ZDNetAsia : Printer Friendly - Hackers: What are they good for?

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Hackers: What are they good for?

By Will Sturgeon
Thursday, May 03 2007 11:02 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62010265,00.htm

Security experts have hit out at the notion that there are benefits to be had from engaging with cybercriminals in order to better understand emerging threats.

However, many are calling on the industry and media to recognize the work of so-called 'ethical hackers' and to acknowledge that not all hackers are criminals.

Bruce Schneier, CTO at BT Counterpane, told ZDNet Asia's sister site Silicon.com: "Hackers are not criminals. Hackers are individuals who know how to subvert systems. I don't think we open a dialog with the criminals, like we don't open a dialog with the mafia but the techniques that hackers understand are very important for us to understand."

However, the line between ethical hacking and the more common notion that hacking is related to criminal activity is blurred for many people and creates considerable gray areas. But for one lawyer it is pretty clear-cut. Ethical hackers--to be considered as such--must have been authorized by the rightful owner or administrator to test a system or application.

John Fell, partner at law firm Pinsent and Masons, said the issue of authorization is critical. "Lawyers love definitions," said Fell. "'Black hat', 'white hat', 'ethical hacker'. But when you talk about ethical hacking there has to be some authorization."

Those working on their own initiative fall outside the legal definition, said Fell.

'White hat' hackers
Graham Cluley, senior technology consultant at Sophos, said the actions of some 'white hat' hackers who find and disclose vulnerabilities can be as damaging as criminal activity if disclosure is handled irresponsibly.

Peter Wood from First Base Technologies is a well-established ethical hacker--or penetration tester--and says he must tread very carefully in his line of work. Wood normally only begins his attempts to breach the defenses at companies hiring his services once HR and IT departments have given him sign-off.

However, beyond that, he said: "We try to take the same approach as people who attempt to break in with malicious intent."

The question of whether criminally motivated hackers can deliver value to businesses and help understand emerging threats also divided experts speaking to Silicon.com.

But First Base's Wood said many attackers now need no specialist knowledge due to the vast amounts of tools made available on the Internet. As such, the notion that hackers possess a gift for complex code is far from the truth.

Sounding a warning to businesses, Wood added: "Attacks are getting easier and easier for people who may not be that technical."

Will Sturgeon of Silicon.com reported from London.