Is Ethical Hacking an Oxymoron


What is an Oxymoron?

“Confining himself to the language most in use, a man can scarce avoid running, in appearance, into perpetual contradictions. His propositions will appear, on the one hand, repugnant to truth; and on the other, averse to utility. As paradoxes, they will excite contempt: as mischievous paradoxes, indignation.” – Jeremy Bentham’s take on an Oxymoron (2016)

The central issue for the debate of ethical hacking lies in the difficulty of precisely defining the significations of ethics and hacking. There are two pivotal varieties of hackers, white hat and black hat. Ethical hacking cannot be associated with a single type of hacking. It is not to be used to prohibit the scope of hacking. A white hat hacker is someone who would have the job title of an ‘ethical hacker’ and will mainly do penetration testing for businesses/corporations. The more accurate term for these ‘hackers’ is penetration testers, as they aren’t technically hacking. ‘A person who uses computers to gain unauthorised access to data’ is the Oxford (2016) definition of being a hacker, yet to be an ethical hacker you have to receive authorisation. Penetration testing is a legal and authorised attempt to successfully exploit computer systems for the purpose of making them more secure. This is the role of the conventionally deemed “Ethical Hacker”. The goal of a penetration tester is “to find security issues by using the same tools and techniques as an attacker. These findings can then be mitigated before a real hacker exploits them.” (P, Engebretson – 2013) The difference between the two hackers is not an ethical one. It is about where they stand in terms of law. To situate them on this particular spectrum, there exist three key differences. These are authorisation, motivation and intent. The penetration tester has to stick to what they have discussed with their customer. By going beyond this they are lowered to the same level of illegality as the black hat hackers. Typically, a black hat hacker would be driven by personal gain, be this through profit, extortion or fame. Potentially they just want revenge on a corporation (RT. 2016.) or a particular individual. They very well may even claim to be doing it to improve the security of the system that they are attacking, but if they are doing it without prior permission then it is illegal.
It would be like a thief breaking into your house, then when caught claiming that it was all done to improve your home security. It would be comprehensible to wish for that thief to be prosecuted as such. Being a white hat does not imply exemption from morally ambiguous dilemmas. For example, a white hat hacker doing their job might come across information showing that the business has been killing their employees. From a deontologist viewpoint it would be unethical to share this information, yet from a utilitarian one the opposite applies. Even though what a black hat is doing is illegal, it doesn’t mean that it goes against all conventional ethics. WikiLeaks is a whistleblowing platform that currently has over 26,095 (Durden, T. 2016) (with plans to release a total of 50,000) of the private e-mails of John Podesta, the chairman of Hillary Clinton’s campaign (WikiLeaks. 2016). Whilst a lot of these contain mundane information pertaining to the everyday work of this man and his colleagues, there are a precarious amount of rather explicit e-mails that contain information on topics such as racism or the influential power of Qatar and Saudi Arabia through bribery (Stanley, T. 2016). The e-mails enlighten the reader on the darker side of the presidential race and offer a new face to Hillary and her party. From a consequentialism perspective it is not unethical to reveal these e-mails. Hillary Clinton is one of two lead candidates for presidency of the United States of America; it is understandable that the public would like access to this data.

There is a fundamental need for white hat hackers. It is absolutely imperative to protect one’s data to the utmost if one truly wishes for it to be safe. An article posted by Wired, titled “Ethical Hacking is no Oxymoron” (2004), relates to a class of people being taught the skills of hacking. It conveys a powerful necessity for a higher level of awareness of the process of hacking to be conceived by the average citizen. The article was posted in 2004 yet the lessons it preaches are still valid, if not more so. One student says “It’s an amazing thing how insecure the big corporations are. It’s just amazing how easy it is.” This is a rebarbative revelation as it incites fear in one who cares for online confidentiality and safety, due to the ease with which learning to hack appears to come. The article goes on to detail how, with minimal effort, on the first day the students managed to find information about influential people’s personal lives. Between the 16th and 31st of December 2015 there were 41 discovered major cyber-attacks, with one even leading to power cuts all over Ukraine (Passeri, P. 2016). Companies don’t have the correct facilities in place to locate hacks, let alone defend themselves from them, as the article by Paul Szoldra (2016) shows. It exhibits the cardinal place penetration testers have acquired in today’s society. A visage of black hat maliciousness can be seen in the 2014 Yahoo! hacks, the repercussions only now being felt. With at least 500 million user accounts (e-mails, passwords, names, phone numbers, birth dates and security questions) stolen by a group of hackers, it is the most substantial data breach in history. The data went on to be sold on the dark web (Ng and Hautala. 2016). In a world where malicious hackers exist, so must hackers whose moral compasses align with those of conventional morality and the law. “Not every action or affect admits of a mean [of virtue].
For indeed, some of them just by being named already imply moral badness, like for instance maliciousness, shamelessness, envy [among affects], and among actions, adultery, theft, and murder.” – (Aristotle, Nicomachean Ethics, 1107a, 350 B.C.E). Does the term hacker imply complete moral badness? No. Every hack is done by someone with different motives or reasons. Yet, if you were to ask most hackers if what they were doing is morally just they would respond with a resounding yes. This was visible when Glenn Mangham was jailed, his defence stating that he had conducted the hack “to uncover security vulnerabilities at Facebook with the intention of getting them fixed”. In a way all hacking is ethical and yet at the same time no hacking is ethical. This is because a person’s ethics exist absolutely in the individual’s own mind. Hackers can be judged through the law, yet paradoxically the law can be unethical, as Chris MacDonald states in his article ‘What’s Legal Isn’t Always Ethical’ (2011), which starts by stating tame points that are conventionally unethical yet lawful. There are three main approaches to ethical theory (Brown, C. 2001): deontology, virtue ethics and consequentialism. If the same quandary of “is hacking ethical?” was to be posed to each of these theories, the deontology methodology would consider if the hack would conform to the moral rules that are intuitively correct. Typically, these rules will be followed regardless of consequence. So although the hack may provide data that could be considered helpful to the general public, it would be morally appropriate to not hack if hacking is something that feels inherently bad. The theory of Virtue Ethics that Aristotle puts forth would respond by asking whether the hack is an act that a virtuous person would conduct or a more callous act. Consequentialism has two separate paths, ethical egoism and utilitarianism.
The theory of consequentialism encourages one to consider the consequences of fulfilling the hack. Utilitarianism dictates that one would think about how the act would impact not only oneself but everyone affected. The ethical solution to that degree would be one where the well-being of the majority would increase. However, the ethical egoism approach would be to think about the well-being of the individual.

What does the Law say?

In the eyes of the law, ethical hacking is an oxymoron, as hacking in itself is an illegal act and thus shouldn’t be placed in conjunction with ethical. In terms of each of the three main ethical approaches, hacking would be judged on a hack-by-hack basis. The only time a hack would be definitively not ethical would be when malicious intent is used and either the theory of deontology or virtue ethics is employed. An ethical hacker however cannot stand in the court of law with its current name. Since the ambiguity of this title is problematic in the discourse of the court, a new term (such as penetration tester) is better suited to the job description. Either there needs to be a tectonic shift in the definition of hacking or, more likely, a new name needs to be constructed.

Omake

This essay, written in the twilight of 2016, by myself in my first year of university, was the first essay I ever penned. As such, the language and tone read as a novice who is yet to learn of the industry. It actually won an award as ‘the best essay’ for my year, and I received a £100 Amazon voucher for my efforts (笑) but I couldn’t quite understand why it was marked so highly at the time (not to this day). I actually emailed my Security by Design professor a year after, asking him if he could mark this as he was an active practitioner in the field and thus could mark it more fairly, but he (sadly?) never did. The topic does still interest me and since writing this, I have delved deeper into Philosophy, so I believe a revisit will soon be in order. Let me know what you thought about this by emailing me at liam@netpaladin.co.uk.

References

Aristotle (350 B.C.E). Nicomachean Ethics. Greece: Penguin. 1107a.

Bentham, J. (2016). Of Motives. In: Bentham, J. The works of Jeremy Bentham, now first collected; under the superintendence of his executor, John Bowring. Delhi, India: Gyan Books Pvt. Ltd. 49.

Brown, C. (2001). Ethical Theories Compared. Available: http://www.trinity.edu/cbrown/intro/ethical_theories.html. Last accessed 23/10/2016.

Cluley, G. (2012). Jail for ‘ethical’ hacker who bypassed Facebook security from his bedroom. Available: https://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/. Last accessed 23/10/2016.

Durden, T. (2016). Wikileaks Releases Part 15 Of The Podesta Files, Bringing Total To 26,095 Emails. Available: http://www.zerohedge.com/news/2016-10-22/wikileaks-releases-part-15-podesta-files-bringing-total-26095-emails. Last accessed 23/10/2016.

Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Syngress; 2 edition (1 Aug. 2013).

MacDonald, C. (2011). What’s Legal Isn’t Always Ethical. Available: https://businessethicsblog.com/2011/12/22/whats-legal-isnt-always-ethical/. Last accessed 23/10/2016.

Ng, A and Hautala, L. (2016). Yahoo hit in worst hack ever, 500 million accounts swiped. Available: https://www.cnet.com/uk/news/yahoo-500-million-accounts-hacked-data-breach/. Last accessed 23/10/2016.

Passeri, P. (2016). 16-31 December 2015 Cyber Attacks Timeline. Available: http://www.hackmageddon.com/2016/01/07/16-31-december-2015-cyber-attacks-timeline/. Last accessed 23/10/2016.

RT. (2016). BuzzFeed News hacked: OurMine group carry out revenge attack. Available: https://www.rt.com/viral/361692-buzzfeed-website-hacked-ourmine/. Last accessed 23/10/2016.

Sadler, G. (2012). Is ‘Ethical Hacker’ an Oxymoron. Available: http://virtueethicsdigest.blogspot.co.uk/2012/08/is-ethical-hacker-oxymoron-part-1-of-2.html. Last accessed 23/10/2016.

Stanley, T. (2016). The John Podesta email leaks expose the cosy, blinkered, radically liberal world of the Clintons. Available: http://www.telegraph.co.uk/news/2016/10/14/the-john-podesta-email-leaks-expose-the-cosy-blinkered-radically/. Last accessed 23/10/2016.

Szoldra, P. (2016). We watched a team of hackers ‘fully compromise’ a power company in less than 24 hours. Available: http://uk.businessinsider.com/red-team-security-hacking-power-company-2016-4?r=US&IR=T. Last accessed 23/10/2016.

Oxford. (). Definition of a Hacker. Available: https://en.oxforddictionaries.com/definition/hacker. Last accessed 23/10/2016.

Wikileaks. (2016). The Podesta E-mails. Available: https://wikileaks.org/podesta-emails/. Last accessed 23/10/2016.

Wired. (2004). Ethical Hacking is no Oxymoron. Available: https://www.wired.com/2004/06/ethical-hacking-is-no-oxymoron/. Last accessed 23/10/2016.