The purported commandeering of a jetliner by an onboard security researcher has set off a heated industry debate over the ethical limits of White Hat hacking. According to White Hat Security founder Jeremiah Grossman, airline companies should design simulated aircraft systems for external security researchers to evaluate.
Grossman told Network World that corporate executives may be somewhat reluctant to participate in such a program, but says he believes they will eventually be more open to collaborating with the security community.
“Their first reaction is only authorized people can test their network. [Yet], Google got over it. Facebook got over it.”
Grossman also emphasized that security researchers should refrain from testing any system they do not own or have written consent to test.
“Otherwise, you’re at the whim of the target,” he adds.
Paul Kocher, the President and Chief Scientist of Rambus’ Cryptography Research Division, told Network World that the controversy over White Hat hacking is further complicated by corporations’ desire to project a public image of safety and security.
“[For example], if I’m operating a service, my financial interest is usually in trying to make my customers feel comfortable, which is not necessarily to disclose accurately what the risks are,” he explained. “If you want to have researchers providing [a certain] level of authentic, unfiltered information – at least when people are doing things badly – it’s going to be challenging.”
Kocher, who acknowledges that hacking has its gray areas, says that Rambus stays “very, very far” within the white zone.
“The question of messing with a flying plane’s avionics is pretty clearly for me in the black area,” he continued. “I see a lot of places where there’s a big debate, but I don’t see this as one where the shades of gray are as nuanced as they will be in future situations that will come along.”
One such area, Kocher says, is the medical device market, where devices must go through a lengthy FDA approval process and must be reapproved whenever any changes are made.
“But that doesn’t fit very well into your zero-day response cycles. How do you patch the Linux install running inside your implantable medical device? We haven’t worked these things out yet, and perhaps we never will. It’s just one of these horribly messy problems that we’ll be struggling with for a long time,” he concludes.