Where do I start? *sigh*
So I recently found a nasty bit of email in my inbox. It seems a particular infosec professional has taken offense to me sharing how to hack APIs with the community. I’m not going to call him out here. That isn’t fruitful or the point. But calling me out as a hacker in a pejorative way completely misses the point and offers me the opportunity to educate him (and the community) on what hacking is really all about.
At least from my perspective anyways.
I want to raise awareness about the weaknesses in API security. Not to empower bad actors; they already know how to do this stuff. My goal is to continue good faith research that helps to find vulnerabilities before real threat actors do, and show you how to do it too.
Let me be clear. Hacking is NOT a crime. Hackers aren’t criminals. Criminals are criminals.
And I want to make sure you understand the difference.
A bit of backstory
It was the early 80s. I had my first Commodore VIC20 and I got my hands on a 300 baud modem. (Ya, I’m that old.) I ripped the hand receiver off the phone, plugged the remaining cable into the modem, and manually dialed my first BBS. Software didn’t even exist yet to let the computer dial the target. Matthew Broderick had it easy.
While everyone was dialing into Compuserve, I was calling long distance to a rogue board down in the USA. I met my first hacker, a sysop going by the handle g0d. A strange deity-like character, but one that opened my eyes to the real potential of making computers do interesting things. He gave me access to the entire platform; I had access to resources developers were sharing that I’d never seen before that made the Basic programming language seem antiquated. Users were sharing text files with tons of phone numbers of interesting places that accepted calls from computers. It was a treasure trove of sensitive information that I had access to.
I was way over my head
I quickly learned, though, that I was over my head; I still had a lot to learn. I was aware that my account was letting me in the front door, but I had no clue what new opportunities this system would expose me to.
It would only be years later that I understood the sensitive data I had access to.
The Computer Fraud and Abuse Act becomes a thing
Fast forward a few years, and a few upgrades later. The Computer Fraud and Abuse Act (CFAA) is released in the USA. While many of us are skilling up and learning how to write “more interesting” code, most users are careful about sharing their security research in mixed company. While most of us are hacking out of curiosity and an intense passion to learn, there are some who are exploiting vulnerabilities and publishing stolen data.
It’s around this time that John McAfee released VirusScan, one of the first commercial antivirus programs. Computer crime is a thing. And a business opportunity for some. Hackers are becoming criminals. Or CEOs.
Same thing, right? OK, maybe not.
Time to hide in plain sight
It’s around this time I realize identifying as a hacker is becoming risky. The media is starting to bind the terms hacker and criminal as synonyms. While no one around me even knew I was lurking in the digital underground, I decided then and there I would not let the real world know I was a hacker… because they just wouldn’t understand.
And for decades, I was right.
Hackers vs Cybercriminals: It’s all about ethics and legality
Fast forward through the 90s. Movies like Sneakers and Hackers perpetuated the stereotypes. It created polarity in society with the idea of whitehats vs blackhats. There were good hackers. And bad hackers.
Great movies. But they did little to help our cause. Where movies like WarGames inspired the creation of the CFAA, these movies got the Justice Department up in arms. Policy makers were sure binary bullets would kill them all. It was ridiculous.
It makes me laugh when I think back to how agents looked at the Hacker’s Manifesto in the movies. Contrary to their mischaracterization, being a hacker is an identity, lifestyle, and mindset.
Curiosity is NOT a crime. But unethical behavior is. And this is where the line really SHOULD be drawn.
I support HINAC. I think they do a great job summing this all up:
There’s a subtle distinction between ethics and legality that falls into four categories: ethical/legal, ethical/illegal, unethical/legal, and unethical/illegal. We do not under any circumstance condone or support unethical/legal or unethical/illegal acts. We do, however, condone and support ethical/legal acts and seek to reform policies which criminalize ethical/illegal acts.
We therefore assert that all hackers are implicitly ethical. It is not just the motive by which our persona should be characterized, it is the intent by which it should be. Hacking therefore, should not be a crime because hacking is NOT a crime. It is an ethical endeavor of exploration and problem solving that must be decriminalized for the betterment of society.
Source: http://www.hackingisnotacrime.org (HINAC)
Expanding on the Hacker Ethic
The Hacker Ethic supports many of the beliefs of HINAC. The belief that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise, is something I subscribe to.
Hence this blog.
Where I diverge is how I think about hacking systems I do not own.
The Hacker Ethic holds that system-cracking for fun and exploration is ethically OK as long as the cracker commits no theft, vandalism, or breach of confidentiality. In this day and age, I just don’t concur.
It’s more nuanced than that.
We live in a world that is so accessible via the web. I have real concerns with hackers approaching production systems of organizations that they don’t have good relationships with. A vulnerability improperly tested in an API attack can have cascading effects that impact millions.
When this happens, many organizations get defensive and we start to hear about legal teams getting involved. Not good.
The introduction of safe-harbor programs and VDPs
We have to act more responsibly with our API traffic. Thankfully, the industry is coming around and starting to put process and policy in place so we can have safe-harbor programs to protect us, and the company. Added to a properly documented Vulnerability Disclosure Program (VDP), we get clear guidance that demarcates what is in and out of scope when it comes to API security testing.
There isn’t a need to have blurred lines in what we can hack, and how we create our API attacks. We can stay in compliance and look for vulnerabilities in areas of third-party apps that have API security concerns. We can properly report our findings and offer our web app and API penetration testing services to help developers secure APIs without concern of legal recourse.
At least, most of the time.
Cyberspace is changing – “good-faith” hacking is a thing
Even with safe-harbor and VDPs, there have been instances where front-line staff inside the companies under test had little awareness of the value of API security testing.
Sending in a report with the appropriate data (PoC exploits, PCAPs, etc.) can trigger some “interesting” responses.
I know several hackers who keep silent on what they find, for fear of repercussions and threats of lawsuits.
Luckily for us, in May of 2022 the US Justice Dept. announced that ‘good faith researchers’ will no longer face hacking charges. DoJ officials said attorneys should not bring charges when “good faith” researchers exceed “authorized access”, a vague phrase from the CFAA that has been interpreted to cover such routine practices as automated downloads of Web content.
The guidance defined good faith to mean API security research aimed primarily at improving the safety of sites, programs or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure or exploitation of a security flaw.
Now comes compensation to drive the right behavior
Of course, a good bug bounty platform like HackerOne or Bugcrowd helps companies explain the services they are open to having tested, and how they may compensate security researchers who follow responsible disclosure and report their findings.
So good-faith hacking can become a profitable (and legal) operation. And researchers are raking in millions.
My pet peeve: the term “ethical hacker”
Before I close out this article, I want to address one last thing.
While things like HINAC and bug bounty platforms have started to change society’s view of what a hacker is in a positive way, it drives me nuts that some think we have to put the word “ethical” before the term hacker.
You don’t go and see an “ethical doctor”. Or get your teeth cleaned by an “ethical dentist”. We don’t need the prefix because we implicitly trust their intent is good.
I believe hackers are good too. Thus hackers are implicitly ethical. We don’t need the prefix.
When someone isn’t acting ethically while hacking, they’re a criminal.
API hacking is not a crime. It’s a good faith research activity that should be encouraged and compensated.
The industry is coming around. We no longer need to hide in plain sight. We exist to help make cyberspace a safer place.
Decades later, when IRC is basically dead and the digital underground has dug deeper into the dark web, I think it’s about time we come up for air.
I believe that information-sharing is a powerful positive good, and that it is my ethical duty to share my experiences and expertise. Doing so helps application security get better, so the apps you and I use in our daily lives become safer and more secure.
If you don’t like it, byte me. 🙃🤣
Ummm… let’s re-state that a bit “softer” with some respect and empathy…
If you don’t like it… feel free to stop reading my blog. Just remember…. your competitors and adversaries will continue to do so.
Still with me? Awesome! Thanks for continuing to be here. You’re my kinda peeps.