Security / August 5, 2015

Why We Need Hackers

This week I’m at Black Hat, perhaps the most well-known hacker convention in the world. And, over the years, I have witnessed tremendous changes for this event. What was once a semi-clandestine security geek gathering, where noobs like me feared being hacked while at the event, today has taken on the look and feel of any other commercialized trade show. But one thing hasn’t changed, and that’s the disclosure of all sorts of new and interesting hacks.

My first Black Hat experience was 10 years ago. I was drawn into quite a controversial issue, one that some of you may recall, involving Michael Lynn, a researcher at ISS, and Cisco. It was quite the kerfuffle. More so, it generated a heated debate about ethical vulnerability disclosure processes and how IT vendors should respond to such “findings.”  But, what piqued my curiosity ran much deeper… why do we even need hackers?

Taking a page out of Wikipedia, “a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.” The key words there are “seeks and exploits weaknesses.” Wait a second, doesn’t that apply to just about every industry?

Sales and marketing organizations seek to exploit weaknesses of their competitors in order to gain market share. Professional sports teams seek to exploit weaknesses of their opponents in order to win championships. Medical researchers seek to exploit weaknesses within the genetic makeup of diseases to find new cures. Lawyers seek to exploit weaknesses in testimony, the law, well, just about everything they can in order to win. Hackers are everywhere; it’s just the ones in computer security that tend to get the bad rap.

And why is that? My guess is that it has to do with the destructive nature of viruses and worms. Yes, I’m referring to things like Melissa, ILOVEYOU, and who could forget Code Red or Nimda? My personal nightmare came in 1999 with ExploreZip, which wiped out all the electronic files where I worked. (Yeah, losing all your hard work tends to make people really angry.)

But that was so 2000. Things have changed and hackers (and malware) are way more clever and sophisticated. Enter today’s nation-state cyber warriors, international cybercrime syndicates and advanced malware like Stuxnet. These are the actors who account for most of the $400 billion lost globally to cybercrime each year.

But, there’s another side to hackers… the “White Hat” side, which is far more important and I would argue, has a greater market impact. I’m not just talking about pen testers, but really what I’m addressing are the “researchers” (i.e. hackers) who find the holes – the same holes – that allow bad guys to do their nefarious deeds.

We (and I mean everyone) need these kinds of hackers, and here’s why. Today, most electronic goods (hardware and software) are pushed to market under tremendous time and price pressures. Often, this translates to offerings coming to market with latent vulnerabilities. Normally, internal quality assurance processes ferret out these vulnerabilities before goods become available, but many times these vulnerabilities are incredibly subtle and are missed until someone else finds them – our hacker.

Hackers represent our collective, crowd-sourced solution to making products better. They find the errors that were overlooked at the factory. They find the coding mistakes that allow others to insert malicious code. By working with the vendor community in an ethical and responsible way, they add tremendous value, which helps us all. And this is why we need hackers.

Here I am at Black Hat, and I still consider myself to be a noob. I’m less worried today about being hacked at the show, but I’m more convinced that the industry needs events like Black Hat, responsible hackers, transparency around privacy, and the sharing of information that makes technology better.