Sunday, 26 February 2012

What colour is your hat? OR What is "ethical hacking?"

Morning sports fans! No, I don't care if it's not morning here nor where ever you are, but it's morning somewhere. Also it will eventually be morning, so I'm counting it. Well, my recent increased blogging is due to me being constantly mentioned on the HappyFace podcast, which is done by my friends. They have challenged me to post at least once a week so that they can talk about me more, so let's see how long I can keep it up. Now first (and only) order of business today is ethical hacking.

So, recently this happened (All the articles I have found say pretty much the same thing, so I won't link to anymore). Glenn Mangham has been sentenced to 8 months in prison for computer misuse, more specifically hacking Facebook. "But, wait! He's an ethical hacker. He's one of the good guys!" You say excitedly. No, dear reader, not quite. Yes, yes, there is the whole £7,000/$7,000 from Yahoo! and whatnot, but there is a slight twist to this little tale. So, lets start by clearing up exactly what we are talking about.

An ethical hacker, or white hat, is a hacker who spends their time finding vulnerabilities in systems, applications, websites and pretty much anything that's connected to anything. Once they find such a vulnerability, they record the details of what they did and send it to the creators and/or maintainers of this product. Companies respond in many ways to this, ranging from a thank you e-mail to cash rewards to a job offer.

A malicious hacker, or black hat, is not so nice. Upon finding a vulnerability, they will try and exploit it for personal gain, normally for money. Of course they can record the details and share it with others, but now with the makers of the product. Once they are found out, the companies tend to come down on them pretty hard and fines and jail time normally ensues.

So, that's all nice and clear cut and very much black and white, if you will pardon the pun. Sadly, the real world is not so clear cut, as evidenced by this case. There are times when a person will at times be a black hat and at times be a white hat, somewhat of a grey hat if you will. A white hat may use their skills for some personal gain, in a very black hat kind of way and on the flip side, a black hat may actually do some white hat work.

To illustrate this further, let's look a bit more at Glenn Mangham. He did some white hat work for Yahoo!, which is all well and good. But then he hacked into Facebook in a very devious manner. Now from what I gather, he uploaded some malicious code to the puzzles server which Facebook uses to test potential employees and gained access to the internal system. Now, here's where it gets really devious.

From what I have read it seem he managed to impersonate a Facebook employee, get his password reset and thus gain access to all of Facebook's servers. He then proceeded to download important data to an external drive and delete all evidence of his little visit, or so he thought. Turns out that Facebook actually found out about this and it cost them something to the tune of $200,000. Now that's a pretty penny and a chunk of change.

Two very important things come to my mind here and those are:
1) To the best of knowledge, Glenn Mangham didn't inform Facebook, thus disqualifying him as an ethical hacker
2) He entered a guilty plea
Having considered that, he is definitely guilty of hacking, or computer misuse in legalese, and should be punished for his crime. The whole argument that he is an "ethical hacker" hold no water whatsoever. There's not much more to say, so I;m going to leave it at that. Good night sports fans! (Again same argument as above :P)

No comments:

Post a Comment