Use and abuse of hacking

[arvindiyer]

In the context of the many discussions on ethics that are undertaken here, it will be instructive to hear the views of the many practicing developers in this community on what is an appropriate and productive attitude to adopt towards hacking.

Here is a broad outline of the terms of references, which is not limited to the criminal connotation of trespass that hacking has acquired, but also the often benign and value-neutral notion of tinkering.

- Access of resources via the 'trespass' of hacking for wreaking 'denial of service' seems to us intuitively on a different footing morally than hacking for a release or distribution or redistribution of resources. Such a Robin-Hood formulation may of course be countered by corporates saying that 'denial of profit' maybe a worse attack to the economic engine than 'denial of service'. Like a notion of 'just war' or self-defence as a legitimate reason for firearm-use, are there well-argued criteria to demarcate situations that justify hacking? A direct application of 'just war' and 'self defence' principles is arguing for wire-taps and email surveillance on national security grounds, but isn't there a downside to private vigilantes invoking such arguments? Are there historical instances or even plausible hypothetical instances where hacking of some kind was indispensable to access life-saving or mission-critical information?

- To what degree can corporations (or even startups) reconcile the Code of the Tinkerer with the need to be 'process driven', comply with 'coding standards' and use 'principled approaches'? Apparently, any reconciliation that has been attempted has met with only limited success, given how flamboyant hacker whiz-kids dread domestication by companies that demand lifestyle changes. Tinkering of the sort that invites serendipity and tournaments between tinkerers that encourages competitive innovation have yielded much in terms of technology. A case in point is the development of the RSA algorithm as a result of a mutual 'hacking game' of sorts played by the developers whose initials give the algorithm its name. What can complement initiatives like 'boot-legging time' or '20% innovation time' to give tinkerers and hackers the breathing room they need?

[Lije]

Instead of viewing hacking as something new, it can be placed in the context of what humans have always been doing for millenia. I think that would help in judging how ethical or unethical an instance of hacking is.

The cases where I think hacking is ethical::

1. You buy a product, but it has some feature restrictions. You are capable of circumventing them, but doing so illegal. You paid for the product. You are free to do whatever you want to with it. But it is not unethical. A good example is what RMS did with a printer.

2. There are cases where whistle blowing is seen as ethical. So hacking for whistle blowing is ethical.

3. White hat hacking where you fish around for vulnerabilities and inform the other party so that they can close the security holes. This is illegal in some cases, but not something I would call unethical.

Coming to the the cases I think are unethical, they usually involve some kind of faulty ethical reasoning:

1. The ‘luser’ is technically inept. It’s like someone driving a car without proper training. So it’s justified to hack and teach them a lesson.

An equivalent case is justifying breaking into someone’s home as they had weak doors. Here the responsibility lies not with the people who have weak doors, but with people who can't respect the right the other people have on their property/privacy.

2. Cases where DoS, defacing websites is considered to be a protest.

Protests usually involve people coming forward to express their objections. These people are willing to put themselves in the public and are ready to face consequences of of that. Of course, most decent governments allow some form of protests. When a protest isn’t allowed, the people protesting give themselves up for legal action. Their willingness to put a significant effort to attend a protest, and be persistent and put themselves in the line of fire if needed is what gives moral weight to the protest.

DoS or defacing websites are usually done anonymously. There are no consequences to be faced. There is not much effort involved either. So from the point of view of how serious your objection is, defacing websites don’t actually say much.

[arvindiyer]

Thanks Lije for the case studies and the timely reiteration of the need of transparency and accountability even in legitimate protest. That seems to be something often forgotten in the hailing and cheerleading of protest of the Wikileaks or Anonymous variety. For an expose to qualify as whistleblowing, it must result in the acquisition and delivery of credible and incriminating information in a manner that assists law enforcement or legislative action. It is by that standard that netizens ought to judge whether the ventures named above are indeed whistleblowing ventures, or simply intent of showing with a flair for graffiti antics how State-based lusers leave backdoors ajar.

The above post also served to jog my memory of an open-air talk delivered by RSM at the VJTI campus in Mumbai in February 2003, which he began with the printer story. The FOSS story is a constructive one in that its participants define themselves as developers living true to their creed rather than as wreckers of any business. Likewise, encouraging participation in a parallel open-access science-publishing industry to challenge the monopoly of paid journals, maybe a more constructive and also more transparent means of protesting inequitable access to information, than inflicting security breaches on existing journals.