The idea that hacking is benevolent is a novel concept. If I apply this to a burglary, it means the criminal is doing me a favor by smashing my windows and breaking into my house. That way, I buy stronger windows. Then the burglar buys a bigger hammer. Where does it end?
Your "script kiddie" caused economic damage. You are rewarding him with publicity and advocate giving him a job in return for criminal activity. How about this for a solution: All convicted hackers are placed in a database. No one in the computer industry will hire anyone who appears in said database and no one in the industry will do business with any software company that employs an individual appearing in said database. I bet this would end software hacking in a hurry.
K.D. Neltnor
Director of Engineering, Dukane Corp.
I'm not advocating that convicted hackers—even script kiddies—should not be punished. Instead, I'm suggesting the age-old idea that the punishment fit the crime. If you can foil current security measures, a portion of your punishment should be to use your skill to create a more secure system. Is this really that much different than the current legal system of plea bargaining?
Benevolent hackers exist in far greater numbers than their dark counterparts. Try visiting www.2600.com. For more on this discussion, visit the WSD forums page: www.planetee.com/Forums/categories.cfm?catid=6. Select "How Best To Punish Young Hackers."—JB
HACKERS SHOULD BE PUNISHED I would like to draw a parallel to your presentation. In this case, it is armor. Everyone has his or her armor and there are some "hackers" out there with cleverly and sometimes crudely designed spears or hooks that they use to get past our armor. In some cases, people lose their lives. But usually they only suffer maiming or a little bloodletting. You are suggesting that these "hackers" get recognition and acclaim for successful attempts. I, on the other hand, do not revere them for their unfriendly attempts to cause pain and damage. They have little regard for the property of others and are only interested in seeing what damage they can inflict.If there are people that would like to HELP by showing where the defects are in our armor, they should approach the armor wearer and suggest that they demonstrate the weaknesses while the person is not wearing the armor. In other words, if the hacker contacts an organization and lets them know that there are weaknesses that he or she can reveal and could demonstrate for them, that person may reap a reward for providing a service.
I do not believe there is any good excuse for creating a virus that causes loss of services. Please do not make the excuse that the armor wearer may have been alive today if he had better links to defend himself from the teenager who ran a sharpened coat hanger through him.
Bob Brackett
Test Engineer, Hi-Speed Checkweigher
(a division of Mettler Toledo)
Hi, Bob. I fully agree that hackers (especially malevolent ones) should be punished with prison time, financial penalties, and job restrictions. But our government and many IT organizations seem incapable or unwilling to safeguard against even the simplest of attacks. So why not consider a solution that benefits the victim while punishing the attacker? Let me use your example: Here, the hacker must use his/her skills to design a better suit of armor. If the hacker fails, he/she dies or is sent to prison. If the hacker succeeds, he/she will have a much greater appreciation of the harm that has been done. Plus, the defender gets a much better system of protection.
Certainly, this approach would not work in all cases. Hardened hackers must be put away for a long time. But when was the last time anyone caught a truly malicious hacker? You don't catch these guys, but you can make their livelihood a lot tougher by including all possible viewpoints and experiences (from both non-malicious hackers and respected IT experts) into the security solution. The last thing you want to do is turn a potential asset (e.g., talented kids who enjoy hacking) to the dark side.
Let me make one more comment concerning your suggestion to approach the armor wearer with recommended improvements in their design. This just doesn't work! Recall the young man who tried to demonstrate the weaknesses in U.S. airline security by smuggling a box cutter onto a domestic flight. Were his efforts appreciated? No. He was charged as a criminal and the security weaknesses remain. The same is true with most corporate IT departments. I personally believe that a National Hackers Society (NHS) is not only do-able, but badly needed.—JB