The Hacking Quandary

Is the cause always noble? And what happens when it’s not?

This summer, two different events affected two different worlds. First, Milan-based Hacking Team — a small group of programmers who customize malware to gather intelligence — was itself hacked, and more than 400GB of its internal data was leaked. A few days later, a South Korean intelligence officer who had been implementing tracking software killed himself, and his suicide note allegedly referred to Hacking Team. As a result, many professionals in software development and espionage are pondering their future.

Ever since the stories broke, security researchers and journalists have been combing the leaked data to identify the technical methodologies adopted by this secretive organization. Vulnerabilities have been discovered and quickly integrated. However, the implications of these events are far greater.

Hacking Team is not the only player in this field, and their customers are not all upstanding corporations. These services are marketed to everyone, including law enforcement agencies and governments that may engage in political oppression and have unsavory human rights records. And there’s more.

These episodes fit into a broad pattern of uncomfortable unity between the private and public sector. It began with tools designed by commercial entities for competitive intelligence gathering being put to work against political enemies to subvert democratic processes. Now, they’re being designed for that purpose. And of course, none of this happened overnight.

Back in 2002, AT&T technician Mark Klein found documents that showed the National Security Agency (NSA) was working with major telecoms to soak up massive amounts of email, search and other Internet records from more than a dozen global and regional providers. The process was being facilitated by a device known as the Narus STA6400, which had been installed in a secret room within the AT&T location responsible for coordinating the backbone traffic of the global Internet. (Narus Inc. was a subsidiary of Boeing.) In 2006 Klein became an official whistleblower against AT&T and the NSA; years later, Edward Snowden gave a name to this program: PRISM.

In 2003, meanwhile, Hacking Team got going; its primary product was created to collect information: websites visited, screenshots, video and audio, Geo-IP coordinates, etc. As the company found an audience, other firms stepped up with competitive offerings. Some of those technologies inevitably made their way into the arsenal of law enforcement agencies here in the U.S., and that’s how we get to some of the ethically ambiguous issues.

First, the technologies come with confidentiality restrictions so stringent that they mandate the withholding of information from even other government officials. As a result, there are documented examples of serious criminal cases being dropped, specifically to prevent disclosure of the technologies used to conduct the investigation.

Next, there’s the inescapable irony. Much of this information has become public only through the efforts of the team that breached Hacking Team’s servers, and other such initiatives. This means hackers are hacking hackers for the purpose of exposing the secrets of those who are in the business of exposing secrets. Where does it end?

Moving forward, the cause may be noble, at least in some cases — fighting cybercrime, preventing terrorism. But can usage be contained to causes that truly are noble?

Finally, we need to ask: If companies that use software exploits to compromise targets in the public interest come to learn that other, less savory individuals are using the same exploits for ignoble purposes, do they have an obligation to disclose the problem?

Let’s hope we don’t have to wait till the next big data dump to find the answer.