Security Paradox

[gghornet]

Do criminal(black-hat) hackers serve a useful purpose?It seems to me that a lot of "black hats" try to justify their actions by saying something along these lines.If there wasn't a criminal element in the computer world would security be near as advanced as it is today?

Then "white-hats" tend to counter this by saying that there wouldn't be a need for security if there wasn't a criminal element to deal with.

It seems to me that these are both good points,because although there wouldn't be a need for security if the criminal element was taken out of the equasion,it would be disasterous if somebody did try to bring down the worlds major computer networks.
Hmmmmmmmmm.What do you all think?

[Syini666]

I think the black hats basicallly keep the white hats in business. If there werent badguys out there, then the industry wouldnt need anywhere near as many of the good guys to protect and maintain it. Its kinda one of those yin and yang principles, one needs the other, and vice versa.

[SodaMoca5]

Here is the added dimension to the paradox, and I believe the critical one.

If the decision makers would listen to their security specialists and to the white hats who find holes and would act on that information in an expedient and honorable manner then security would be further and black hats far fewer.

Most security holes are discovered by White Hats. They are then exploited when the White Hat publishes the exploit on a security web site. This has become a very popular way to get the hole noticed and to force the company to take action. Often when the White Hat contacts the company directly he is rebuffed and threatened. If he is working for a company and points out a security issue he is often ignored. The issue is shoved under the carpet and the person has to choose between his career and forcing the hands of his superiors.

The aged but popular SATAN was written by one such frustrated corporate security tester. If I remember correctly he worked for Sun microsystems and got so tired of them not fixing known flaws that he wrote and published SATAN to force them to fix the holes it exploited. It worked too, they fixed them and they fired him and tried to prosecute.

I truly believe that if corporate managers would listen and open themselves up to the white hats then there would be no debate about whether we "needed" black hats. Black Hats or Crackers would be seen for what they are: criminals. White Hats would also be seen for what they are. Their testing, probing, and initiative would be rewarded by acceptance, praise, financial reward, and recognition. Then the L33T d00d would be the one who helps not the one who exploits. Until that glorious day it seems that the White Hats need the fear of the Black Hats to force the Dunce Caps to pay attention.