Who are ethical hackers?

This is a discussion of who ethical hackers are. It is based on work I completed in a uOttawa PhD thesis (2020) on the topic of ethical hacking sociotechnology.

  • An identity and legitimacy crisis
  • A brief history of hackers
  • Hacker ethic
  • Hacker practice
  • The ethics of ethical hackers
  • Key skills of professional ethical hackers

You may also be interested in What do ethical hackers do?

An identity and legitimacy crisis

Ethical hacking as a profession suffers from a stigma stemming from confusion surrounding the identity and legitimacy of ethical hackers. The social stigma surrounding hacking and hackers harms society. The stigma is both a consequence and a cause of an identity and legitimacy crisis: it undermines ethical hacking education (acting as a reinforcing feedback loop: ignorance fuels the stigma, and the stigma leads to ignorance because the topic becomes a taboo), raising crime risk to society. The stigma from confusion surrounding the profession and the roles of professional ethical hackers in organizations and in society can drive down student enrolment in hacking classes and the hiring of expert hackers as instructors and professors within higher education. The stigma is a reputation risk to businesses and higher education and can discourage professors from acknowledging their hacking skills/experience.

Finding an academic who has those skills, they are few and far between. We have to be very careful about our professional standing. There is certain amount of negativity looked at to hacking in general. As a professional, if I say, “Yeah, I built my hacking skills,” “Well, how did you do that? What did you break into?” There’s a certain amount of stigma against hacking, whether it be ethical or not, and so, for an academic to gain the level of skills so they can teach about it adequately is a bit of a challenge. (PPT3 – PhD thesis interview participant #3)

Interview Participants by Area of Expertise (table)

An identity crisis can be understood as a crisis of confusion regarding who professional ethical hackers are and what they do. A legitimacy crisis can be understood as a crisis of confusion regarding the ethics and values of professional ethical hackers, and regarding their value (contributions) to organizations and society at large.

The following social and historical influences contributed to shaping perceptions about the identity and legitimacy of professional ethical hackers.

An appreciation of intellectual and historical influences on the conceptual development of the terms hacking and hackers – and by extension the terms ethical hacking and ethical hackers – from outside of the information security field (from the social sciences and humanities) includes a review of the role of the mass media and law enforcement in changing the original positive connotation of the term hacking from around the late 1980s and through the early 1990s to connote unlawful or criminal acts (Coleman & Golub, 2008; Thomas, 2005), the pioneering historical work of Steven Levy (1984) on hacker culture and hacker ethic (Hackers: Heroes of the Computer Revolution), and an anthropological analysis (taxonomy) of various hacker ethic based on idioms and practices (Coleman & Golub, 2008). Palmer (2001) offers one of the most authoritative conceptions of who ethical hackers are from inside the information security field.

A brief history of hackers

The meaning of the term ethical hacking can be understood in relation to the term hacking, as their history is intertwined. Hacking today “connotes pejorative attempts to gain unauthorized access to computers” (Thomas, 2005, p. 602).

But it wasn’t always this way.

When the term hacking began taking off in the early 1960s, it was used to refer to a group of pioneering computer aficionados at Massachusetts Institute of Technology who “typically had little respect for the silly rules that administrators like to impose, so they looked for ways around” (Stallman, 2001). In the 1960s to the 1970s, a hacker was “simply someone obsessed with understanding and mastering computer systems” (Levy, 1984, p. 602). A hacker (noun) meant,

1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary.

2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. (Palmer, 2001, p. 769)

The term hacker had a positive connotation in the 1980s and early 1990s among computer security professionals. Hackers typically had strong programming and computer networking skills. Some of their job duties were similar to those of today’s ethical hackers (Harper et al., 2011; Harris, Harper, Eagle, & Ness, 2007; Palmer, 2001; Sterling, 1993). The connotation of the term “hacker” would undergo a transformation in the late 1980s and early 1990s (Coleman & Golub, 2008; Thomas, 2005). Thomas (2005) traces the legacy of demonization of hackers to the rhetoric of media and law enforcement of the early 1990s.

In the golden age of hacking (late 1980s and early 1990s), the mass media began to frame criminal hackers as simply hackers instead of the more accurate description of “criminal hackers” thus associating hackers and hacking in the public mind with malevolence and crime. The early 1990s saw the commercialization of consumer-oriented computer technologies, and the rise of computer hacking incidents. “As malware and attacks emerged, the press and the industry equated the term ‘hacker’ with someone who carries out malicious technical attacks” (Harris, 2007, Ethics of Ethical Hacking, para. 27). The mass media began using the term hacker to describe individuals who break into computers for fun, revenge, or profit, instead of the more accurate term of criminal hacker. By the early 1990s, the word hacking had begun acquiring a negative connotation. Hacking and hackers became increasingly associated with computer intrusions and unauthorized telephone calls.

Meanwhile, law enforcement was influenced by a sense of “moral panic” regarding the rise of hacking incidents and began transposing terms used for criminal acts in the physical world to the online world (Thomas, 2005, p. 603). The origins of hacking “were grounded arguably in what the original participants saw as an ethical, even noble, pursuit. However, law enforcement agencies had a different metaphor, setting out on a mission to purify cyberspace from the invading vandal hordes” (Thomas, 2005, p. 603). Legal concepts such as burglary, trespassing and theft, “terms that have a reasonably unequivocal meaning in a world of material objects – became opaque, even absurd, when applied to cyberspace. Yet, prosecutors invariably used such legal terminology in their indictments.” By,

metaphorically invoking images of home intruders and thieves, legal rhetoric manipulated the meaning of hacking behavior to – some might say cynically – demonize the participants successfully. The indictments transformed ‘bad acts’ into formally sanctionable ones by creatively linking the act to more familiar predatory behaviors, such as ‘breaking and entering’ (e.g. US vs Robert J. Riggs and Craig Neidorf, 1990, 90-CR 0070 United States District Court, ND Ill. ED). (Thomas, 2005, p. 601)

In retrospect, the rhetoric of law enforcement and of other ‘moral entrepreneurs’ of the late 1980s and early 1990s can be seen as an example of how the symbolic manufacturing and pursuit of demons can lead to equally demonic excesses that may create ethical transgressions greater than those being controlled. (Thomas, 2005, p. 600)

The response of law enforcement in the golden age of hacking to incidents by computer hackers was “out of proportion to the threat” and reflected a “moral panic.” It focused on selected incidents as “symbolic signposts” and illustrates how hacking “both constituted and reflected ironic ethical ambiguity between the enforcers of the law and those who transgressed it.”

Perhaps the media were taking their cues from law enforcement or perhaps they were experiencing an episode of moral panic themselves, or perhaps the media opted for brevity so they dropped the word “criminal” from what should have been “criminal hacking.” Both the media and law enforcement demonized hacking and hackers and undermined the increasingly important role of hackers and hacking in society. The value of hacking, and by extension teaching students to hack, remains confused. Palmer (2001) writes that since calling someone a hacker was originally meant as a compliment, “computer security professionals prefer to use the term ‘cracker’ or ‘intruder’ for those hackers who turn to the dark side of hacking” (p. 770).

More recent studies have emphasized the original positive connotation of hacking as inquisitive tinkering, “highlighting the hacker ethic’s ability to emancipate its practitioners from the iron cage of late modernity and capitalism” and “recuperating hacking’s tarnished reputation” (Coleman & Golub, 2008, p. 256).

Hacker ethic

The hacker ethic is a philosophy and set of moral values common within hacker culture. The philosophy originated at MIT in the 1950s-1960s. The hacker ethic is related to the concept of freedom of information as well as the political theories of liberalism, anti-authoritarianism, anarchism, and libertarianism.

Levy (1984) offered one of the earliest theorizations of hacker ethic (what hackers thought it meant to be a hacker), particularly in the early decades of computer technology in the 1950s and 1960s. Levy (1984) distilled the hacker ethic into six bullet points:

  • Access to computers—and anything that might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!
  • All information should be free.
  • Mistrust authority—promote decentralization.
  • Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position.
  • You can create art and beauty on a computer.
  • Computers can change your life for the better.

The hacker ethic as retold by McConchie (2015):

1) The “fundamental tenet of the hacker ethic is that information should be free, and that access to computers should be unrestricted” (p. 879); 2) Hackers see the creative reuse and repurposing of technology as a hands-on way of learning about the world and becoming self-directed and self-reliant individuals; 3) Hackers believe that information should be decentralized and authority mistrusted; and 4) Hackers believe that hacking, in itself, can make the world better through the free exchange of information and hacking skills.

The mistrust of authority structures hacker ideas about socialization and self-organization within hacker communities; the community of hackers presents itself as a meritocracy wherein hackers ought to be judged solely on hacking skills, “not bogus criteria such as degrees, age, race, or position” (Levy, 1984, p. 35, cited in McConchie, 2015).

Hacker practice

Coleman and Golub (2008) saw various hacker ethic as representative of the subjective self. In this vein, they conceptualized three liberal moral expressions of hackers and hacking (cultural sensibilities or hacker ethics) revealed variably in the context of computer hacking: Cryptofreedom, free and open-source software, and the hacker underground.

Coleman and Golub (2008) argue that the literature on ethical hacking has tended “towards dichotomous representations of computer hackers as either unhealthy young men engaged in bold tournaments of sinister hacking” or visionaries “whose utopian technological lifestyle has the potential to disrupt the pathologies of capitalism and modernity more generally” (p. 255). This tendency threatens to obscure the cultural significance of computer hacking, they argue, because hacker morality “in fact exists as multiple, overlapping genres that converge with broader prevailing political and cultural processes, such as those of liberalism” (p. 256).

For Coleman and Golub (2008) it is reductionist to ignore the socio-cultural and historical context of hacker practice: breaking the law, and what it means to break the law, are evolving ideas that can only be anchored in and understood within culture, specifically, hacker culture. The authors examined three liberal moral expressions (cultural sensibilities or hacker ethic) of hacking revealed variably in the context of computer hacking. The practices and ethics of computer hacking “afford an exceptional entryway for conceptualizing liberalism as a cultural sensibility with diverse and sometimes conflicting strands” (p. 256).

Coleman and Golub (2008) distinguish between three different, though overlapping, moral expressions of hacking in order to theorize liberalism “as a cultural sensibility closely wedded to what Charles Taylor has called the ‘expressive self’ (1989) that in practice is under constant negotiation and reformulation and replete with points of contention” (p. 256).

An elaborate comparison is made of three modes of hacker practice: cryptofreedom, free and open source software, and the hacker underground. One example within hacker practice was Richard Stallman, the founder of the Free Software movement, the GNU project, and the Free Software Foundation. Stallman was a hacker who “realized his liberal ideals in a technological idiom and he linked his political goals to one of the most popular operating systems among the technical community, UNIX” (p. 263). By comparison, another form of hacker practice, the hacker underground, espouses moral conventions and practices bespeaking “a Nietzschian notion of power and pleasure, and especially a critique of liberalism” (p. 263).

Table 14: Profiles of Hackers

Figure 2: Profiles of Hackers Graph

Other hacker taxonomies

Different types of hackers

Ethical and Unethical Hacking

The ethics of ethical hackers

  • Professional ethics
  • The social context
  • Professional ethical hacking is legal
  • Ethical hackers are trustworthy

Key skills of professional ethical hackers

Ethical hackers typically have “very strong programming and computer networking skills and have been in the computer and networking business for several years” (Palmer, 2001, p. 771).

They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., UNIX or Windows NT) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. (Palmer, 2001, p. 771)

Further, the “best ethical hacker candidates will have successfully published research papers or released popular open-source security software” (Palmer, 2001, p. 772).

Table 9: Hacking Skills Coding Table (Network Penetration Testing)

Table 10: Professional Ethical Hackers Coding Table

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university (2015-04-24T13:40:05Z) [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.

OSINT analyst competency areas

Professional ethical hacking body of knowledge

Social hacking skills

Technical hacking skills

The ethics of ethical hackers

The ethics of ethical hacking

What do ethical hackers do?

Off site resources

Grimes, R. A. (2017). Hacking the hacker: Learn from the experts who take down hackers. John Wiley & Sons.

Haigh, T. (2021). When hackers were heroes. Communications of the ACM, 64(4), 28-34.

The Hacker Ethic: Understanding Programmer Culture