Cyber Security: when Laws don’t protect hackers

Cyber laws don’t protect ethical hackers: today we live in a very interesting time, one in which information security and the legal system should be closely intertwined.

However, it seems that they are not on the same page: they use different terms, and if they don’t understand each other well – in the complexity of cyberspace: bits vs. legal codes – the only result will be that an innocent person is prosecuted while the real guilty party remains free. And one more thing: what about the security policies to protect security researchers?

Is it right to break unjust laws?

A new project created by Alberto Daniel Hill and Ghost Exodus, together with their InfoSec Group, wants to change things and protect well-intentioned hackers from legal action when they reveal security vulnerabilities. This means that white hat hackers should not face criminal charges if they find a flaw in an organization’s systems when they do it in good faith.

Ethical hacking and criminal activities are similar but deviate

Ethical Hacking and the Legal System
Alberto Daniel Hill was the first hacker to serve time in prison in Uruguay. Ghost Exodus was the first hacker sent to prison in the USA for hacking a SCADA system. These are their stories and their plans to make changes in a system that lacks justice.

Justice doesn’t protect ethical hackers: is it right to break unjust laws?

Is it right to break unjust laws? The truth with a capital T is that only we can decide how to resolve this question, but please consider that if a law becomes as ineffective as it is unjust, disobeying and transgressing it should be our only choice.

In the same way, rules cannot be arbitrary, nor made to strengthen the power of one person over another: the bureaucracy has the duty to consider the individual when single acts become more significant than any law and contribute to questioning a system that is wrong – or considered unfair. This becomes even more important when a law causes such a break that a change of course in today’s society cannot but follow.

Nowadays – at the time of the publication of Alberto’s book, Login To Hell – this becomes even more important because of what is happening in the world, which puts us in a box.

Hackers, on the other hand – who are naturally undisciplined and reluctant to adapt to schemes – need to think and act freely. Yes, I’m talking about those hackers who built the Internet and whose mission has been, for many years, to free knowledge wherever it was imprisoned.

They built programs, which they wanted to be perfect and wonderful, but their purpose was, and still is, something more than writing interesting programs: it is to do their best in facing challenges and to overcome the limitations imposed, through free and constructive cooperation.

To be honest, I think that the only kind of collaboration provided by the bureaucracy is the one where it has total control over things, which is irreconcilable with the research spirit of real hackers, who are considered a real threat, whoever they are.

However, this doesn’t mean that hackers don’t have their own ethical rules, and in the end it doesn’t mean that we don’t have to make a distinction between good and bad.

Hackers have their own ethical rules

Laws don’t protect Hackers but Hackers have their own ethical rules.

Well, yes, if you are worried about Internet security, you should be, but often the skills gaps in cybersecurity are also repeated in the security system, the same system that should guarantee protection to individuals. And that’s what happened to Alberto Daniel Hill.

So now let’s try to answer the question posed at the beginning and let’s look at it from the hackers’ point of view: are there people out there so knowledgeable about security that they couldn’t be wrong in judging someone? Alberto is one of them, one of those defendants, who deserved prison for his hacking. He was arrested and interrogated; nobody ever told him his rights and he didn’t have a lawyer.

Because the fact is that everyone deserves a defense; every person matters. For some of you, this may be a surprising truth, especially when a high-profile defendant looks truly guilty. At the same time, it is important that justice allows anyone accused of a crime, regardless of what they are and regardless of who they are, to defend themselves in the best possible way.

Alberto tried to help a company that had security problems that could potentially affect thousands of people. He did it randomly, and therefore without permission, but without any economic interest or personal profit and without causing damage.

He did his best to do the right thing and everything turned against him. Not only that: he was hurt with everything they could use against him, guided by statistics, and we must remember that we are all in this trap, whose walls are not yet well defined. Today, after this experience, the result has been to convince him that he will never report a vulnerability like this again, “no matter how serious the problem is”.

The importance of not forgetting

The importance of not forgetting, and of explaining why it is important to do so, lies in the pages of this book, in the hope of being able to help change things in his country, Uruguay, but also in the world. This is a consideration that might seem obvious at first sight, but which on closer inspection is not obvious at all in our contemporary society.

The central problem, in his whole sad and terrible story, is perhaps that reality does not work like the Internet: most organizations – and security systems – do not continue to learn and improve themselves; they only set parameters and maintain them. Most of the time they don’t realize the problem until someone reports it to them, but it may be too late.

And instead of thanking them, all they do is accuse those who have tried to help them in some way. Why? Because the law assumes that no one should try to access a system to which they should have neither access nor credentials. And if you break this law, even if you are a security researcher, you are in a grey area.

It is even worse if you are not a security researcher: you can leave a trace, and that trace – used by a criminal smarter than you – can frame you while the real guilty party remains free, if you – or anybody else – can’t seriously determine what really happened. This happened to Alberto, and this is a gap.

However, the ethical hacker, and not the cracker – whose meaning we have forgotten – knows that there are rules and knows where to stop, what is right and what is not. He knows that it is not enough to write programs that work, but that everything must run as intended and desired. He knows that this is not a simple game, that if he makes a single mistake the entire structure collapses in a few seconds, and this must not happen. It is not a simple game: if you damage a system and bring it to collapse, you block the flow of information from which it benefits; it is the logic of the computer that teaches you this.

However, to defeat a system that does not work, and therefore correct errors and improve the world we live in, we need to know it so thoroughly that we should, as hackers, identify the bugs and get to the bottom of it, undertaking a challenge with the same operating system.

It’s up to you, up to us, to act, so that the revolutionary potential of network technologies can flow and be translated into more democracy, knowledge, equality, opportunities, well-being and innovation, and not the exact opposite.

Once, when I told Alberto that we had to save the world, he replied: “Olivia, there is no spoon”. And it is a lesson that our global society will have to seriously face sooner or later. Action, no more words.

Spoon boy: Do not try and bend the spoon. That’s impossible. Instead… only try to realize the truth.

Neo: What truth?

Spoon boy: There is no spoon.