Those of us in the biz know the difference between hacker, cracker, attacker, and so on. Those outside of the biz, not so much. As an example of this point, let's turn to a recent ruling from the US District Court for the State of Idaho.
First some background. The Battelle Energy Alliance (Battelle) is the company that manages and operates the Idaho National Laboratory (INL). INL was involved in an initiative to develop “Sophia,” which is software “aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks.”
Battelle wanted to license Sophia, which was taxpayer-funded through the US Department of Energy. Sophia developer Corey Thuen wanted the program to be open-source. Thuen eventually left INL, founded Southfork Security, and developed a program called “Visdom.” Visdom is functionally similar to Sophia in that it identifies new communication patterns on Incident Command System networks.
So Battelle files suit against Thuen, alleging that he stole Sophia and violated agreements and blah blah blah. The Court ordered the seizure and imaging of Southfork Security hard drives on this basis: (pdf)
The Court finds it significant that defendants are self-described hackers, who say, “We like hacking things and we don’t want to stop.” …
The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates. …
The tipping point for the Court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. (underline added) And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer. For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.
Battelle asserts generally that defendants who have the technical ability to wipe out a hard drive will do precisely that when faced with allegations of wrongdoing.
This seizure and imaging was ordered without prior notice to the accused.
For the most part there's nothing extraordinary here. Developers move on to new projects and some of those new projects end up being similar to prior projects and there are lawsuits. Southfork might even be guilty of the allegations. This post doesn't care about any of that. This post cares about the use of the term “hacker.”
What does “hacker” mean to you? Merriam-Webster says a hacker is “a person who secretly gets access to a computer system in order to get information, cause damage, etc.” The Free Dictionary has multiple definitions, including “One who is proficient at using or programming a computer; a computer buff.” Your humble Chief Blogger defines a hacker as someone who wants to learn in unconventional ways. Tim Ferriss is a body hacker. Myth busters are myth hackers. Everyone who plays with Raspberry Pi is a hacker.
We're pretty good at hacking things. The idea is:
- Identify what you want looked at
- We hack it
- You fix it
Your customers love you and you gain a little bit more peace of mind. We wouldn't mind bringing your people in to participate and see first-hand how an attacker views your system. We'd love to train ourselves out of a job.
Based on the context found on the Southfork website, we can assume that Southfork employees labeled themselves as “hackers” to promote the security testing they provide for clients. This was a marketing claim; they weren't labeling themselves as bad guys. And if they hadn't called themselves hackers, would the Court not have realized that the Southfork Security defendants would still have the capability to destroy evidence on the hard drive? A security specialist can do that as well as a hacker.
What do you think about all this?