Rule 8: Good and Evil Blend into Gray

All definitions of computer security contain an implicit conceit: that there are "good guys" and "bad guys" out there, or "white hats" and "black hats." Virtually every popular book and movie on the topic indulges in this conceit, from Clifford Stoll's The Cuckoo's Egg, where the wily Berkeley hacker hunts down international spies, to The Net, in which Sandra Bullock plays a system administrator stripped by identity thieves. In some ways, the adversarial nature of computer security reduces it to a kind of game. Unfortunately for the security practitioner, this game of judgement is "played against unknown adversaries plotting unknown harm at unknown times and places."¹ As someone concerned about the security of your systems, you might think of yourself as playing a part in grand drama, and this book and accompanying tools as props that can help you defend against nameless attackers who might be everywhere or nowhere at all.

I advise you not to fall into this conceit. You may be giving yourself too much credit and assigning too little to your "opponents." Don't overlook the fact that most security violations are perpetuated by company insiders. Your perpetrators might look a lot more like the suburban wallflowers that sit together in the lunch room than the techno-pop-addled ravers in the movies. Never forget that between every white hat and black hat actor, there are hundreds that wear gray.

The computer security profession includes a wide variety of practitioners, including highly-credentialed academics, retired military personnel, snake-oil salespeople from commercial vendors, and reformed crackers who have now seen the light. There is no central certifying body overseeing the development of the skills necessary for computer security professionals, nor is there an accepted canon of ethics. In this way, the profession resembles that of its opponents: the extended, multi-national, multi-cultural cracking community, from those who develop complex "exploits" to the "script kiddies" who learn at a tender age that computer crime is as easy as a double-click.

Rather than make a dichotomous break between those who protect systems and those that compromise them, consider how intimately intertwined the two are and the large numbers of people who fall into the gray areas in between. Consider the case of the "tiger team" -- computer security professionals who are hired to test the security of systems by attacking them. In some cases, these teams are composed of reformed system crackers whose former malevolence is generously rewarded. Even IBM advertises the services of its "ethical hackers." On the other hand, many a cracker has resorted to the educational defense -- claiming that, by cracking into systems, he is actually doing the victim a favor. Conversely, there are most likely more than a few professionals on the inside of almost any organization who have discovered that crime does pay.

Just as there is no clear line between the "white hats" and "black hats" in the computer security culture -- between the "ethical hackers" who find holes and the crackers who find holes -- there's no clear line between tools for improving security and tools that break it. A tool is just that. Any of the security tools discussed in this book can be used for good or evil just as a hammer can be used to build a house or break into one. A password-cracking program can be used to find weak passwords before an attacker does or it can be used by the attacker to gain entry. A security auditing program can help either a sysadmin or a system cracker to find holes.

Even tools and measures that appear to be purely defensive, like firewalls, are implemented by crackers in order to bolster their attacks. Only the most naive attacker doesn't account for the contingency that the victim may counter-attack. The most sophisticated crackers build sophisticated defenses to provide cover for their activities. Conversely, some organizations are adopting "strike-back" capabilities in order to bolster their defenses through deterrence.