Is there such a thing as a good hacker? Isn’t “ethical hacking” an oxymoron? Let me challenge your beliefs and the prevailing media message. Hackers are not evil; in fact, they generally want things to be safer and better for all. At this point, you’re probably ready to either label me as a lunatic or give me a lesson about “hacker” vs. “cracker”. Let’s skip the historic definitions. The facts are simple. Public perception is that a hacker is evil, but within the hacker community, it’s a badge worn with honour. Hackers don’t ask what something does; they ask, “How does it do it?” Seeing hackers in a negative light just for seeking that information is unfair. They may have the knowledge to be harmful, but the current reputation associated with a “hacker” is about the same as labeling all martial artists violent and evil. Sure, they have combat training, but most martial artists aren’t criminals making stealthy kills for fun or profit.
Having spent a number of years near the hacker subculture, I have to voice my opposition to their current reputation. The so-called “hackers” I have met are really the people keeping a watchful, protective eye on the government, private industry and the products we all use. If there were no one to point out security flaws, who would ever fix them? Who would even put effort into producing something secure in the first place? Who would protect your right to privacy? Protect your identity? Sure, criminals can exist in every trade, but they don’t make up the majority.
Anecdotally, I can tell you that most of what I learn and apply as a security professional (a much more socially acceptable label) doesn’t come from commercial seminars and tradeshows, but rather from attending self-proclaimed “hacker-cons”. There are no vendor talks. You just get the real scoop on the latest in attack techniques and appropriate defense measures. I should point out that in more than 8 years of attending such events, I have never attended a session that talked about attack methods that didn’t talk about appropriate countermeasures. Much like learning martial arts, you must learn the attacks to be able to defend yourself.
What I find most interesting is that even as a regular member of society, the overall hacker movement has generated a number of benefits for me. I have Pretty Good Privacy (PGP) for strong encryption thanks to Phil Zimmermann. I have an operating system with fewer vulnerabilities that are harder to exploit than ever before. I have a wireless connection that someone can’t easily eavesdrop on. These sharp, technical minds never take anything for granted and are constantly researching how things work, finding weaknesses and proposing ways to make things better. Without “hackers”, no one would have noticed that AT&T was cooperating with the NSA for illegal wiretaps, and there would be no Electronic Frontier Foundation (EFF) to take them to court and protect individual rights. The list goes on.
I expect that the general public will read a few media extravaganzas on credit card and identity theft and stereotype all hackers. What’s interesting is that even major industry certification bodies don’t seem to really understand this sub-culture. I run an annual security event called SecTor and one of the speakers last year was Johnny Long. The sponsor in question here was ready to pull out because a “hacker” was speaking at the event. Johnny is best known as “the grandfather of Google hacking”, a technique he perfected working as a professional penetration tester. Best I can tell, Johnny has only ever used his hacking skills to help folks protect their intellectual property assets by limiting their Google exposure, and he runs “ihackcharities.org”, using his skills and industry connections to get much needed support to children in third world countries.
So I encourage you: take a martial arts class and learn to defend yourself on the street, and take a hacker class and learn to defend yourself online. Then use neither skill for evil, but do leverage your new understanding and stay safe.