Skip to content

Ethics and Morally Ambiguous Security Pursuits

Most cybersecurity professionals understand moral ambiguity. Just ask Marcus Hutchins, the “accidental hero” who stopped the WannaCry ransomware attack in its tracks.

Hutchins was working as a security researcher when he discovered a critical flaw in the malware — its kill switch. Not long after, he was indicted on federal charges related to his previous work as a malware developer on HackForums – a bustling collective of young hackers.

Thankfully, Hutchins was eventually cleared of all charges. But his story highlights the murky ethical landscape that many security researchers operate in.

On one hand, companies and individuals are better off when security researchers find and disclose vulnerabilities. On the other hand, some researchers find – or develop – exploits to sell on the dark web. For budding cybersecurity researchers, it’s not always clear where the line is.

After reading Hutchins’ story, I thought a lot about the nature of communities. Communities in the Internet age, specifically, and how they can lead us to the best things the Internet has to offer, or to the worst corners of others’ minds.

Take YouTube, for instance – its algorithm is designed to serve content that pushes users deeper into a specific topic, often toward morally questionable content. The same is true of TikTok, Facebook, and a slew of others. This subconscious manipulation is one of many reasons why it’s so difficult to find a like-minded community where you can collaborate and learn.

Hutchins didn’t need an algorithm to push him into the dark side. He found it while poking around a young hacking forum. Pretty soon, he would go from admiring malware to building his own, with increasingly dark results. Eventually, Hutchins built his own community, amassed followers on the order of tens of thousands, and attracted the attention of Kryptos Logic. And thus began his white-hat path toward neutering WannaCry.

“There’s [a] misconception that to be a security expert you must dabble in the dark side,” said Hutchins. “It’s not true. You can learn everything you need to know legally. Stick to the good side.”

I can only wonder how much more good Hutchins could have done had he found the “good side” long ago. Or, how much good current black-hat hackers could accomplish with encouragement from the right community.

The Modern Security Researcher’s Tribe

In the early days of hacking, only a handful of people could exploit vulnerabilities and gain unauthorized access to systems. These individuals were self-taught, like Hutchins, and their skills were not widely known or understood. As the Internet grew, more and more people became interested in hacking culture, sharing their knowledge and developing new techniques.

It’s a constantly evolving field.

Researchers used to be seen as “lone wolf” operators, working in isolation to scratch an intellectual itch. But the cybersecurity profession has undergone a dramatic transformation in recent years. Today’s security researcher is less likely to be a lone wolf and more likely to be part of a team, working together to uncover critical vulnerabilities and exploits (CVEs) and develop solutions. They are also more likely to use sophisticated tools and techniques to find vulnerabilities in systems. And thanks to the power of the Internet, they can reach a global audience with their findings.

This shift has been driven by the increasing complexity of attacks, which require greater levels of expertise to defend against. Security research is now an essential part of the modern IT landscape, and it is only going to become more important in the years to come.

One thing is certain, though: The work of security researchers has a profound impact on society. They are the ones who find the vulnerabilities that can be exploited to cause massive damage – like WannaCry. But the vulnerabilities they find could just as easily end up in the hands of bad actors who are intent on ripping off people and/or harming critical infrastructure.

The job is a delicate balancing act, one that requires a great deal of responsibility.

It’s important to remember that security researchers are not immune to the same biases and motivations that affect everyone else. They need support, and people to hold them accountable when they come across that ethically dubious line.

There’s no question that security research is a vital part of keeping our online world safe. But where do these researchers thrive? In what types of environments do they do their best work?

For many security researchers, it’s all about the community. It’s here where groups of like-minded individuals share information and ideas. And there are numerous online forums and newsletters where they can share ideas, debate techniques, and collaborate. In addition, there are conferences and in-person meetups to discuss the latest trends and challenges.  

By working together, they can pool their knowledge and resources, making it easier to identify and neutralize threats. In addition, the security research community provides a supportive environment for new researchers, helping them to develop the skills and knowledge that they need to be successful.

Today, the security research community is vast and diverse. It includes individuals from all walks of life, with varying levels of expertise. Some security researchers are full-time professionals, while others are hobbyists or students. But regardless of their background or experience, they all share one common goal: to find and report CVEs. That’s why we developed vsociety – for security researchers to share CVEs and gain communal support.

Of course, not all security researchers need or want to be part of a community. Some prefer to work independently, researching new vulnerabilities and developing innovative new solutions to exploits. For these researchers, the lack of community involvement can actually be a benefit, as it allows them to focus entirely on their work as they see fit. And, for that matter, not every community offers consistent, genuine support.

Take Twitter, where many security researchers gravitate due to a lack of good online communities. Twitter can be a great source of support, but it can also be a breeding ground for new threats. In recent years, we’ve seen several cases of hackers on Twitter developing and releasing malware that caused real-world damage.

Yes, social media intelligence can be a valuable asset for gathering insights on threats or contextualizing current research. But the information found on Twitter needs a thorough scrubbing for veracity and reliability.

Why? Because Twitter is rife with fake news and content disguised to harm organizations or people. The proliferation of misinformation requires security researchers on Twitter to always use keen judgment. But some activities on social media can fall in a gray area; meaning they may be illegal in certain jurisdictions but do not violate Twitter’s terms of service. If a security researcher runs with such information, they could be compromised..

Indeed, it’s more important than ever to find a cybersecurity community that nurtures “good faith” vulnerability hunting. After all, we’re on the verge of the new age in security research…

A New Catalyst for Good Emerges

Security researchers work tirelessly to find vulnerabilities in software and systems, and they report these bugs to the appropriate parties so they can be patched. Many of these researchers also participate in bug bounty programs, which offer rewards for finding and reporting security vulnerabilities. In other words, they get paid to hack systems and find weaknesses. Without security researchers, we would be living in a much less safe and secure world.

While bug bounties can be a great way to crowdsource security testing and build goodwill with the bug-hunting community, it can also be great for adding a misdemeanor (or worse) to your record. The good news is that the U.S. Justice Department recently directed prosecutors not to go after hackers under the Computer Fraud and Abuse Act (CFAA). But only if their reasons for hacking are ethical. Ethical reasons include bug hunting, disclosing CVEs responsibly, and above-board penetration testing.

This is huge news.

While some believe the new policy doesn’t go far enough to protect individual bug hunters, it does provide more freedom for security researchers to find and report CVEs without the fear of legal repercussions. Still, individual security researchers must mind the ethical gap. If they unwittingly cross a muddled line (made even more indecipherable by the policy’s bureaucratic speak), they could be met with legal consequences—making it all the more important for security researchers to learn how to apply caution and ethics in their bug hunting.

A Tribe Called Home

“In my career I’ve found few people are truly evil, most are just too far disconnected from the effects of their actions,” wrote Marcus Hutchins. “Until someone reconnects them.”

A good community – if it does its job well – can reconnect even the most ethically disconnected individuals. But it’s essential for everyone – from individuals to companies to government agencies – to do their part to improve cybersecurity. Whether it’s investing in better security tools or simply being more careful about what information is shared online, we all have a role to play. Our role is in building a community that security researchers may turn to for education, collaboration, and thought leadership.

As technology advances, so must the methods used to protect our data. Cybersecurity professionals are constantly working to stay ahead of hackers by developing new security measures and techniques. At the same time, security researchers are working just as hard to identify potential vulnerabilities in these systems so that they can be addressed before they can be exploited. As security professionals, we are constantly trying to stay ahead of the latest threats and vulnerabilities. We need to be able to quickly identify attacks, respond to them, and prevent them from happening again. To do this, we rely on security researchers who help us understand how attackers operate and what new techniques they are using. It is a never-ending race, but it is one that is essential to the safety of our digital world. And in today’s digital landscape, community plays a pivotal role in driving security researchers toward “good faith” vulnerability hunting.

There will be plenty more people like Marcus Hutchins. Some of whom discover the “dark side” and transition over to the “good side.” And others who discover the “dark side” and remain. With positive support from the right community, we can better steer the Marcus Hutchins’ of this world over to the good side of security research.

#security #community #ethics #hacking #hackers

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.



Click one of our contacts below to chat on WhatsApp