
Ethical Hacking: The security justification redux

Conference Paper · February 2002


DOI: 10.1109/ISTAS.2002.1013840 · Source: IEEE Xplore


All content following this page was uploaded by William Yurcik on 03 July 2014.

Copyright 2001. Published in the Proceedings of the Ethics of Electronic Information in the 21st Century Symposium (EEI21), University of Memphis, Memphis TN USA, October 18-21 2001. Personal use of this paper is permitted, however, permission to reprint/republish this work or any component of this work in other works must be obtained from McFarland & Company, Inc. Publishers.

Ethical Hacking: The Security Justification

Bryan Smith, William Yurcik*, David Doss

Illinois State University
Dept. of Applied Computer Science
{basmit3,wjyurci,dldoss}@ilstu.edu

Abstract

The state of security on the Internet is poor and progress toward increased protection is slow. This has given rise to a class of action referred to as “Ethical Hacking”. Companies are releasing software with little or no testing and no formal verification and expecting consumers to debug their product for them. For dot.com companies time-to-market is vital, security is not perceived as a marketing advantage, and implementing a secure design process is an expensive sunk cost, so there is no economic incentive to produce bug-free software. There are even legislative initiatives to release software manufacturers from legal responsibility for their defective software.

Ethical hackers find bugs and fix bugs. In the process they beta test software for companies in exchange for access and information. They scan networks for bugs and share information about software bugs over the Internet. When alerting a software company to a bug, there is an expectation that they are helping, but sometimes software companies do not respond in kind. Thus Ethical Hackers often take it upon themselves to disclose sensitive information they have themselves discovered, in a form of blackmail to motivate software vendors into action. There is an incredible ambiguity in that sometimes the Ethical Hacker is a respected university professor who is perceived as doing a service to the Internet community and sometimes the Ethical Hacker is a suspicious foreign student who is perceived as a malicious cracker. It is not clear that without Ethical Hackers the Internet would be a more dangerous place.

* Corresponding author; additional contact information: telephone/fax (309) 556-3064/3068; hardcopy mail: 45 Oak Park Road, Bloomington IL 61701 USA

Introduction

Hacking has come to have many different and often conflicting definitions. Hackers do not require certification; anyone can say they are a hacker. For the purposes of this paper we define hacking as the software methodology to achieve a particular goal using self-taught programming experimentation “to make rough cuts” (Murray 2000). Celebrated incidents of unauthorized computer intrusions into computer systems have been attributed to hackers due to the extensive programming experimentation needed to achieve success.

Computer intrusions are considered to be unethical and laws have been passed to prosecute such behavior. Spafford clearly states that computer intrusions are ethical only in life-saving circumstances (Spafford 1992). Once hacking ability is used to commit a crime, the hacker becomes a criminal. However, a new class of “ethical hackers” has arisen who believe that probing for computer intrusions, a legal activity that provides sensitive information, provides an altruistic service to increase both local and global Internet security by exposing and fixing security flaws.

The debate between “ethical hacking” and criminal intrusion dates back to the very first widespread Internet virus, the Internet Worm of 1988. Robert Morris was convicted for intrusion damage caused by the Internet Worm, but his defense lawyers argued that he had provided a service in exposing security flaws (Eisenberg et al. 1995, Spafford 1992).

Ethical hackers use their knowledge to help improve system security. Upon discovering a security flaw, they do not exploit the flaw; they fully disclose all relevant information to the affected users of the systems, software companies, mailing lists, trade press, or popular media. In contrast, unethical hackers (crackers) gain unauthorized access to subvert systems. Statistics show that the motivation of unethical hackers has changed from the pursuit of knowledge and the desire for challenge to the new lures of money, power, or political purposes (hacktivism) (Palmer 2001). They privately share their knowledge of security flaws, maintain unauthorized access, and do damage to systems (Goslar 2001).

The Problem

If history is any indication, the information technology community is incapable of constructing networked information systems that can consistently prevent successful attacks (Evans 2001). The natural escalation of offensive threats versus defensive countermeasures has demonstrated time and again that no practical system can be built that is invulnerable to attack. Even an organization where network and computer security is paramount, such as the US Department of Defense, has continuously demonstrated how susceptible it is to attack.

We posit that the main factor contributing to the poor state of security on the Internet is the lack of quality software testing. The intellectual complexity associated with software design, coding, and testing virtually ensures the presence of “bugs” in software that can be exploited by attackers. Most software today is tested for bugs by the penetrate-and-patch approach: when someone finds an exploitable security “hole”, the software manufacturer issues a patch.

This approach has proved inadequate, since after-the-fact security leaves bug vulnerabilities open until they are exploited. However, software manufacturers find this approach economically attractive: why invest time and money in assurance testing if consumers are not willing to pay a premium for secure software? Time-to-market survival dictates that software is released as early as possible, often with serious undetected security flaws (Zimmerman 2001).

The problem presented by lack of quality testing is also exacerbated by automated attacks, operating system homogeneity, and poor practices. Devastating attacks appear in executable scripts that can be downloaded to anonymously target systems anywhere in the world. The homogeneity of operating system software from the same manufacturer (i.e., Microsoft Windows) makes it possible for a single-attack strategy to have a wide-ranging and devastating impact. Poor system administration practices result in a system remaining susceptible to vulnerabilities even after corresponding patches have been issued by software manufacturers. It has been estimated that over 90% of all Internet attacks would have been deterred if system administrators had implemented the most current versions of their system software (Schneier 2000).

The Scanning Solution?

Testing for security flaws appears to be a natural attraction for many hackers: it is both challenging and contributes to the public good by exposing and patching vulnerabilities. Manual testing has evolved into automated programs scanning a network of computers for known weaknesses (de Vivo 1999). Scanning is not a one-time fix: new software versions bring new bugs, and new security flaws that can be exploited are discovered. The frequency of the scan will depend on the software lifecycle of the systems involved and the ability to clean up vulnerabilities; it makes no sense to discover weaknesses if they are simply ignored.

In 1995 Dan Farmer introduced a scanner called SATAN (Security Administrator Tool for Analyzing Networks) (Freiss 1997, Farmer 1993). Unlike previous automated scanners that ran on the particular system being analyzed, SATAN could analyze any system accessible over the Internet. The dual nature of SATAN was quickly understood even in the mass media: Newsweek published a brief article “SATAN: Friend or Foe?” (April 3, 1995). Proponents of SATAN view it as a system administration tool to find bugs to prevent intrusions. Opponents of SATAN view it as an easy-to-use tool an inexperienced hacker can use to bring down systems all over the Internet.

Hypocrisy: Beta Testing, Penetration Testing, and Hacking Contests

As a whole, the hacker community represents a testing environment far more effective than any one corporation could ever construct. Ethical hacking has become institutionalized by most major software companies in the form of “beta” testing new software with select groups of customers who will stress test and report back information about defects (e.g. extensive beta testing of Microsoft’s Windows XP). Often the only reward for the “beta” testers is privileged access to the software. This may work well for testing software performance, but security bugs do not often show up in “beta” testing unless the testing is done by security experts or a security bug is stumbled upon (Schneier 2000). In the rare cases where a security flaw is discovered by beta testers, fixing the bug may not be a high priority for the software vendor, and “ethical hackers” have sometimes had to resort to a form of blackmail (threatening release of bug information to mass media) to motivate action.

Some firms offer penetration testing or “ethical hacking” services (IBM Consulting). For a fee ($15K to $200K), a red team will launch a controlled simulated attack to test known vulnerabilities and report back corrective patches that need to be installed (Wood 2000). An overall evaluation of a system’s security will focus on these three questions (Palmer 2001):

(A) What can an intruder see on the target system?

(B) What can an intruder do with the information from (A)?

(C) Does anyone at the target system notice the intruder’s attempts or successful attacks?

The hypocrisy in penetration testing is that organizations are paying hackers to attack with the same behavior that they would legally prosecute under any other circumstances. The irony of penetration testing is that it is only superficial; real attacks will exploit unpublicized vulnerabilities, and the most attractive red team employee may be a “reformed” cracker-for-hire: who better to test your system than the kind of people who may break in? (Koch 2000, Winkler 2000, Marr 1999). If outsourcing penetration testing, trusting contractors becomes important because real things can be damaged and sensitive security details will be revealed. Public perception of the integrity of an organization’s information assets may be more important than an objective technical security assessment. Lastly, quantitative system security assessments need to be mapped to an organization’s subjective risk profile; all vulnerabilities do not have equal risks and there are different probabilities for exploitation (Palmer 2001):

(A) What are you trying to protect?

(B) What are you trying to protect against?

(C) How much time, effort, and money is the organization willing to expend to obtain adequate protection?

Hacking contests are promoted by organizations for two reasons: to publicize the supposed security of a product against sustained hacking and to use the hacking community to harden software that has not been adequately tested. These contests are generally unfair and the prize money is not scaled to the level of effort required, but they still remain very popular, even causing network congestion (Baltazar 2000, Schneier 2000, Solomons 2000). The hypocrisy in contests is that organizations are paying (prize money) and thus encouraging the same expertise they would legally prosecute under any other circumstances.

Conclusions

Security on the Internet is broken and “ethical hacking” has evolved as part of the potential solution. Ethical hacking is fixing a system by compromising it; destructive testing in other domains has a long history of achievement, but it is not clear that this technique is applicable for Internet security.

A security hole on one computer is not just an isolated problem, as demonstrated by recent distributed denial-of-service attacks: processes on compromised computers can be used to attack other systems worldwide. At present, the Internet has poor security and “ethical hacking” may be one of the most effective ways to proactively plug rampant security holes. “Ethical hackers” see themselves as a necessary part of a larger vanguard protecting freedom and privacy in addition to security.

On the other hand, “ethical hacking” tools (such as scanners) have also been notorious tools of malicious attackers. A fine line exists between hacking for the public good and releasing scanning tools that enable malicious attacks. Trying to fix the Internet security problem with automated tools over a wide scale may have actually made the Internet less secure taken as a whole.

We have focused in this paper on technical aspects of what may intrinsically be a non-technical problem. If human intent does indeed dominate, then technical solutions will not suffice and instead solutions will need to focus on behavioral modification. Internet security is a complex problem, and while altruistic behavior such as “ethical hacking” may make a difference (not sure in which direction), there need to be stronger incentives for software vendors, system administrators, and users to do the right thing.

References

Baltazar, Henry. June 26 2000. Hacker Attacks Welcomed. eWeek 30, 34.

de Vivo, Marco, Eddy Carrasco, Germinal Isern, and Gabriela O. de Vivo. April 1999. A Review of Port Scanning Techniques. ACM SIGCOMM Computer Communications Review, 2: 41-48.

Eisenberg, Ted, et al. 1995. The Computer Worm: A Report to the Provost of Cornell. In Computer Ethics & Social Values, ed. Deborah G. Johnson and Helen Nissenbaum, Prentice Hall, 60-89.

Goldstein, Emmanuel. Interview within “Two Views of Hacking: ‘Hackers are Necessary.’” CNN Interactive. <http://www.cnn.com/TECH/specials/hackers/qandas/goldstein.html>

Ethical Hacker. 1999. IBM Consulting e-business advertisement, trademark, service mark & logo.

Evans, Bob. June 4 2001. The Sorry State of Software. InformationWeek 112.

Farmer, Dan and Wietse Venema. 1993. Improving the Security of Your Site By Breaking Into It. <http://www.fish.com/security/admin-guide-to-cracking.html>

Freiss, Martin. 1997. Protecting Networks with Satan. O’Reilly Press.

Goslar, Martin D. August 2001. Is There Such a Thing as “Ethical Hacking?” Information Security.

Koch, Lewis Z. June 29 2000. Hacking for the Common Good? Inter@ctive Week.

Marr, Steph. October 1999. Ethical Hackers: Latest IT Craze or Real Deterrent? SC Magazine 17-18.

Murray, William Hugh. July 26 2000. Personal communications (Email).

Palmer, Charles C. 2001. Ethical Hacking. IBM Systems Journal 3: 769-780.

Schneier, Bruce. 2000. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons.

Solomons, Mark. September 13 2000. Hackers Offered $10,000 Bait. Financial Times.

Spafford, Eugene H. 1992. Are Computer Hacker Break-ins Ethical? Journal of Systems Software 17: 41-47.

Winkler, Ira. July 2000. The “Ethical Hacker” Debate. Information Security 82.

Wood, Bradley J. and Ruth A. Duggan. Red Teaming of Advanced Information Assurance Concepts. DARPA Information Survivability Conference and Exposition (DISCEX), 112-118.

Zimmerman, Christine. March 26 2001. Race to Deploy May Magnify Software Bugs. InternetWeek 13.
