Bryan Owen

23-Dec-2011 Are hackers naughty or nice?

Blog Post created by Bryan Owen on Dec 23, 2011

Rodney Dangerfield was a hit with his "I don't get no respect" jokes. Maybe every profession needs to lighten up a bit - especially security professionals and hackers. 


But first let's qualify hacking a bit more. As Joel Langill summarized in his vCampus Live! presentation, the moment a hacker gains access is the point of no return, and the activity becomes an attack. Of course, perpetrators of malicious attacks are criminals and, for this discussion, no longer considered hackers. Criminals are definitely in the naughty category, but what about hackers?


Hackers often exploit bugs that can lead to full control of an application, server, or even a control system. In this light, bug hunting is a profession that is kind of dangerous and doesn't seem to get respect. Think about it: a hacker does all this work to find a big, scary bug, but then what? If a hacker doesn't tell anyone, the bug might go unnoticed and not get fixed (and thus remain open to criminals). On the other hand, someone else might find the same bug and receive credit for all that hard work. Obviously, there is a lot of incentive to report the bug.


However, how a hacker chooses to disclose a vulnerability is often a matter of philosophy or, in some cases, business policy. Regardless, who should be told remains a very controversial topic. In the case of industrial control systems, ICS-CERT provides an official channel for vulnerability disclosure. Nice hackers report to ICS-CERT.


As with hackers, vendor coordination with ICS-CERT is voluntary. OSIsoft and other major vendors in the industrial control system community of interest have well-established channels with ICS-CERT.


In other words, the effectiveness of ICS-CERT in providing good information to operators of critical infrastructure relies on nice hackers and respectful vendors. So be nice everyone and give a hacker some respect.


Happy holidays and best wishes to all of you.