Three Hats

White hat hackers are members of the security industry hired specifically to test and find security vulnerabilities in production systems and applications. A company might hire a white hat hacker to attempt to breach their networks and systems without their knowledge. This is very similar to popular television shows where a homeowner learns just how easy it is to break into their own house. The television burglar is videotaped getting through all of their security systems, and then offers advice on how to secure their property. White hat hackers are obviously not going to cause any damage for their clients, and their intent is to strengthen the security measures a client takes against attack. They do not break any laws, as their access to the network, while using the same methods that a malicious hacker (or “cracker”) might use, is perfectly authorized by prior contract.

Black hat hackers are, naturally, the antithesis to a white hat hacker. The hacker community refers to these programmers (often as skilled as true hackers) as crackers, due to their malicious intent to harm or gain profit from hacking. Black hat hackers do not follow any particular ethic, and break into systems for no other reason that to commit a crime of some sort. These are the types of hackers that are most covered in the media, and are often the focus of legislation and public outcry. It is the actions of black hat hackers that have generated a negative image for hacking.

Gray hat hackers are a hybrid of the previous two types. They share the same ethical foundation as the original hacker, but they stretch the boundaries of that ethic into a sort of vigilanteism. The gray hat hacker’s intent is much the same as the white hat hacker: these hackers want to expose vulnerabilities in public and government systems in order to force these systems to become more secure. Yet they do not seek prior consent or authorization. They prefer to hack into these systems anonymously and leave their mark, informing system owners of the vulnerabilities on the way out. They often do not cause any irreparable damage, although they have been known to cross the line into black hat behavior. Because they are not regulated by the security industry’s public ethics (as white hat hackers are), there is no hard and fast code that means a gray hat hacker will always have the greatest good in mind. But for the most part, the intent is to show off by showing other people how vulnerable their systems really are. Gray hat hacking often occurs as a type of “tagging,” much like the graffiti artists of subway fame.

Case Study

In 1999, a seventeen year old hacker with the handle “ytcracker” exploited a weakness in Microsoft NT’s web service and replaced the homepage of three U.S. government agency web sites. The homepages of NASA’s Goddard Flight Center, the office of Land Management’s National Training Center, and a Defense Contracts Audit Agency suddenly showed an image of a graffiti-like rapper with gold necklaces and the message:

To the U.S. government and military–I have warned you about these security flaws. Please secure our military systems to protect us from cyber attack.

ytcracker’s message was accurate–he did send messages to the administrators of these systems notifying them of the vulnerabilities. When they did not fix the security flaws, he used them to breach their systems. The seventeen-year old was charged and fined $30,000 for unauthorized access of a computer system.

Ethical v. Legal

Ethics often entail a philosophical discussion of the greatest good, and an analysis of the “right” decision over the legal decision. This means there are times when committing a crime might still be an ethical act. Or an unethical act might not involve a victim or a crime at all. Legality, on the other hand, pertains to the protection of society. Laws determine what behavior or action is socially allowed. Damage to society or to an individual member of society is often considered illegal.

The actions of gray hat hackers often break the law. The breach of any computer or network without authorization is a violation of the law in many U.S. states and other nations. But the avowed purpose of these actions, according to many gray hat hackers, is to strengthen otherwise weak security systems. Because a question of ethics often involves both intent and a choice for the greater good, it can be argued that gray hat hackers are providing a service that benefits the greater good: the increased security of the Internet. White hat hacking, by its very nature of prior agreement (warning) with the client cannot be 100% effective at exposing unknown vulnerabilities. It is often only once a system has been breached via an unknown weakness that system administrators are forced to take action. The more gray hat hackers expose, the more security holes are closed. The Internet, being a fairly unregulated space (thus is its flexibility), is improved by a joint effort between white hat and gray hat hackers. We need both to create the best possible security environment.

With wired networks, you must have a physical connection in order to use the network. The security is through physical access. Wireless networks have no such security. You must configure your wireless device for this security. This is fine for techies, but non-techie home users rarely have the savvy to secure their wireless networks. It’s not surprising that pirating or piggybacking of these open wireless networks —using someone else’s Internet connection without their knowledge or approval—is extremely commonplace. Is wireless piracy stealing? Or is it a victimless crime?

In 2005, Benjamin Smith, III, was arrested and charged in Florida with unauthorized access to a computer network. In 2006, David Kauchak pleaded guilty in Illinois to “remotely accessing another computer system without the owner’s approval”. In 2007, Michigan resident Sam Peterson was charged under the state’s “Fraudulent access to computers, computer systems, and computer networks” law. Each time, the “criminal” was observed using a laptop computer from their vehicles outside of a business or home. They were taking advantage of unsecured wireless networks to gain access to the Internet.

There are three ethical issues here. First, a network’s owner purchases Internet access from an ISP. The Internet connection is basically licensed to the customer for their use. When other people pirate an Internet connection, the ISP is missing the opportunity for additional revenue. Second, the fact that the networks are unsecured is important. If I were to place a bag of money on the street in front of my house, is it a crime for someone to come by and take it? I know people who leave their wireless networks open on purpose, as a sort of public service for their neighborhoods. How can a laptop user determine which networks are open on purpose, and which are not? Finally, a major problem with unauthorized access to a network is that the network owner doesn’t know what the pirate is doing on their network. If it is something illegal, the network owner is unwittingly an accomplice to a crime, at least in the eyes of the ISP. When an open wireless network in a coffee shop was being used to generate spam, the ISP shut down the coffee shop’s connection.

ISPs need revenue to build up their infrastructure. We need a bigger infrastructure in order to offer Internet speeds equal to those found in Japan and other countries. If someone is able to piggyback on their neighbor’s connection, they’re shooting themselves in the foot. This would mean wireless pirates are slowing down the growth of Internet infrastructure by not purchasing high-speed Internet themselves. But you could also hold network owners who are leaving their wireless networks unsecured (including public libraries and small businesses) just as liable for the loss in revenue. Eric Bangeman of ars technica thinks this is too much of a stretch:

Take the case of public WiFi hotspots: official hotspots aren’t that difficult to find in major cities—every public library in Chicago has open WiFi, for instance. Are the public libraries and the countless other free hotspot providers helping defraud ISPs? No, they’re not. There’s no law that using the Internet requires payment of a fee to an ISP, and the myriad public hotspots prove this.

If there is not a crime against ISPs, then the crime must be against the network owner who left their network unsecured. A wireless pirate is portrayed as a burglar, breaking and entering a property without permission. I find this to be too much of a stretch as well, because the radio signals are entering my house where my device can pick them up. If I had snaked a network cable into someone’s house, or perhaps hooked into their cable box and ran it back over to my house, I could see where I had broken the law. But technically, a wireless network owner is sending their wireless signal into my location (be it out to a public street or into my apartment). Bangeman correlates it to owing a neighbor money because some of the neighbor’s water from their water sprinkler got on my lawn.

If there is no crime against the network owner, then the only time that unauthorized use of an unsecured wireless network should be related to a crime is when that use results in another crime. Pirates should be prosecuted for spamming, downloading child pornography, or any of the other countless things we already have federal laws for, no matter where they gain access to the Internet. And network owners cannot be held responsible for these crimes, just like I cannot be held responsible if someone takes my car and commits a crime with it.

I think state legislatures have been too broad with statutes and laws related to accessing unsecured wireless networks. Until a real crime is committed, accessing something publicly available without “hacking” or compromising information hardly deserves the label “crime”. At most, it could be considered impolite, especially if a pirate uses up all the bandwidth.