Movies and television have convinced the average person that a hacker is a malicious individual whose nefarious motivation can generally be boiled down to personal financial profit. While these kinds of cybercriminals certainly exist, they aren't the only ones out there. In fact, there is an entire section of the hacking population who want nothing more than to make sure these malicious individuals don't get what they're after.
These good guys are called white hats or ethical hackers, and they play a vital role in modern cybersecurity. That said, these people walk a very fine line between legal and illegal, righteous and otherwise. One false move could easily result in a tarnished reputation or even jail time, which are horrendous outcomes for someone who's just trying to make the Internet a safer place. So what are the ethics of hacking?
"The computer expert must have permission from the system's owner to access a network."
What is considered ethical hacking?
To begin, it's important to demonstrate the distinction between ethical and immoral hacking. There is a lot of controversy here as to what specific actions can be considered proper, but the overall consensus is that the computer expert must have permission from the system's owner in order to actually access a network or machine, according to TechTarget contributor Margaret Rouse.
Although a yes or no is pretty cut and dry in terms of permission, the situation starts to get a little tricky when muddling through the concept of ownership in a digital world. Years ago, when you bought something like a tractor, you owned it completely. If you wanted to make modifications to your machine or improve it in some mechanical way, you had every right to do so. However, it would appear that manufacturers no longer want this to be the case.
John Deere announced recently that farmers using their tractors only had "an implied license for the life of the vehicle to operate the vehicle" rather than outright owning the machine. According to Wired contributor Kyle Wiens, John Deere is attempting to protect the software that it installs on its tractors, which means that it is very against any sort of hacking or modification. Whether or not this holds up remains to be seen, but this is a perfect example of how complicated ownership can be today.
This is why it's so important for ethical hackers to fully investigate the company they're being contacted by as well as the rights of users on that organization's network. A business undoubtedly owns the computer an employee uses on a daily basis, but do they own the user's Facebook data if he accessed this site with the company's machine? What about photos stored directly on the computer? It's a tricky situation that demands intense study as well as the need to simply go with your gut.
Moral ≠ legal
Another mistake people often make when thinking of this kind of hacking is that a moral action is automatically ethical or legal. This simply is not the case, with perhaps the best example of this being the recent events surrounding Justin Shafer. Shafer is a computer expert from Texas, and he has a reputation for sniffing out vulnerabilities hidden within dental data management software. When he previously found such a weakness, he contacted the proper authorities to ensure patient information was as safe as possible.
However, Shafer got himself into some trouble with the FBI recently concerning his actions surrounding a File Transfer Protocol server that was owned by Patterson Dental. This company, which helps doctors manage dental data through a platform called Eaglesoft, had somehow allowed for patient information to be accessed via an unsecured public server, according to The Daily Dot.
Shafer discovered this vulnerability when he was poking around Patterson Dental's database credential security system, and immediately attempted to inform the company about the potential threat. In doing so, Patterson Dental and the FBI are alleging that Shafer violated the Computer Fraud and Abuse Act. Basically, both parties believe Shafer had "exceeded authorized access," which means he wasn't given permission to access the server in the way that he did.
Although he hasn't yet been charged or convicted of anything, this incident shows that a moral act isn't necessarily an ethical or legal one. Shafer wasn't trying to steal information or teach others how to access the server in the way that he did, he was simply trying to ensure that the 22,000 dental patients involved in this debacle didn't have their private information stolen.
That said, it isn't really Shafer's job to do this. Patterson Dental owns that server, and they had every right to be angry that an outside person accessed it without their permission. Hopefully, this will be a wake-up call to the company to ensure that patient data is secure, but the point is that a hacker could be doing something morally right while still breaking the law. It's a fine line, and the complexity of this matter is one of the reasons why ethical hackers make so much money.
