Who are ethical hackers?
The following social and historical influences contributed to shaping perceptions about the identity and legitimacy of professional ethical hackers.
An identity and legitimacy crisis
Ethical hacking as a profession suffers from a stigma stemming from confusion surrounding the identity and legitimacy of ethical hackers. The social stigma surrounding hacking and hackers harms society. The stigma is both a consequence and a cause of an identity and legitimacy crisis: it undermines ethical hacking education (acting as a reinforcing feedback loop—ignorance fuels the stigma and the stigma leads to ignorance because the topic becomes a taboo), raising crime risk to society. The stigma from confusion surrounding the profession and the roles of professional ethical hackers in organizations and in society can drive down student enrolment in hacking classes and the hiring of expert hackers as instructors and professors within higher education. The stigma is a reputation risk to businesses and higher education and can discourage professors from acknowledging their hacking skills/experience.
An identity crisis can be understood as a crisis of confusion regarding who professional ethical hackers are and what they do. A legitimacy crisis can be understood as a crisis of confusion regarding the ethics and values of professional ethical hackers, and regarding their value (contributions) to organizations and society at large.
Who are ethical hackers? Introduction
An appreciation of intellectual and historical influences on the conceptual development of the terms hacking and hackers – and by extension the terms ethical hacking and ethical hackers – from outside of the information security field (from the social sciences and humanities) includes a review of the role of the mass media and law enforcement in changing the original positive connotation of the term hacking from around the late 1980s and through the early 1990s to connote unlawful or criminal acts (Coleman & Golub, 2008; Thomas, 2005), the pioneering historical work of Steven Levy (1984) on hacker culture and hacker ethic (Hackers: Heroes of the Computer Revolution), and an anthropological analysis (taxonomy) of various hacker ethics based on idioms and practices (Coleman & Golub, 2008). Palmer (2001) offers one of the most authoritative conceptions of who ethical hackers are from inside the information security field.
A brief history of hackers
The meaning of the term ethical hacking can be understood in relation to the term hacking, as their history is intertwined. Hacking today “connotes pejorative attempts to gain unauthorized access to computers” (Thomas, 2005, p. 602).
But it wasn’t always this way.
When the term hacking began taking off in the early 1960s, it was used to refer to a group of pioneering computer aficionados at Massachusetts Institute of Technology who “typically had little respect for the silly rules that administrators like to impose, so they looked for ways around” (Stallman, 2001). In the 1960s to the 1970s, a hacker was “simply someone obsessed with understanding and mastering computer systems” (Levy, 1984, p. 602). A hacker (noun) meant,
1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary.
2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. (Palmer, 2001, p. 769)
The term hacker had a positive connotation in the 1980s and early 1990s among computer security professionals. Hackers typically had strong programming and computer networking skills. Some of their job duties were similar to those of today’s ethical hackers (Harper et al., 2011; Harris, Harper, Eagle, & Ness, 2007; Palmer, 2001; Sterling, 1993). The connotation of the term “hacker” would undergo a transformation in the late 1980s and early 1990s (Coleman & Golub, 2008; Thomas, 2005). Thomas (2005) traces the legacy of demonization of hackers to the rhetoric of media and law enforcement of the early 1990s.
In the golden age of hacking (late 1980s and early 1990s), the mass media began to frame criminal hackers as simply hackers instead of the more accurate description of “criminal hackers” thus associating hackers and hacking in the public mind with malevolence and crime. The early 1990s saw the commercialization of consumer-oriented computer technologies, and the rise of computer hacking incidents. “As malware and attacks emerged, the press and the industry equated the term ‘hacker’ with someone who carries out malicious technical attacks” (Harris, 2007, Ethics of Ethical Hacking, para. 27). The mass media began using the term hacker to describe individuals who break into computers for fun, revenge, or profit, instead of the more accurate term of criminal hacker. By the early 1990s, the word hacking had begun acquiring a negative connotation. Hacking and hackers became increasingly associated with computer intrusions and unauthorized telephone calls.
Meanwhile, law enforcement was influenced by a sense of “moral panic” regarding the rise of hacking incidents and began transposing terms used for criminal acts in the physical world to the online world (Thomas, 2005, p. 603). The origins of hacking “were grounded arguably in what the original participants saw as an ethical, even noble, pursuit. However, law enforcement agencies had a different metaphor, setting out on a mission to purify cyberspace from the invading vandal hordes” (Thomas, 2005, p. 603). Legal concepts such as burglary, trespassing and theft, “terms that have a reasonably unequivocal meaning in a world of material objects – became opaque, even absurd, when applied to cyberspace. Yet, prosecutors invariably used such legal terminology in their indictments.” By,
metaphorically invoking images of home intruders and thieves, legal rhetoric manipulated the meaning of hacking behavior to – some might say cynically – demonize the participants successfully. The indictments transformed “bad acts” into formally sanctionable ones by creatively linking the act to more familiar predatory behaviors, such as “breaking and entering” (e.g. US vs Robert J. Riggs and Craig Neidorf, 1990, 90-CR 0070 United States District Court, ND Ill. ED). (Thomas, 2005, p. 601)
In retrospect, the rhetoric of law enforcement and of other “moral entrepreneurs” of the late 1980s and early 1990s can be seen as an example of how the symbolic manufacturing and pursuit of demons can lead to equally demonic excesses that may create ethical transgressions greater than those being controlled. (Thomas, 2005, p. 600)
The response of law enforcement in the golden age of hacking to incidents by computer hackers was “out of proportion to the threat” and reflected a “moral panic.” It focused on selected incidents as “symbolic signposts” and illustrates how hacking “both constituted and reflected ironic ethical ambiguity between the enforcers of the law and those who transgressed it.”
Perhaps the media were taking their cues from law enforcement or perhaps they were experiencing an episode of moral panic themselves, or perhaps the media opted for brevity so they dropped the word “criminal” from what should have been “criminal hacking.” Both the media and law enforcement demonized hacking and hackers and undermined the increasingly important role of hackers and hacking in society. The value of hacking, and by extension teaching students to hack, remains confused. Palmer (2001) writes that since calling someone a hacker was originally meant as a compliment, “computer security professionals prefer to use the term ‘cracker’ or ‘intruder’ for those hackers who turn to the dark side of hacking” (p. 770).
More recent studies have emphasized the original positive connotation of hacking as inquisitive tinkering, “highlighting the hacker ethic’s ability to emancipate its practitioners from the iron cage of late modernity and capitalism” and “recuperating hacking’s tarnished reputation” (Coleman & Golub, 2008, p. 256).
Hacker ethic
The hacker ethic is a philosophy and set of moral values common within hacker culture. The philosophy originated at MIT in the 1950s-1960s. The hacker ethic is related to the concept of freedom of information as well as the political theories of liberalism, anti-authoritarianism, anarchism, and libertarianism.
Levy (1984) offered one of the earliest theorizations of hacker ethic (what hackers thought it meant to be a hacker), particularly in the early decades of computer technology in the 1950s and 1960s. Levy (1984) distilled the hacker ethic into six bullet points:
Access to computers—and anything that might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!
All information should be free.
Mistrust authority—promote decentralization.
Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position.
You can create art and beauty on a computer.
Computers can change your life for the better.
The hacker ethic as retold by McConchie (2015):
1) The “fundamental tenet of the hacker ethic is that information should be free, and that access to computers should be unrestricted” (p. 879); 2) Hackers see the creative reuse and repurposing of technology as a hands-on way of learning about the world and becoming self-directed and self-reliant individuals; 3) Hackers believe that information should be decentralized and authority mistrusted; and 4) Hackers believe that hacking, in itself, can make the world better through the free exchange of information and hacking skills.
The mistrust of authority structures hacker ideas about socialization and self-organization within hacker communities; the community of hackers presents itself as a meritocracy wherein hackers ought to be judged solely on hacking skills, “not bogus criteria such as degrees, age, race, or position” (Levy, 1984, p. 35, cited in McConchie, 2015).
Hacker practice
Coleman and Golub (2008) saw various hacker ethics as representative of the subjective self. In this vein, they conceptualized three liberal moral expressions of hackers and hacking (cultural sensibilities or hacker ethics) revealed variably in the context of computer hacking: cryptofreedom, free and open-source software, and the hacker underground.
Coleman and Golub (2008) argue that the literature on ethical hacking has tended “towards dichotomous representations of computer hackers as either unhealthy young men engaged in bold tournaments of sinister hacking” or visionaries “whose utopian technological lifestyle has the potential to disrupt the pathologies of capitalism and modernity more generally” (p. 255). This tendency threatens to obscure the cultural significance of computer hacking, they argue, because hacker morality “in fact exists as multiple, overlapping genres that converge with broader prevailing political and cultural processes, such as those of liberalism” (p. 256).
For Coleman and Golub (2008) it is reductionist to ignore the socio-cultural and historical context of hacker practice – breaking the law, and what it means to break the law, are evolving ideas that can only be anchored in and understood within culture, specifically, hacker culture. The authors examined three liberal moral expressions (cultural sensibilities or hacker ethic) of hacking revealed variably in the context of computer hacking. The practices and ethics of computer hacking “afford an exceptional entryway for conceptualizing liberalism as a cultural sensibility with diverse and sometimes conflicting strands” (p. 256).
Coleman and Golub (2008) distinguish between three different, though overlapping, moral expressions of hacking in order to theorize liberalism “as a cultural sensibility closely wedded to what Charles Taylor has called the ‘expressive self’ (1989) that in practice is under constant negotiation and reformulation and replete with points of contention” (p. 256).
An elaborate comparison is made of three modes of hacker practice: cryptofreedom, free and open source software, and the hacker underground. One example within hacker practice was Richard Stallman, the founder of the Free Software movement, the GNU project, and the Free Software Foundation. Stallman was a hacker who “realized his liberal ideals in a technological idiom and he linked his political goals to one of the most popular operating systems among the technical community, UNIX” (p. 263). By comparison with another form of hacker practice, the hacker underground espouses moral conventions and practices bespeaking “a Nietzschian notion of power and pleasure, and especially a critique of liberalism” (p. 263).
Other hacker taxonomies
The ethics of ethical hackers
Professional ethics
The social context
Professional ethical hacking is legal
Ethical hackers are trustworthy
Key skills of professional ethical hackers
Ethical hackers typically have “very strong programming and computer networking skills and have been in the computer and networking business for several years” (Palmer, 2001, p. 771).
They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., UNIX or Windows NT) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. (Palmer, 2001, p. 771)
Further, the “best ethical hacker candidates will have successfully published research papers or released popular open-source security software” (Palmer, 2001, p. 772).
Table 9: Hacking Skills Coding Table (Network Penetration Testing)