DON'T PUT A SPIN ON HACKING
I read your article in the November/December issue of Wireless Systems Design ("Balance Hacker Crime And Punishment," p. 15). You are way out on a limb here, dude. Hackers appear to be motivated solely by the recognition and publicity that their viruses generate. The idea that they are concerned professionals desperately trying to demonstrate security flaws in software to an unsuspecting public is ludicrous. Their activities are designed to generate as much damage (read that as publicity) as possible. Too many ex-hackers have used the publicity gained from their activities as a quick ticket to a job. What you advocate is redefining criminal activity as benevolence.
The idea that hacking is benevolent is a novel concept. If I apply this to a burglary, it means the criminal is doing me a favor by smashing my windows and breaking into my house. That way, I buy stronger windows. Then the burglar buys a bigger hammer. Where does it end?
Your "script kiddie" caused economic damage. You are rewarding him with publicity and advocate giving him a job in return for criminal activity. How about this for a solution: All convicted hackers are placed in a database. No one in the computer industry will hire anyone who appears in said database and no one in the industry will do business with any software company that employs an individual appearing in said database. I bet this would end software hacking in a hurry.
Director of Engineering, Dukane Corp.
Hi, Mr. Neltnor. Am I really out on a limb? Gnarly, dude! <grin> There are certainly plenty of hackers that fit your description (i.e., out to cause as much damage as possible). These folks should be punished to the full extent of the law. But did you know that reformed burglars as well as hackers have helped develop some of the most effective security measures for home and Internet safety? Hackers in the wired or wireless world understand how to breach security. These are the people you want to include in the creation of a robust security system.
I'm not advocating that convicted hackers—even script kiddies—should not be punished. Instead, I'm suggesting the age-old idea that the punishment fit the crime. If you can foil current security measures, a portion of your punishment should be to use your skill to create a more secure system. Is this really that much different than the current legal system of plea bargaining?
Benevolent hackers exist in far greater numbers than their dark counterparts. Try visiting www.2600.com. For more on this discussion, visit the WSD forums page: www.planetee.com/Forums/categories.cfm?catid=6. Select "How Best To Punish Young Hackers."—JB
HACKERS SHOULD BE PUNISHED
I would like to draw a parallel to your presentation. In this case, it is armor. Everyone has his or her armor and there are some "hackers" out there with cleverly and sometimes crudely designed spears or hooks that they use to get past our armor. In some cases, people lose their lives. But usually they only suffer maiming or a little bloodletting. You are suggesting that these "hackers" get recognition and acclaim for successful attempts. I, on the other hand, do not revere them for their unfriendly attempts to cause pain and damage. They have little regard for the property of others and are only interested in seeing what damage they can inflict.
If there are people that would like to HELP by showing where the defects are in our armor, they should approach the armor wearer and suggest that they demonstrate the weaknesses while the person is not wearing the armor. In other words, if the hacker contacts an organization and lets them know that there are weaknesses that he or she can reveal and could demonstrate for them, that person may reap a reward for providing a service.
I do not believe there is any good excuse for creating a virus that causes loss of services. Please do not make the excuse that the armor wearer may have been alive today if he had better links to defend himself from the teenager who ran a sharpened coat hanger through him.
Test Engineer, Hi-Speed Checkweigher (a division of Mettler Toledo)
Hi, Bob. I fully agree that hackers (especially malevolent ones) should be punished with prison time, financial penalties, and job restrictions. But our government and many IT organizations seem incapable or unwilling to safeguard against even the simplest of attacks. So why not consider a solution that benefits the victim while punishing the attacker? Let me use your example: Here, the hacker must use his/her skills to design a better suit of armor. If the hacker fails, he/she dies or is sent to prison. If the hacker succeeds, he/she will have a much greater appreciation of the harm that has been done. Plus, the defender gets a much better system of protection.
Certainly, this approach would not work in all cases. Hardened hackers must be put away for a long time. But when was the last time anyone caught a truly malicious hacker? You don't catch these guys, but you can make their livelihood a lot tougher by including all possible viewpoints and experiences (from both non-malicious hackers and respected IT experts) into the security solution. The last thing you want to do is turn a potential asset (e.g., talented kids who enjoy hacking) to the dark side.
Let me make one more comment concerning your suggestion to approach the armor wearer with recommended improvements in their design. This just doesn't work! Recall the young man who tried to demonstrate the weaknesses in U.S. airline security by smuggling a box cutter onto a domestic flight. Were his efforts appreciated? No. He was charged as a criminal and the security weaknesses remain. The same is true with most corporate IT departments. I personally believe that a National Hackers Society (NHS) is not only do-able, but badly needed.—JB