Hack it up

The following is the unpublished first chapter by Kevin Mitnick (MTN), which is available only on the Internet. MTN is famous for ingeniously hacking his way up:
It is a very interesting write-up, and after reading it I feel that one needs to take a holistic view of hacking and act accordingly.
A few facts about Mitnick (MTN) as described in the article:
● Stole data and software from Motorola, Sun, Nokia and Univ
● over 10 million damage
● starting firm – help companies prevent attack, being honest and productive
● Advised govt on computer security
● Book – The Art of Deception
● front page of NYT
● disputed Markoff's book
● refused movie contract
● cyber laws introduced later – hence not illegal
● naive – not unethical
● social engineering
● self-learner
● motivated by curiosity
John Markoff (MKF) is the CNN reporter who busted MTN. MTN alleges the following about MKF:
● gave untrue information
● defamed MTN
● wiretapped FBI
● computers of NORAD
● no intentional damage
● journalistic ethics – relationship with Mitnick
● defamation
● personal animosity
● intercept phone call
● Shimomura – personal friend – cyber hero
So, the problems as I see here are as follows:
● MKF violated journalistic ethics and federal laws
● MKF printed unverified information on MTN
● What did MTN do with the data and information of other companies?
● Did he sell it to competitors to gain money?
● Did he leak information to the public?
● Did he allow others to access that information?
● Who benefited from that data/software – customers, competitors, government, society?
● Is there proof that information leakage caused loss of intellectual property?
● Is phone phreaking/social engineering a crime?
● Did he actually do good by telling companies that their security networks were vulnerable?
● Why did MKF take it upon himself to incriminate MTN?
● Why did NYT publish the article without due verification?
● Did the government act proactively?
● What message did the government want to give the public by jailing and releasing him?

Using Frames and Socratic method of questioning, we identify the problems from the following perspectives:

Hackers:
● Is revealing vulnerability in security systems of organisations a crime ?
● Are the laws limiting creativity and innovation among people ?
● Is revealing unethical and unlawful practices of some companies crime? Are we not doing good to society?
● Could we have been creative if we were given the job to protect the company's security rather than hacking it?
● We are intrinsically motivated with curiosity, challenge and desire to learn – is that wrong?
● There is no other practical avenue to practise rather than actually breaking into somebody else's system
● We are not geographically located so which country's laws should apply to implicate us?
● If we do not do it, then somebody else (even foreign hackers) can do it. So how can you control this virtual world?

Organisations:
● Overspending on security systems leading to higher prices for customers and less value to shareholders
● Every day new means are being developed – good programmers are not able to keep up
● Loss of intellectual property
● Information getting leaked to public domain. Information is power.
● Competitors are able to know secret details of company strategy, product information. Should I also use hackers to know their information ?
● Causing financial damage – not able to measure the damage as we are not sure about the amount of information stolen
● I have the responsibility to protect any information. Hence, will hiring a good hacker help the company?

Government:
● Have been reactive, undermined the information and security revolution
● New means of security breach coming up everyday – takes longer to make laws
● Are we making laws limiting creativity?
● How can we control the virtual space while we have only geographical jurisprudence ?
● Are we setting the right precedents by punishing cyber criminals ?
● Is hacking for public good a crime ? What is the measure for accusing someone of doing harm due to hacking ?
● What should be the nature of punishment – how long? What should they do after release?
● Can criminals be used to catch other criminals ?
● Can criminals be used to save society ?
● Can cyber criminals be allowed to live normal life and make money out of their experiences – thus aiding public in new ways of doing things?


Society:
● As an upcoming hacker – can I make money later like Mitnick? Can I be like Mitnick?
● I have a right to know if companies/organisations are doing illegal and unethical work – is the right to information illegal?
● As another organisation, a rival of the hacked company – I need to compete, and what matters is not the method but the final outcome. Getting to know free hacked or paid information is invaluable to me. Then the organisation can make profits and provide value to shareholders? Customers will also benefit from a better rival product at a competitive price if the information allowed me to do this
● The hackers and other criminals are triggering imagination in the wrong direction for the masses. Hence they should not be allowed to tell their story and make profits.
● People by nature are curious – hence anything (laws, media) that stops people from that is restrictive – hence should not be allowed
● The media should be allowed all necessary jurisprudence to let people know the truth – so they can violate federal laws
● The media should not be partial and reveal all details including personal information
● The media should not reveal unverified information


Using Analogy/Force Fit to generate solutions:
Used the following objects (bat, water) to find analogies to hackers and information

Characteristics of bat:
● Not seen by people in daylight - hackers also not visible to society
● Find prey by emitting ultrasound – hackers also use secret code to find prey
● Some bats are harmful to society – vampires. Some hackers are harmful to society as they do it for money or personal animosity
● Cannot see – hackers also cannot see that they are being unethical, as they are confined to space or time. They are led by curiosity and intrinsic motivation.

Characteristics of Water:
● Flows freely, cannot be controlled – same with information
● People use it for sustenance – information is the sustaining force of organisation
● People use it when required – information is also same
● Can be of various forms like – river, lake, sea, rain. Information can also come in various forms – radio, television, internet, newspaper, public speech, people interaction
● Water can only be controlled for limited periods as in dams – so also information
● Water can cause harm: more of water – flood, less of water – drought. Such is also the case with information. More or less of it can damage society.


From the above analogy we can deduce that, just as not all bats are harmful to society, not all hackers cause damage to society. So, if bats are allowed to live, then hackers should also be allowed to make a living.

Secondly, from the analogy of information with water we can say that just as everyone has a right to live, with water being the sustaining force, so should information be allowed to be available for organisations to survive.

Hence, the problem now boils down to which sort of hackers should be allowed to operate, and what amount of information should be controlled and for how long. Who should control that information: organisations or government? And who should regulate the hackers: society or government? Can cyber crime be controlled in the same way as other crimes?


From the above problem it is clear that someone who can control the information can also control the hackers. However, government is not in control of the information, so it will not be able to control the hackers effectively. Also, governments are themselves in need of information to protect themselves and society at large. So, clearly cyber crime cannot be controlled in the same way as murder or financial deception is controlled, because it has both useful and bad purposes for all stakeholders involved. Thus, hackers should not be eliminated or limited but should remain in the ecosystem; information can only be partially controlled, and society decides how much and when. Society can, however, decide what sort of information should ethically be revealed and who should have the license to do that. Since organisations are part of society, they should be responsible for protecting themselves and society at large.
Ethically, it satisfies Egoism, Utilitarianism, Kantian duty and Aristotelian duty. Information is good for most people. It upholds the dignity of every stakeholder and also allows creativity to survive. So, people can improve upon the information made available to them for the greater good.
Cyberspace does not have any geographical boundaries, hence there is a need to come up with a uniform law for all nations. There can be a treaty which provides for deporting cyber criminals easily and prosecuting them at an International Cyber court. I strongly feel that existing laws are not sufficient to tackle this rapidly changing world of technology and to curb the menace, if any.
