Ethics, Morals, and Hackers, oh my!?!
There have been more than a few posts lately discussing things ranging from Bastards are all Hackers to a discussion on some report from Symantec (oh, let's all hold our breath and pay attention) My opinion on some report and a buck fifty will get you a cup of coffee.
Ok, sorry, that was a little blunt. I'm not attacking individuals here, but I AM singling out an attitude and manner of discussion lately that involves less of the proper intelligent debate and more of the fanboi bitch-n-moan-a-rama stance.
Ethics is not an exact science. Neither are communications or human interactions. I had a lengthy discussion with someone recently because he felt I was belittling him for of a certification he holds. Here's the root of the issue:
So he got all offended that I was saying he is worthless because he took some (very hard...his words) test and I don't think he's worth a damn. He got all of those personal attacks from the body of the email above. I don't know how, but that is what he felt.
Original internal email that has been purged to protect the guilty, sent Friday the 17th
Just some beer-30 musings from me on the Certified Ethical Hacker credential
from the EC-Council. http://www.eccouncil.org/CEHFAQ.htm
I have been considering testing for this fancy cert that means 'Trained
Pentester', for quite some time now. I was curious what the internet
consensus was on this cert, and found this blunt assessment from P.J.
Connoly at InfoWorld. While I somewhat agree with his sentiment of 'real
world experience is more valuable than certification', I also actually LIVE
in that real world and recognize that experience with NO certifications
makes you a MUCH harder sell to a client or employer. Experience must to be
tempered on the anvil of certification. (catchy, eh?)
But the point of this is his statement about the EC-Council's semantics,
"But pretending to "certify" someone as ethical is
downright dishonest. It's one thing to give a character
reference to someone you know personally or
professionally. It's another to claim they'll behave
ethically under every conceivable situation."
That really strikes home with me, being a former police officer and public
servant who swore an oath to defend and uphold the Consitution of the United
States, as well as the Laws, Charters, and Ordinances of my state and city,
and to defend life and liberty within our borders.
I'm not knocking anyone in our org who holds a CEH; personally, I'm a tad
jealous that you could legitimately put the word 'hacker' on your biz card and
smirk when your boss questions it. I'm still pondering if this certification of
knowledge and skill is what I would want to present to a client. But I do have
a problem with any business, non-profit or not, certifying others as 'ethical'.
To paraphrase one of my favorite David Spade/Chris Farley movies, "If you
want me to take a dump in a box and mark it guaranteed, I will. But for you
and your customer's sake, ya might wanna think about buying a quality item."
Our Consulting Group
This Big Ole Company, Inc.
O: 555-1212 F: oh, like anyone uses paper fax anymore!
"Hacker" is a word that is here to stay, and it will be (mis-)used by the press and individuals until it falls out of popular favor. What it means varies from who used it to what venue they uttered it in. How we use it to evoke a reaction from our audience will also vary.
How we choose to interpret a symbol is of pivotal importance. The problems in this world are oft rooted in miscommunications and a failure to heed the needs of our opponent.
Call yourself a hacker, a cracker, a fat-boy-slim macker. I don't care. I will try to recognize your perspective and position, and what your intent by using such symbols. In doing so I am bound to make mistakes, but I will *TRY*. But please recognize that I am one of many, many other individuals in this world who must also make an attempt to see your point of view...and most of them wont give a rats ass.
One man's hacker is another's savior. And a thirds terrorist. And a fourth's holy warrior. Ethics is a slippery slope of perspective, definition, morals, and personal judgement. CopyRight can take over this discussion now, if you are interested in pursuing the philosophy of ethics.
Intentions are not always obvious. Tools are not inherently 'evil' or 'good'. An attack may come from a compromised host, whose oblivious owner has nothing but good will for you.
Let's be careful before we start using labels, and judging others based on labels. It does more harm than we realize.
</tree hugging rant>