Mitnick In The News
Exploring the Complex Relationship Between Infosec Professionals and Hackers
Jul 20, 2016 - Techgenix, by Derek Kortepeter
Thanks to misreporting by the media, people tend to think of hackers as “the bad guys” who are purely criminal. As such, this has in some ways created a “cops and robbers” view of the relationship between the hacking community and cyber-security professionals. The reality is far more nuanced than this, as security pros and hackers genuinely need each other in some way. Some security professionals may disagree with this assertion and say that hackers only exist to cause trouble. On the flip side, some hackers view information security professionals with contempt, thinking that they “sold out” and left the community–after all, many InfoSec people have hacking backgrounds. These communities intertwine more often than the general public thinks. You will find security professionals frequenting hacking conventions that also have likely cyber criminals in attendance. It is not a case of “know your enemy to better prepare against them,” but rather a case of blurred boundaries.
As I mentioned, some in the cybersecurity community are hackers themselves, some even with criminal pasts. Most notable is Kevin Mitnick, who is a rockstar in the hacking and security world (and is also my personal hero). In spite of his past run-ins with the FBI, Mitnick has been able to contribute greatly to the security world because of his hacking abilities. The last thing I want to do here, however, is imply that hackers are criminals. Some may very well be, but in the end a great deal are problem solvers. Hackers seek to create solutions to a problem that they see. Their respective problems are primarily what separate white hats from grey hats and black hats.
The white hat is completely committed to following all of the rules when engaging a network. A grey hat will often have good intentions, but what often separates them from white hats is their willingness to break laws in order to achieve their goals. A white hat only hacks a system with explicit written permission (this is called a penetration test), whereas a grey hat is not opposed to penetrating networks without the aforementioned permission. Many security researchers can fall into either the white hat or grey hat camp, but black hats are another issue altogether. When people think of hackers, chances are they are thinking of black hats who steal and destroy data for a multitude of reasons.
Even in the case of black hats, the cybersecurity professional in some way has a symbiotic relationship with them. Aside from the obvious fact that cyber-criminals keep InfoSec experts employed, the black hat is also responsible for pushing security forward. As insane as it sounds, the often brilliant minds that use their hacking skills to compromise data are helping security professionals become stronger. The stronger your enemy is, the stronger you become, and this results in far greater awareness among the security world.
Think of it like this: many organizations hesitate to put certain security protocols into place because of cost or arrogance. They either do not wish to fork out the cash required to put stronger security in place, or they feel that their system is strong enough to withstand an attack. When there is a security breach, the security team is often tasked with making sure similar attacks never occur again. The final result is a system that is far better prepared for cyber criminals with similar malicious intentions. While it would have been better to have a strong system before such a catastrophic attack, at least the system is now stronger. Instances of this occurring range from Sony after their embarrassing security breach in 2014, to the infamous Defense Threat Reduction Agency hack by the late Jonathan James in 1999. In both of these cases, security dramatically improved in ways that were deemed too cumbersome or expensive before.
In spite of all of the blurred boundaries and mutualistic symbiotic relationships, there is a palpable hostility between “pure” hackers and security pros. The reasons for this vary, and as this complexity is explored, hopefully greater understanding between the respective groups can be reached. I have already chastised the media for creating a dualism in which security professionals and hackers are placed in separate groups. It would be dishonest of me, however, to deny that divisions do in fact exist that would give an appearance of isolation between hackers and InfoSec experts.
The most glaring issue results from the reality that many hackers prefer a decentralized world, especially when it comes to their technological interactions. Consider the words of pioneer hacker and software developer Eric S. Raymond on authority, “Hackers are naturally anti-authoritarian… the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.” With this in mind, understand that this is a dramatic contrast (and cause of conflict) with those in the cybersecurity profession.
If you work in the information security field, you are subject to strict rules and regulations. These rules are a result of the clients that contract your services. Such clients include corporations and governmental entities, both of which represent power and control. Even if you are in complete opposition to how your client affects the world, you must complete your job and protect their data to the best of your ability.
The hacking community in many ways views this as a betrayal of the core values of their existence. In their view, cybersecurity professionals are giving up their inherent freedoms as hackers (as I said, many InfoSec folks are hackers) and are selling out to “the Man.” I admit that, as an InfoSec professional and hacker, I feel this hypocrisy in myself quite often. I support government transparency efforts like WikiLeaks data dumps, even though these are often a result of security breaches. At the same time, I believe in defending certain aspects of authority, as total anarchy simply seems illogical to me.
This crisis of conscience is not uncommon for people in the security field, and hopefully it shows that we still believe in the hacker ethos. Like it or not, the hacking community and the security community are inextricably linked by contradictions and overlapping values. It is a complex relationship that will always exist. The sooner we all accept it, the better the cybersecurity world and hacking world can solve problems in greater harmony.