is very important.