Interview With A Hacker

Are hackers that draw attention to security vulnerabilities instead of exploiting websites for fun and profit really akin to terrorists? When do self-declared “helpful” hackers cross the line into becoming full-blown cyber criminals?

Something about the Still Secure After All These Years blog author Alan Shimel’s take on the hackers who publicized vulnerabilities on several security company websites has me thinking about that old expression about shooting messengers.

Shimel: “Softpedia has an interview with the Romanian hacker group that broke into several security company web sites including Kaspersky, F-Secure, Symantec, etc. Personally I don’t care what they have to say. I think giving these guys any play is akin to negotiating with terrorists. What they did was illegal and wrong and they should not benefit from it.”

But the Softpedia interview makes clear that the hackers consider themselves to be doing a public service.

HackersBlog: “Luckily for the rest of the people, this union has not been based on an idea of destruction and mayhem oriented towards companies and websites, but on cautioning users about the dangers out there on the Web, as well as putting programmers on guard regarding the security flaws we find in their pages.”

Responding to Kaspersky’s contention that making the vulnerability public only an hour after notifying the company directly shows a lack of ethics, the hackers say:

HackersBlog: “Their complains (sic) about our "timely manner" are pitiful and shameful. They had about a day to take action. From our standpoint, one hour should be more than enough for a site of the caliber of Kaspersky, let (sic) aside the fact that it was bad that it was there, as we previously mentioned.”

Clearly, both the security companies and the hackers can improve their approach.

The security companies ought to remember Henry Ford's saying: businesses that exist to make money tend to fail. Businesses that exist to provide a product or service that fulfills people's needs or wants will succeed at that, and will make plenty of money as a side effect.

The companies presumably want to provide real security that fulfills their customers' needs. They should be grateful for the opportunity to improve their own security that these hackers are providing, and try to work with them in a more encouraging manner, perhaps even compensating them for specific penetration test efforts if they really turn out to be that skilled.

To be sure, the hackers could also change their approach. If these hackers are truly all about putting programmers on guard regarding security flaws, then their condescending attitude will not encourage trust and good faith amongst the companies they're supposedly trying to help.

I think an improved attitude and better collaboration amongst the security companies and the hackers is possible, and this will help create a more secure wired world for everyone. I'd love to get comments from security company reps, whitehat hackers or anyone else interested in this topic to see whether I'm on the right track.