I wanted to say 'It is not possible to crack systems and still be ethical.  To me there is a very important semantic distinction between hacking and cracking.'  I subscribe to the MIT definitions (2010).  But CBC (2010) reminds me, the rest of the world may not.  So I'm going to skip ontological argumentation and just talk about specific behaviors I think are ethical and unethical.  Never mind how I wish the words were used.

“White hat cracking” is just a job.  There is nothing questionable about it.  The client asks for a vulnerability assessment and we deliver.  It may blur into “grey hat” if the project plan is not specific about targets and modalities, or if it is specific that the scope is unlimited.  But so long as the project plan is careful and specific (for example, not risking crashing mission critical systems without warning) it seems pretty clear to me that “white hat” is ethical.

As we move into greyer territory the ethics get murkier.  Some clients might really want us to throw everything we have at their systems.  But to preserve our professionalism we need to understand if this is due to overconfidence on their part or if we might even be being used as a pawn in their own intraorganizational battles.  So it's dangerous to “grey hat crack” even with customer clearance (EFF, 1996).  Probably it is possible to be ethical but one must be very careful about communication and containing the potential for damage.

Even less ethically clear is vulnerability assessment without clearance.  It seems obvious that this needs to be done since vendors don't all have histories of being completely forthcoming about vulnerabilities (ITProPortal, 2010); some might not even have the skill-sets to accomplish it.  But this behavior gets very, very murky if the analyst probes on-line production systems without permission.  In fact, the only thing that distinguishes it from “black hat” is that the intention isn't to cause damage and that when vulnerabilities are found they aren't exploited outside of test systems.

Which brings us to the purely unethical.  Whether we call it “black hat hacking”, cracking or cybercrime the defining aspect is that someone gets hurt.  Systems are broken, money or sensitive data is stolen and lives can even be put at risk if the systems in question control critical infrastructure.

And finally, since I do believe that some ethics are beyond the law and that some laws are unethical I accept the need for such activities as counterattacks and 'hacktivism'.  And I agree that 'if the focus of the definitions of cybercrime is on the method, such as the unauthorised access to secure computer systems, there is a potential risk of confusing cybercrime with “hacktivism” (digital civil disobedience)' (Phillips, 2009) or justifiable counterattacks.

CBC (2000) Woe: Words and Wonder [Online].  Available from: http://www.cbc.ca/news/indepth/words/hack.html (Accessed: 6 May, 2010)

ITProPortal (2010) Microsoft Denies VirtualPC Vulnerability [Online].  Available from: http://www.itproportal.com/security/news/article/2010/3/18/microsoft-denies-virtual-pc-vulnerability/ (Accessed: 8 May, 2010)

Kegler, J. (1996) Intel vs. Randal Schwartz: Why Care? [Online].  Available from: http://w2.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro (Accessed: 8 May, 2010)

MIT (2010) Hacks [Online].  Available from: http://hacks.mit.edu/Hacks/ (Accessed: 8 May, 2010)

Phillips, C. (2009) 'Professional Issues in Computing – Lecture for Week 6', Laureate Online Education [Online].  Available from: https://elearning.uol.ohecampus.com/webapps/portal/frameset.jsp (Accessed: 4 May, 2010)