All our sploits have come
Here, but now they're gone
Servers don't fear the hacker
Nor do the cache, the stack or the heap
(We can use ASLR)
Come on newbie
(Don't fear the hacker)
As the Chief Development Officer for an application security and software development company that specializes in cryptography, of all things, it should come as no surprise that I, like many other talented people, am a hacker.
Usually when someone publicly subscribes to this label, they're quick to follow it up with an additional label, such as "white hat". This tendency has the unfortunate consequence that it conditions people (and especially, companies) to believe that there are two or three types of hackers in the world. It doesn't take much of a logical leap to go from this black/grey/white-hat trichotomy towards an adversarial stance against anyone who isn't a perfect match for their personal opinion of what a white-hat hacker should be.
Unfortunately, in my experience, many individuals and businesses sit on the adversarial end of the spectrum, and it makes life difficult for all parties involved in the discovery and disclosure of security vulnerabilities. The consequences of this position reach further than you might anticipate.
It is my hope that anyone who reads this post will realize that hostility towards hackers is mostly pointless and self-destructive and distracts you from very real threats.
Stop Worrying So Much About Hackers
What is a Hacker, Really?
Hackers are people who find inventive solutions to problems. Hackers are not necessarily computer criminals.
This means that both the person who tries to solve the "design a secure public-key signature scheme that doesn't require users to provide a random nonce" problem and the person who tries to solve the "outsmart the credit card processor to steal money from innocent people" problem are both hackers, by definition.
I find the white/grey/black-hat distinction to be, in most instances, meaningless. Hackers are hackers. But most importantly, hackers are people, and people are incredibly diverse.
For example: Typically, when someone contacts you to inform you about a security vulnerability in your application or network, they probably aren't interested in committing crimes or hurting your business (or your customers), even if they were accessing your system and poking around without explicit permission. Though you could technically, in this scenario, file a complaint with the Internet Crime Complaint Center (or your local equivalent, if you're outside the United States) and the resulting prosecution would probably succeed (since the Computer Fraud and Abuse Act forbids "unauthorized access" to a "protected system" which is sort of silly in the context of a publicly accessible Internet), doing so will not make you more secure.
In a different vein: If you're the lead contributor to a popular open source software project on the Internet, and someone suggests that your code might be insecure, responding with disproportionate rudeness will only discourage hackers from trying to help.
What About the Criminal Hackers?
They do exist, but the majority of the malicious-all-the-time hackers lack sophistication. A motivated, sophisticated, and malicious attacker is a somewhat rare occurrence; most computer crime is opportunistic rather than ingenious.
What to Worry About Instead of Hackers?
A much bigger concern for most organizations isn't some malicious computer prodigy armed to the teeth with 0day exploits, it's their own people. Namely, one or more of the following:
- All employees have full access to everything on the network
- Employees bring their own devices and connect them to the network
- Employees take company-owned devices home
- Company laptops do not properly implement full disk encryption, and one gets stolen
- The physical security of the server is questionable (if not outright non-existent)
If someone can walk into your office during business hours and physically steal your server, hackers (malicious or otherwise) are the least of your worry.
A Brief Guide to Talking to the Hacker that Reported a Problem
- Do try to respond quickly (within a week at the latest, within 24 hours if possible).
- Don't make legal threats; they only show poor form.
- Do expect the hacker to eventually want to publish their findings publicly.
Don't demand "responsible disclosure"; do feel free to request "coordinated disclosure" with a reasonable time line.
- The qualifier "responsible" is opinionated, and often the responsible course of action is to immediately publish one's findings on Full Disclosure.
- Unless you have a bug bounty program that they are participating in: You don't owe the hacker anything. At the same token, they don't owe you anything (more time to deploy your patches, proof-of-concept code, etc.) either. Request, but never demand.
If you follow the above guidelines, you'll find that most hackers that are enthusiastic about information security are extremely helpful and cooperative. They're also usually much more sophisticated than most attackers, and you can often learn a lot from their advice.
The Internet has a thriving community of hackers of various backgrounds, skill-sets, and motivations. Very few of them are probably interested in attacking you or your business. Don't fear the hacker, try to understand them!