PiSquared Blog | Index | Tags | About me

PiSquared Blog

Blog about geeky stuff, computers, physics and life.

Discuss the argument that hackers do public service by finding and publicising computer security weaknesses

Tags: English, opinions, essays, university
Created on Tue, 10 Feb 2015

context: We have to write an essay for a course at University. But first, we have to submit a draft, then be assigned to read drafts of other people and mark them. Which in the end doesn't matter at all.

BTW, Честит рожден ден, тати!

Number 1. Oh my Random, not another essay!

Of course they do. Is there really an argument for the other side?

Let's first define hacker – a highly controversial term for the regular dumb man/woman/unidentified (henceforth referred to as a “cuggle” – a computer muggle. Muggle, in the Harry Potter universe, is someone who lacks any magical abilities and was not born in the magical world, often denying the existence of magic itself [1]). Now, cuggles believe that a hacker is bad word. They see it as someone who does bad things with the aid of computers like stealing money, blackmailing or lunching rockets by getting hold of NASA computers. While this is not unseen in real life [2] (IRL [3]), it is rarely the case when the term is used by cizards (a computer wizard)[4]. What cuggles are confusing the word with is usually a cracker [5].

The problem is not just semantics. While in the cizarding world hacker is used many times as a compliment to someone's abilities and highly applicable computer knowledge, mainstream media (and apparently University of Glasgow professors [6]) confuse the terms as of early 2015. This leads to much time wasted by graduating students trying to fake arguments from both sides of a useless argument, copying references of the References sections of wikipedia.org and spending their most precious hours of their 20ies in academic Sisyphean labor [7] (the mythological Greek dude who apparently wrote essays and pushed them off a cliff only to find there are more on the desk behind him).

So the question becomes – are highly intelligent people who are curious to see if they can break the thing that their fellow cizards built and when they do, then they expose the information of how they did it to the public (rather than lunching U.S.A. Ministry of Defence's missiles) in order to protect crackers from assuring mutual destruction, at a fault of doing that? Well, apparently there are at least two sections of the argument, so let's dive.

Number 2. First section of the argument

In the introduction I used my own words [8] to state the proposition. I tried to use Michael Jackson's words, but there were two problems I faced: 1. he is dead [9] and 2. he has copyrighted his words. Now I am going to argue against it because we all like to play crazy every once in a while.

As software becomes more and more complex and as every programmer depends on millions of lines of software written by other people, sometimes even provided by competing companies (e.g. Google's Chrome used originally Apple's WebKit as a webpage rendering engine), cizards are aware that no matter how much you test a product, you will end up with bugs crawling at some dark places of your code. As Dijkstra said it “Program testing can be used to show the presence of bugs, but never to show their absence!” [10] That's why Google [11] and many other companies with significant online presence cit needed have issued a step-by-step guide of how to report vulnerabilities in their systems. Usually the process is disclosing the found problem(s) with the company responsible for issuing and maintaining the software and giving it time to fix it. Often, there are rewards for people discovering vulnerabilities in the public space and following the said protocol [12] rather than publicizing it directly.

In some cases however, this is not possible. Last year's example of the so called heartbleed vulnerability was found in the open source project OpenSSL [13]. Open source projects are projects which everybody could read the source code and contribute to and they are often used even by big companies as projects have licenses permitting that. While the intention is sharing the love and the knowledge that humanity as species has acquired and even though millions of eyes have looked at the code, sometimes serious vulnerabilities could creep in. Discovering this particular problem and disclosing it in the public space gives the chance to crackers (sort of the Deatheaters, remember) to do malicious things for their personal gain until all the companies using the software have patched the bad code.

Was the person discovering the bug a hacker in the cuggles' eyes? Certainly not (that is if cuggles even understood what happened among the ocean of information about Miley Cirus shaving her head) – he was a good guy that discovered that other good guys made a mistake. But in cizards' eyes he definitely was one – a smart guy who saw what other haven't seen. He hacked the system. He was smart enough to see it and instead of destroying the world, he decided to protect the world by publicizing the information. However by doing so, he allowed for crackers to possibly steal bank accounts' money of everyday people.

Vulnerabilities are found every day and logs of vulnerabilities in unpatched software exist in the not-so-deep web. With enough determination, everybody could become a cracker. Exploits are created by cizards, crackers and hackers and everybody who can google and want to do something malicious to people with unupdated software could use these scripts without even understanding exactly what they are doing. These are also known as script kiddies [14]. It's like a wizard giving magic potion to a muggle to make someone fall in love with them – the muggle doesn't need to know how the potion was made, he only wants the result. Is this ethical? It is a matter of opinion of course, but this is my essay and my opinion is that if the company maintaining the software has been given enough time to create a patch and push it to users in a seamless way so that cuggles don't even know that anything was fixed, then yes, it is ethical. As in history, it is good to put out information that shows how stupid we were once and how smart we are now. Or is that not the point of history?

Number 3. Second section of the argument

In the previous section I tried really hard to explain why it might be bad for the world to know things. “Ignorance is bliss” as some smart dude once said. If it was not convincing enough, I propose that you start following a religion if you don't already. It will lock you in a box, explain you many of the things you find uncomfortable in life and it will provide you with the security of knowing what happens after you die, how the world began and will give you the power to tell other people who are not following your religion that they are going to a bad place after they die. Which for most of us is either fire or worms' gut [15].

For the rest of us who like knowing things and trying to make the world a better place by using the scientific method, discovering problems in software that half of the people on the planet [16] use daily is a thing we need. While giving the information straight to the media is at least stupid if not downward idiotic way of boosting your ego, disclosing information first with the responsible companies is a smart thing to do. Now if the company stubbornly doesn't want to fix the software that millions of people use, because “it will not meet financial numbers” and thus giving the opportunity to crackers to pwn someone's machine, well then, what else could a good hacker do than ruing the reputation of a stupid company by showing how stupid it is. It deserves it, doesn't it? A company is supposed to serve in the best interest of people. If it tries to appear to do that but it doesn't, then by all means it deserves to be humiliated publicly.

I don't really know what else I can say here. If you don't like it, choose a religion. Or a Linux distro and shovel it down everybody's throats. I'm tired of pushing rocks.

Number 4. Conclusion

Everybody can have opinions for things. What I said, is what I truly believe in and don't really see how I could've written it differently if we lived in a free world. Now I am the kind of person that holds to his believes until proven wrong. And then I change them. Opinions are not you, opinions are things that you put in a basket and carry with you. Discussing them in an essay is something that I like doing but I don't like being forced to express them in a particular academic way, I don't like being put in a box of unclear rules of what makes a good essay. This is not exact science – some people like it, some people don't. If there is a measurement, it would be numbers. Criteria like “Very well structured; very interesting” is highly subjective. On this subjective criteria, an absolute number will be given which would represent itself IRL as an absolute mark number. How does that make sense, I couldn't understand for 16 years in education system. Of course, you dear draft reader, are probably reading something that would not make it to the final submission. Nevertheless, I hope you enjoyed it!

Now, you have to write a critique that wouldn't even matter in the future as marks. Follow Nike's slogan: Just do it! Shamelessly! Critique my references, style, grammar, inappropriate use of words and abbr. Explain how I can't discriminate people based on religious believes, or that my evidence is not strong enough. Praise me for something random so that we follow the balance principle of our democratic society and move on. Don't spend more than 5 minutes, just type something, and go to a party. I am deeply sorry that you had to read this piece of shit, but it was not my call. I would not make you do it, but I tried to make it just a bit more interesting to you than it would have to be in the final one. Which will be another boring discussion of a random topic so that I can finally prove that I can use words, I have developed my critical thinking, be able to solve problems under time pressure, deal with stress and anxiety, work in a team and decide which animal would describe me the best.

Have a nice day!

  1. Rowling, J. K. Harry Potter and the Philosopher's Stone. London: Bloomsbury Pub., 1997. Print.

  2. http://digital.asiaone.com/digital/news/hackers-leak-bank-data-240-poly-alumni Retrieved Feb 10, 2015

  3. http://www.urbandictionary.com/define.php?term=IRL Retrieved Feb 10, 2015

  4. http://jargon-file.org/archive/jargon-1.5.0.dos.txt. Retrieved Feb 10, 2015

  5. http://catb.org/jargon/html/C/cracker.html Retrieved Feb 10, 2015

  6. http://moodle2.gla.ac.uk/pluginfile.php/372358/mod_resource/content/3/Assignment3.pdf Retrieved Feb 10, 2015

  7. Homer, Iliad VI 152ss (From now on assume they were all retrieved today, 10 Feb 2015)

  8. http://moodle2.gla.ac.uk/pluginfile.php/340319/mod_folder/content/0/11.Essay-launch.pdf?forcedownload=1

  9. https://michaeljacksonnotdead.wordpress.com/ ...or is he...?

  10. Dijkstra (1969) J.N. Buxton and B. Randell, eds, Software Engineering Techniques, April 1970, p. 16. Report on a conference sponsored by the NATO Science Committee, Rome, Italy, 27–31 October 1969.

  11. http://googleonlinesecurity.blogspot.co.uk/2010/07/rebooting-responsible-disclosure-focus.html

  12. http://www.google.com/about/appsecurity/reward-program/

  13. http://heartbleed.com/

  14. http://www.urbandictionary.com/define.php?term=script+kiddie

  15. https://www.youtube.com/watch?v=nqOITqLfnkc

  16. http://www.internetworldstats.com/stats.htm

cit needed https://xkcd.com/285/