Men without hats are living on the edge

How to solve the Clash between ethics, personal integrity, “the system” and hacking? A special post for the holiday season.

By Uri Biber CISA/CISM/CISSP/CRISC, member of the Neuroleadership institute.

Should a hacker ever give up his values and belief system, and if so, when? This blog is about the clash of personal belief with reality, and why a newly defined international standard can help us reach a more universal definition of what is good and what is bad.

About a month and a half ago a gambling company located in Gibraltar contacted me. They found my CV on monster, they saw I was interested in a new role (still do) and so they asked me if I want to work for them. When I told my friends and family about it had brought upon me a rain of criticism from some of them who said to me “You? Work for the gambling industry? How can you work in such unethical place?”, and this brings me to the subject of this blog is – the explosive subject of ethics, moral, and universal truth.

 

Fast Forward

Watching the movie “The Ides of March” felt like watching a fast forward of my life as an IT professional. In the movie Ryan Gosling plays the role of the main character – a young man by the name of Stephen who is an idealistic staffer for a presidential candidate that gets a crash course on dirty politics during the campaign. The movie was directed by George Clooney and included amazing support actors such as Philip Seymour Hoffman, Paul Giamatti, Evan Rachel Wood and Marisa Tomei.

(The title of the movie “Ides of March” is based on the fact that the 15th of March was a day of festive day dedicated to the god Mars, and also the day that Julius Caesar was murdered, in 44 B.C. )

A lot of us start our career being very idealistic, which gives us a wonderful power – it motivates us to do more than others, it helps us make a bigger effort as we see the target in front of your eyes. We believe, and belief systems are what makes our perception feels the universe around us makes sense. Yet when reality comes crashing down on us, it is painful. The subject of losing your innocence during your professional life is something that is rarely being discussed openly during working hours by people. Sure, some people will find other people to share their disagreement with “the system”, but when we are being forced to do something which stand totally against either our professional or personal principles it leads to different reaction. Giving up our “core values” causes a range of reactions: Some will claim that what they did didn’t contradict their moral stand, and by doing so act like a rape victim that hides the trauma deep within their subconscious. Some will try to minimize it, others only talk about such events with very close friends, and some will not even talk about it at all. Most people rarely talk about this; the same way alcoholics do not feel that happy to talk about the fact that they are killing themselves.

Young and Naïve

When I moved to Brussels with my family at 2001, I was extremely happy. After managing the IT of a big pharmaceutical company I was offered a promotion – a position in Brussels, in the EMEA (Europe, Middle East and Africa) regional headquarter, doing a job I always wanted to do – coordinating various security and partner connectivity requests in our region. The role of my colleague and me was to help the business establish secure information exchange with various partners in the region. At least once a month we had a meeting with the people who were coordinating the activities on the other side of the ocean, at the headquarters which was located in US. One of my colleagues, an extremely smart guy by the name of Larry who worked in the field for many years had a sentence that he used to say from time to time, and I must admit that when he said it I sometimes got upset. The sentence was “ah…Uri, he’s so young and naïve”.

Larry said it because we used to get a lot of business requests for connecting our company to other companies (or vice versa), and sometimes I used to get a business request that made me feel as if someone is asking me to sell my little daughter. Let me think of one… OK, here’s an example, but please remember it is really not a real one (I hope LOL): “We wish to establish automated FTP to transfer information during a clinical trial. We need it by next week; can you please approve it ASAP so we could tell the network guys to implement it?”. As I was reading it, I was adding in my mind the missing parts in the request: “We wish to establish (insecure) automated FTP to transfer (of sensitive patient personal) information during a clinical trial. We need it next week; can you please approve it ASAP?”

This was usually the point in which I used to call the business unit that requested it, and explain to the person who sent me the request that we have a process in place that could give him a much more secure alternative. Most of the time the conversation worked, but sometimes I used to meet with very dedicated people who didn’t really give a $!@# about information security, and they wanted things to be done “their way”. Obviously I was unable to approve it…and obviously it ended up with that person complaining to his management (usually a VP) that “the IT security people are trying to destroy our clinical trials”. The fact that if that information had been leaked our whole company could have been facing a huge legal action was something most of them forgot to mention. This was usually the time when my refusal to give up security caused my manager to get involved (and give Larry reasons to mention again my naïveness).

I was extremely fortunate that my senior director, the person who was in charge of the IT operations in EMEA was a rare leader who gained a lot of respect by his professionalism. He backed us, even when we made mistakes he still backed us (but made sure we will learn from it), and having a manager who will fight for you is not an obvious thing. While I was fortunate to have such a managers in that company and others, some other managers I had were known for not providing the required back to the people who work for them, and when this happened, it brought a dilemma:

Should I stay or should I go?

At some point of your life as information security expert you’re going to feel like Stephen Meyers, the hero of the movie “The Ides of March”. You come to work with a clean ideological view of the security, and you than you meet reality, or the politics of business. That’s part of the game, and no matter how much other people tell you about it and warn you from it you will not understand it until you, yourself, will be required to make a decision – will you give them what they want (and by doing so do not follow your personal ethical standards), or will you move on?

I call it the coin point – you are given a coin, and you are being requested to make a decision which side to choose.

The first one side says “give them what they want” even though it stand against your professional or personal values. Some people say “I don’t care, it’s their own darn problem if something goes wrong”, which always reminds me a play called “Rhinocéros” that was written in 1959 by Eugène Ionesco. It’s a play about how people prefer to become part of the herd just so they will not need to face any moral dilemmas. So yes, you can choose to do so, but it comes with a cost of losing yourself. Some people give up on their moral stand because they understand that if they don’t you will not work there anymore, and leaving “a system” is a painful experience. At the beginning people tell themselves it’s the last time they will do so, but at the end of the day, when you give up your professional or personal values you position yourself at the same spot any beaten wife do when she (or he) tell herself (or himself) that it’s the last time they will do it. When you do it long enough the end result is that you will become part of the system.

The other side of the coin says “leave”. Now that’s a hard one – if you leave it means you give up, and hackers are not really known for giving up that easily. I don’t mean when someone leaves because he is getting a better offer somewhere else, or because of reorganization – I mean to leave because you felt the working place was not matching your professional or personal integrity. It did happen to me, twice in my life, and while it brought some unbalance to my financial state I think they were necessary steps during my personal development. I think when you’re younger it is easier to do so because either you don’t understand that this game is occurring everywhere, and also because when you’re young the consequences are usually much less problematic (“Hey mom/dad, I just quit my job – can I move back to your place for a while?”). And sure, sometimes leaving is not really an option:

Living on the Edge

This brings us to the last option. Each and every coin has an edge, and everyone knows how to spin a coin – you make it stand on the edge and by providing a burst of energy targeted at of its sides you can make it spin. Now spinning coins are amazing – they are shinning, they are fast, but also they are very vulnerable (and people do take advantage of this state of yours). You cannot spin forever, and any disturbance to the coin by unbalancing the surface it is turning on or trying to touch it will automatically make it fall on a side. So yes, there is a third option to a professional and personal dilemma – you can spin. You can choose not to choose, and try to pass the storm, but you can only do it for a short period of time, and only if you’re balanced enough (physically, mentally, emotionally and professionally). Most of the time, you risk falling on a side without any prior warning (and with or without people who will be “helping” you fall).

 

Back to Hack

The subject of breaking down ones’ innocence is a great theme for movies and a repeated pattern throughout the lives of most of us, but for hackers such event is usually very visible and most of the time carry very high personal penalty, regardless if they are inside the system or challenge it from outside. This was the subject of (yet another) movie called “Hackers wanted – director cut”. The movie was never released, and only been unofficially leaked to the internet last year (2010 – get the director’s cut which runs for 1:10:40). Directed and written by Sam Bozzo and narrated by Kevin Spacey, it explored the origins and nature of hackers and hacking by following the adventures of the hacker Adrian Lamo, and contrasting his story with that of controversial figures throughout history. To those who don’t know Lamo is, he is the guy the broke in 2002 to the New York Times, Yahoo, and Microsoft just for the sake of breaking in and showing their security failures. He is now hiding for fear of his life, after he turned in Bradley Manning that leaked hundreds of thousands of sensitive U.S. government documents to wikileaks. Kevin Mitnick, Captain Crunch, GeoHot and Lamo paid for their curiosity. Kevin Mitnick was thrown to federal prison for 4 years without trial (out of which 8 months in solitary confinement). Captain Crunch was beaten up by the mafia for refusing to tell them how he phreaked the telephone system and then when he was thrown into prison he was stabbed, causing him physical damage. GeoHot almost got into prison and was forced to commit to never hack any Sony system anymore after exposing the encryption keys of the PS3. And finally, in 2004 Lamo was sentenced to six months detention at his parents’ home plus two year probation, and was ordered to pay roughly $65,000 in restitution.

The examples above were just a hint of many examples I am aware of. On the one hand, organizations, governments, political and ideological groups use hackers all the time either to provide them protection or turn their knowledge into a modern electronic warfare human weapon. On the other hand, the same groups fear anyone who is hacking for what seems to those groups to be against their causes, and those people are being treated harshly and many times merciless. On the one hand, hackers are there to challenge the system, on the other hand the system they operate within can be viewed as a repeated process (true for any organization, if business, NGO or government) and due to the wish to optimize that process most organizations don’t like (hate?) changes and challenges.  The end result, in many times, is a Clash…

 

Ethics 101

This brings me to the reason I wrote this blog – the subject of ethics and hacking. Let’s start with a little Wikipedia:

Ethics, also known as moral philosophy, is a branch of philosophy that addresses questions about morality—that is, concepts such as good and evil, right and wrong, virtue and vice, justice and crime, etc.

How can you tell if you’re doing the right thing, ethically? After all, we all come from different cultures and one culture’s perception of good sometimes is viewed by other cultures as “bad”. What one people believe in might seems like a blasphemy to a big group of other people. Our world is diverse, so is our perception of it, and so are the ethics we “choose”. Ethical code is something very profound in humanity, something we all carry. The problem with ethical codes are that they usually a direct result of the environment they were created in, and are as such very subjective. Al-Qaeda have an ethical code which is based on Islam, the Mafia in various countries have a different ethical code (for example Italian mafia ethics are not the same as the Japanese Yakuza ethics). The western world has a Judeo-Christian ethical code, and this can go on forever. We look at the others and measure their values via our own perception, via our own ethical framework, and because the ethical language is different we sometimes see the others as morally wrong.

The clash between different ethical views can lead to horrible results. Take for example a middle aged Egyptian school inspector who came to the US in 1949 to learn about it’s education system. His name was Sayed Kutb, and his view of the ethical and moral view of the US influenced all of us. Kutb saw the American society as causing Americans to become isolated beings, driven by primitive animal forces. His belief system made him join the Muslim brotherhood in Egypt when his return to Egypt and he became one of the movement leaders. He was arrested after Nasser came into power, and was tortured by Egyptians who were trained by the CIA. This led him to become even more extreme in his views, and to see “selfish Individualism” as the root of all evil. One of his students was Ayman Zawahiri, the idiological leader of Al-Queda (You can watch Adam Curtis TV series “The Power of Nightmares” to learn more). Human history is filled with clashes between different groups with different ethical views.

The clash of ethics re-emerges in workplace, and sometimes you see one system (the country) and it’s regulations in clash with the ethical behavior of another system – a company. A good example to such ethical clash is Apple, who has a headquarter in the US and would never dare to demand from its employees to work under the same conditions the employees of its’ contractors work under. More about this soon.

Men Without Hats

When it comes to hacking we hear the word ethics endlessly. We have white hat, grey hat and black hat, and we define those terms based on the system they relate to – and I do not mean the technological system.

“white hat” refers to an ethical hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems. Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing.^[2] White-hat hackers are also called “sneakers“,red teams, or tiger teams. 

“grey hat” refers to a skilled hacker whose activities fall somewhere between white and black hat hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities. They usually do not hack for personal gain or have malicious intentions, but may be prepared to technically commit crimes during the course of their technological exploits in order to achieve better security. Whereas white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to “advise the hacker community as well as the vendors and then watch the fallout”.

“black hat” refers to a computer security hacker who breaks into networks or computers, or creates computer viruses. He is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero‘s white hat.

Wikipedia

So in a broad sense, the definition of what hat you wear as a hacker really depend on the environment you operate in, or the system you operate from within. If you are hired by a company to find their vulnerabilities and to report to them on your findings – you’re a good guy. If you try to figure out by yourself different vulnerabilities – you’re might be considered as a suspicious dude. and if you’re writing code which has malicious intent – well, watch out.

But I think the idea of “hats” is sort of pointless. If you develop a code for a government that later use it as an offense against another government (or, one system against another) you’re not considered as a “black hat”. if you discover a vulnerability in a security product and your organization/government/system use it as an offense to learn about the weakness of another organization/government/system is it unethical? Not all the time – especially if the organization you’re targeting is a terrorist organization, or the government is a government that torture and kill it’s civilians just because they are gay, or wish to have a democratic election.

Chris MacDonald, Ph.D., is an educator, speaker, and consultant in the realm of business ethics. In a recent blog entitled “What’s Legal Isn’t Always Ethical” he explained that In all legitimate cases of law making, the law always has a moral purpose — generally, either to make people’s lives better and safer (e.g., seatbelt laws) or to protect some important right (e.g., food-labelling laws). But if everything which was legal was ethical, than there would be no possibility of finding a moral rationale for any new law.

So not only everything that is legal is always ethical, but also the opposite – not everything that is illegal is also unethical, or as Chris MacDonald said it:  “Anyone who tells you, or simply implies, that whatever is legal is also ethical is most likely indulging in self-serving rationalizations.“. This begs the question – how can you know what is ethical?

ISO 26000

As I wrote in the beginning of this blog, a new international standard might be able to provide us a much more objective and universal definition of what is good and what is bad. Last year a new ISO standard was approved. It is called ISO 26000, and it’s a standard for social responsibility. If you want to read the essentials of it, you can do so here.

The work on the standard begun in 2005, and it was created because countries around the world agreed that humanity need to ensure healthy ecosystems, social equity and good organizational governance. This International Standard was developed using a multi-stakeholder approach involving experts from more than 90 countries and 40 international or broadly-based regional organizations involved in different aspects of social  responsibility.  These  experts  were  from  six  different  stakeholder  groups:  consumers;  government; industry;  labour;  non-governmental  organizations  (NGOs);  and  service,  support,  research,  academics  and others.  In  addition,  specific  provision  was  made  to  achieve  a  balance  between  developing  and  developed countries  as  well  as  a  gender  balance  in  drafting  groups. The standard was approved with 94% of the countries supporting it (66 in total), and only 6% of countries have rejected it (5 in total – Cuba, India, Turkey Luxembourg and of totally (un)surprisingly, the USA).

A little bit about the standard. It covers 7 core subjects:

1. Organization Governance
2. human rights
3. Labour practices
4. The environment
5. Fair operating practices
6. Consumer issues
7. Community involvement and development

For all of those core subjects, social responsibility is defined as a responsibility of an organization for the impacts of its decisions and activities on society and the environment, through transparent and ethical behaviour that:

1. Contributes to sustainable development, including health and the welfare of society;
2. Takes into account the expectations of stakeholders (This means also customers, employees and the community which you operate in, not only shareholders)
3. Is in compliance with applicable law and consistent with international norms of behavior; and
4. Is integrated throughout the organization and practiced in its relationships

Last but not least, when it comes to ethics, the standard state that an organization’s behavior should be based on the values of honesty,  equity and integrity.

Here is a schematic overview of the standard:

The European Union via the European commission is already taking the standard seriously via a communication entitled “A Renewed EU Strategy 2011-14 for Corporate Social Responsibility“. If you want to understand why the US was against it, you can read the heritage foundation view on the subject, who were alarmed to see a statement such as “The Commission intends to… monitor the commitments made by European enterprises with more than 1.000 employees to take account of internationally recognised CSR principles and guidelines, and take account of the  ISO 26000 Guidance Standard on Social Responsibility in its own operations” in the document.

You can leave your hat on

I love ISO 26000 because it brings a new factor to our work in information security. It is an internationally agreed upon standard, which expand the range of responsibility of each and every one of us from being required to comply with one system into being required to look at the broad implications of our operations. Here is an example: If you are faced with an angry director who is trying to force you to implement a crappy security just because he think it’s a good idea to release an insecure system, you can look in the standard and see whether a security breach of that system could lead to ISO 26000 violations. After all, the standard talks about the fact that organizations that provide products and services to consumers (as well as other customers), have responsibilities to those consumers and customers. The standard also mentions specifically that organizations that collect or handle personal information have a responsibility to protect the security of such information and the privacy of consumers. If the system might leak customer information, it will make you ISO 26000 non-compliant. Or if the security of the system that you design might end up with a risk that the system will cause an environmental damage, it will be (again) a violation of the ISO 26000 standard. So IMHO I feel we can finally say we have a way to define what is good and what is bad, at least when it comes to a workplace because it expand the responsibility of the organization from only the shareholders to the stakeholders.

The standard also put more pressure on organizations because now, if they will be hacked, and they were not transparent, violation of ISO 26000 might result in financial implications in an international scale. In the near future you will not be able to be in the supply chain of big manufacturers if evidence will be provided that you violate the ISO 26000 standard.

And finally – if you work for the mafia, or for any other organization that does not take into account any of the core objectives of the ISO standard – congratulations – now you’re defined internationally as a member of organization that is operating against humanity, including in your own country.  You can leave your hat on – but if you are a real hacker you should also hack yourself and see whether you are a socially responsible hacker.

n

Happy holidays and a great 2012 to everyone

(C) All Rights Reserved 2011.