In 1995, when I discovered SQL injection, I went on a website hacking spree for a few weeks. I would show off to my friends how I used rudimentary SQL queries to get information. It was exciting, but wrong. My spree inspired me to start Anitian.
More recently there is the case of Chris Roberts. While researching airplane flight system security, Roberts claimed to have discovered vulnerabilities that the airplane manufacturers chose to ignore. While on a flight, he tweeted about hacking the flight systems. When he landed, he was arrested. There is plenty of media coverage of this event.
Mr. Roberts’ tale is a classic example of the ethical complexities of vulnerability research (or hacking as we will call it in this blog). On one hand, there is a case to be made that hacking under the guise of legitimate research is ethical. It serves the greater good through uncovering weakness which can be fixed to protect everybody. On the other hand, hacking is a crime. It is illegal and synonymous with breaking into private property. This makes it unethical.
Roberts’ flight systems hacking shows how ethically complex this issue can be. Moreover, intentions are not always as pure as those who hold them claim.
To analyze this issue, we can use Roberts’ case to illuminate this complexity. However, we must make some assumptions about this case. Applying Occam’s razor (the simplest answer is often the most correct) to the news stories and messaging from Roberts himself, we can assume that Roberts did some kind of basic hacking of the flight systems. Furthermore, having known Roberts, I can attest that he did not carry out these attacks with overt malicious intent. Roberts is an intelligent and respected security professional. I have seen him speak many times before and he has a lot of passion and experience in information security and hacking.
Justifying Unethical Actions
We can begin with the elephant-in-the-room question: is hacking ethical if it is unauthorized? The short answer is no. Hacking a system you do not own or manage without authorization is a crime. It is synonymous with lurking around someone’s home, finding an unlocked window, then using that window to break in. Once inside, you proclaim to the owners that they have weak security (which is right about the time they call the police or shoot you). Owners of websites, like owners of homes, have a right to the privacy of their site, even if that site contains your data. Just because a lot of people do not respect this does not make it ethical.
However, what if there is somebody in the house who is injured and in need of help? Breaking into the house is still wrong, but the intent to save a life easily justifies the act. Likewise, hacking an insecure system to help protect people’s lives follows a similar logic. There is a greater good that arises out of discovering a serious vulnerability and helping to fix it.
However, it is rare that human life is on the line with computer vulnerabilities, except when it involves flight systems on planes filled with people. This adds a complex dimension to Roberts’ behavior.
If we accept that Roberts’ intention was to help, then his unethical act has an ethical justifiable dimension. Roberts’ goal was to make the airline systems more secure and save lives from terrorists or pranksters.
Behavior vs Intent
However, Roberts’ case takes a quick turn back to unethical territory. While still on the plane, Roberts tweeted his discovery (or activities). This is a very public announcement. Moreover, it reveals Roberts’ true intention: he did not hack the airplane network for the greater good, he did it for attention. This makes his act far less altruistic.
In order for an unethical behavior to be justified, it must be done with the clear intention of serving the greater good. Breaking into somebody’s house to save a life is unethical, but justifiable. Breaking into every house in a neighborhood, with the hope of finding somebody hurt so you can get news coverage for your services, is not justifiable. In fact, it makes the original unethical act of breaking in that much more wrong, because it is selfish.
Roberts’ act of tweeting demonstrates that he wanted attention for his discoveries. Helping the airlines secure their flight systems was ancillary. If Roberts truly wanted to serve the greater good, he never would have publicized his discovery. He would have quietly sought out the responsible parties for the airline systems and offered to share his insights with them, confidentially.
Being ethical means doing the right thing even when nobody is looking. The public did not need to know these systems were weak. That public includes plenty of honest consumers, but also plenty of pranksters and terrorists who could use Roberts’ techniques to do more than tweet. Roberts could have used his knowledge to help secure these networks in a professional and responsible manner. Instead he turned it into a media event. I suspect he underestimated the response to his tweet and now regrets doing it.
However, this case takes another turn. Roberts (as many researchers before him have said) claimed that the flight systems manufacturers would not listen to him. In this case, do his actions become ethical? If Boeing (the presumed manufacturer here) refused to listen to Roberts, then how else was he going to get his message out there?
It seems that there are plenty of avenues for researchers to report their findings. He could have written a paper, given a talk, or collaborated with journalists to publish a story. For example, he could have given a talk at RSA on the insecurities in flight systems, speaking in generalities. Tweeting about hacking flight systems while you are on a plane filled with innocent people is irresponsible.
Moreover, if Roberts deeply cared about the safety of passengers, then he could have taken the moral high road and accepted the consequences of his actions. However, he seems quick to defend his actions as justifiable, rather than admitting wrongdoing and accepting the punishment as a small price to pay for the greater good.
Regardless of Roberts’ intent, his irresponsibility keeps his behavior in the unethical category. If the only way you can be heard is to scream “Fire!” in a crowded theater, then you clearly do not have very good communication strategies.
Such is the fundamental problem with so much of the vulnerability research being performed. It is not done for the altruistic desire to actually improve anything, it is done solely for attention and media coverage. Many of the big sensational hacks follow this pattern. The researcher finds a weakness, and rather than responsibly and confidentially reporting it to the vendor, they immediately pump out the press releases. Some security firms have their entire business model focused on this exact principle, to get attention at all costs.
In their defense, it works. They would not do that if people did not lionize the behavior. The Black Hat and RSA conferences are absolutely addicted to sensationalist, panicky hacking demos. They keep promoting these because security people keep filling up the audiences. As long as there are consumers, there will be providers.
The reason many of us are in security is because we like the intellectual challenge of protecting volatile, dynamic systems. Moreover, many of us got our start doing some type of hacking. I started that way, hacking websites in 1995.
The measure of ethicality in hacking ultimately boils down to the hacker’s true intention. Hackers who genuinely want to make the world a safer place do not need credit. They are willing to do their work without fame or attention. Moreover, they know where the lines of ethical and unethical behavior reside. A truly ethical hacker who discovers a serious vulnerability will freely donate the research or make use of a legitimate bug bounty program to report the findings.
Conversely, hackers who only do their hacks for attention are unlikely to control themselves when those ethical boundaries arise. They may have good intentions, but as soon as the temptation toward fame takes over, those intentions become irrelevant.
Roberts’ case is fascinating. I have no doubt that Roberts’ initial intentions were genuine. However, as the details emerge, it is equally clear that some of his decisions were selfishly motivated. I do not entirely fault Roberts. As a business owner myself, I respect the need to promote your business. However, once you step over some ethical boundaries, it becomes too easy to step over more, and more. Until one day, you have no boundaries at all and everything is fair game.
The boundaries of hacking are blurry. However, understanding intent can help clarify the ethicality of any activity. While many researchers claim they just want to help, their actions say something very different. You cannot simultaneously claim the moral high ground while behaving irresponsibly and selfishly.
NOTE: Neither Mr. Roberts nor law enforcement had any input into this blog entry.