Suddenly, hacking has given research a bad name.
The evidence comes from Richard Clarke, U.S. president George Bush’s computer security adviser, who made headlines Thursday at the Black Hat conference in Las Vegas. Clarke pointed out (quite rightly) that most major computer vulnerabilities
are first discovered by independent users. These hackers have an obligation, he was quoted saying, to break into systems and find those errors, and report them responsibly.
Clarke’s comments come in response to Hewlett-Packard’s threats of fines and imprisonment to a group of researchers called SnoSoft for publicizing a vulnerability in Tru64 Unix. HP invoked both the controversial 1998 Digital Millennium Copyright Act and computer crime laws.
According to PCWebopedia, a “”hacker”” refers to “”a slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).””Not any more. The online dictionary goes on to note the way popular media have co-opted the term to describe “”individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data.”” Hacker, therefore, became synonymous with criminal.
Under Clarke’s definition, a hacker is a researcher. Under HP’s, that researcher is also a criminal. Finding a vulnerability and posting it for public examination, as a SnoSoft researcher did, potentially gives others the tools to invade programs and cause harm. This is just as much about avoiding bad publicity as it is protecting intellectual property.
In an ideal world, we wouldn’t allow this “”research”” to happen, because what they do has considerable potential for danger. Users must accept a certain amount of risk when they buy software, just as they do with anything else. If you are considering the purchase of a new home, for example, you don’t wait until someone has broken into it first in order to see how difficult it is to do.
In the real world, however, the level of vulnerability in most software — including industry-leading applications from Microsoft — has eroded that trust to the point where the market faces a crisis of credibility.
One step towards rectifying that is the promotion of improved software testing within vendor companies, which have designated such work as a junior-level position where the best minds seldom stay. Another is to clarify the difference between “”hacking”” (it should be called “”cracking””) and research, where the intent is obviously different. We also need to define the rules of disclosure for the results of this research to protect the copyright holder of the technology in question but offer opportunities to fairly warn the individuals who use it.
Once this is accomplished, maybe we can leave those who truly love using technology can go back to being hackers — in the original sense of the term.