Hack the planet?
Well, no one’s laughing now. Yesterday, Marcus Hutchins, known to some as MalwareTechBlog and before that by other names on IRC servers and forums, was detained.
Initially no one knew who by, where he had been taken or on what charges, which is what initially piqued my interest.
Since the news rippled underneath and then surfaced onto every single major news channel in Europe, other worrying things have come to light. The date the indictment was issued indicates it was before Hutchins even landed in Las Vegas to attend Defcon. He spoke to the FBI without representation. He’s 24. He’s British. He was on holiday, basically. He must have been very scared and very disorientated. As far as I can work out from his last tweets he was sat in the airport lounge when he was detained.
So why does this matter to you?
Hutchins single-handedly stopped WannaCry, the ransomware which took down most of Britain’s NHS and hospitals recently, among others. He says it was an accident. Not the words of an arrogant idiot. He maintains he was just poking around and decided on a whim to register the domain which was signalled as the killswitch inside the malware code.
I was following his tweets that night. There was a very clear path of problem solving, deep thinking, curiosity and persistence that led him to register that domain. What’s normal for him is not normal for most.
What’s normal for him isn’t normal for most
And there’s the rub. What we are dealing with here in terms of ethics and morals is someone who is part of a much larger group who self-refer as security researchers but whom the wider world calls hackers.
The inherent problem with that is there are two clear camps of hacker which the single word use doesn’t differentiate. One is white. One is black. This is how it’s been for more than 20 years. I’m not going into how I know this or why I know this. It’s not relevant. Just assume I have friends who know things, for now. It’s easier that way.
50 shades of grey
In between the white hats (don’t break the law, ethical hackers, help people, sometimes employed as ‘pen testers’ sent to deliberately try and break into systems to test their security) and black hats (the opposite) are 50 shades of grey. Because isn’t there always.
It’s a funny career path, becoming a security researcher. By its nature you have to know how to do the black stuff in order to defend against it. You have to have copies of it on your system to examine and test what works in stopping it. You have to know how to write a thing to defend against a thing. Essentially, you have to have read The Art of War to defend yourself even if you never intend to attack.
It’s a tricky line to dance around. Even way before that, most people’s access point into hacking is ‘what does this do?’, ‘what happens if I press this’ and historically ‘what happens if I dial this number using my modem’. I should imagine it’s all too easy to suddenly find yourself right where you shouldn’t be, having left a trail a mile wide behind you, pointing that it was you with a big big finger floating above your head.
Ethical learning frameworks
At some point, someone, a government agency or a big multinational company, is going to have to take point in this. They’re going to have to acknowledge that the curiosity which drives some of their biggest allies in the war on information and network security also drives them to accidentally trip into black areas sometimes. That sometimes, people start in the black intentionally, when they’re young and don’t know any better, cross through the grey and into the white and stay there for the rest of their career.
At some point, someone needs to build or open a framework which allows and encourages that curiosity, nurtures it, informs it, educates it and hones it, and with no hidden agenda other than ‘investing in the future’. Because nothing will make people run faster away from such a thing than a sniff of a hidden agenda, stored IPs, data collection or any other kind of nefarious below-board behaviour.
The Princess Bride
In my experience, white hat hackers, security researchers if you like, are some of the most well intentioned, intelligent, ethical and honourable people you’ll ever meet. Restless in their desire to learn and better themselves. Relentless in their desire to know more, create more, make more.
I don’t think it’s an exaggeration to say that their cooperation is crucial if we are to continue to retain some illusion of security around healthcare, government, national security and infrastructure security in the future. We really don’t want to annoy them.
So it might be an idea, say for example, when detaining them, to have your communication ducks in order and not make people known globally, within and outside a community, as one of the good guys disappear off the face of the earth for 22 hours.