There have been several published works lately on what the media calls hackers, the hacker underground, the information security industry, and the technorati class in general. Here are a few:
- Phrack #63 section 13 The death of the underground
- Zero For 0wned The “Industry check” section
- H Security All Around My (Black) Hat
- CNN Technology Hanging with hackers can make you paranoid
In order of relevance, naturally.
The increasingly organized-crime character of the technical adversary community, and the quality of technical achievement in general, has been an ongoing and frequent topic of discussion with nearly every clued-in person I know in the industry.
The truth of this is debatable, but the facts are not. The average technical practitioner, as opposed to the paper-credentialed individual, is getting older. Skill sets, in general, are getting shallower.
My take is that the interest of the industry at large has shifted away from the hacker mindset, wanting to know how things work and looking for elegant solutions to complicated problems, toward one of functionality and bad-practice engineering.
Functionality and not structural integrity:
- Why debug a system or application when you can reboot?
- Why use hard, proven technology when you can make a Web 2.0 AJAX application that has no native trust model?
Some of the heavy-handed moves driven by the DMCA pose a question. What is gained by legislation that effectively outlaws security research and reverse engineering by imposing enormous civil and criminal penalties?
I say that the answer is nearly none at all.
Banning cloning research merely relocated the innovation centers overseas. It didn’t stop the development of that line of research, it just assured that those in the United States would not be a part of it.
Instead of reacting to problems by fixing their cause, many corporate entities, and their friends in Washington, respond by lobbying for legislation that outlaws the practices threatening their business, and by writing fraud off as a cost of doing business.
Instead of focusing on hard problems that need elegant solutions, we’re making examples of kids who modify consoles. The laws of the United States have limited influence on those who live outside its borders.
Where does that leave us when the innovators are Russian criminals and it is left to academics to study their malware? Are we just left to study the malware left behind at crime scenes and the trash after their parties?
Let’s look at a real world example. Germany.
From Phenoelit’s .de webpage:
In June 2007, the German parliament passed changes to the computer crime laws, including §202c StGB, which states (unapproved translation):
Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to
- passwords or other access codes, that allow access to data or
- computer programs whose aim is to commit a crime
will be punished with up to one year jail or a fine.
Additionally, this new section is interwoven with other laws, including the ones covering terrorism. The current interpretation includes the acceptance of others committing a crime using your (or our) material as violation of §202c.
What did they, and THC, and others do? They left Germany. The JAP project was undermined. Tools, content, and discussion were sent beyond their borders. Oversight of those tools went along with them, ensuring that only seasoned criminals, and not security professionals, would work with them in Germany. I look forward to future case studies on breach disclosure and its relation to this legislation over time, since several consultancies do not want to take their chances providing penetration test work product there.
I’m really disappointed that a wake-up call has not gone out. The problem here is not full disclosure, free bugs, or video game console mod chips. It’s that we’re treating the easy symptoms instead of attempting the difficult cure.
Channeling this passion and genius into solving problems, instead of outlawing it and leaving it to criminals, is the ideal. I’m not going to try to wage the Fair Use war that Lessig and Change Congress are engaged in fighting, but I am advocating that we approach the right problem and not just attempt to wish it away.
Jail penalties larger than those for murder for jailbreaking iPhones or chipping an Xbox strike me as ineffective. Let’s get real about what is in the best interest of society here. I submit to you that the present course is not it.