It is important that hackers follow The Hacker Ethic in the same way that it is important that police follow their code of conduct. An abuse of skill within the hacking world causing harm to others. Remember: It is almost impossible to gain respect at the expense of others.
The Original EthicEdit
Back when computers just started to reach universities and students had access to open systems, curious users began to show a certain disregard for the rules. These users would enter areas of the system without authorization, gaining access to privileged resources. With no Internet and no copies of Hacking Exposed or Security Warrior to assist them, they had to figure out how to enter the systems on their own.
Although these young students represented the first hackers, they had no malicious intent; they simply wanted knowledge, information, a deeper understanding of the systems which they had access to. To justify and eventually distinguish their efforts, the hacking community developed The Hacker Ethic as a core part of their subculture. The Hacker Ethic states two basic principles:
- Do no damage.
- Make no one pay for your actions.
These two principles fall hand in hand. The original hackers had an intention to learn about the systems they invaded, not to destroy them or steal valuable confidential information. They wanted to know how they worked, their flaws, their strengths, interesting functions of their design. They had no authorization; at the time, they made up for this by making a point of neither interfering with anyone's work nor costing anyone any money in the process of exploring the system.
Unfortunately this mantra does not provide a fully effective cover for your actions. Even disregarding the legal ramifications, such as the Computer Fraud and Abuse Act of 1986, your actions will have devastating unintentional consequences if not carefully controlled. Robert Morris created the Morris Worm to gauge the size of the Internet harmlessly; unfortunately, it loaded down the systems it infected due to exponential re-infection, causing tens of millions of dollars of financial damage. You must always remember to carefully consider the short and long term impact of your actions on any system.
Today we need to add one more rule to The Hacker Ethic, a rule that we should have added long ago. The Morris Worm illustrates why this rule exists, even beyond legality.
- Always get permission ahead of time.
Please remember to always get permission before acting. Your actions cause a major disruption to the targets you attack. Networks become slow, servers crash or hang, and you create spurious log entries. Any institution with a useful IA sector will notice your attack and panic, believing you to have malicious intent; they will invariably expend resources searching for back doors and trying to determine what confidential information you stole. All of this, even if you don't get caught, demands that you acquire permission ahead of time.
You always have authorization to hack into servers you own; likewise, if you participate in a Capture the Flag game or as Red Cell in a Red vs Blue competition, you implicitly have the right to hack into whatever you can get your hands on. In all other cases, you need to ask the owners of the machines for authorization; you can even ask them to pay for it, selling your services as penetration tests and giving them a comprehensive outline of their network's vulnerabilities and proper mitigation steps to improve their security. As long as you have permission ahead of time, and you remember the first two rules of The Hacker Ethic, you can do as you please with the network and the affected machines.