Reading excerpt
When my son's kindergarten teacher asked what his father does for a living, he explained: "He steals things, but it's fine, because people pay him to do it."
My son was right.
I am a hacker, and I manage a team of hackers. We spend all day looking for ways to force our way into any device that can connect to the internet, such as servers, ATMs and light bulbs, trying to get at information that was never meant to be seen. If we get to that information before the criminals do, we have done our job.
Just as doctors or lawyers take pride in the work they do, I take pride in the work I make my living from. Recently, however, the Texas Department of Motor Vehicles took a critical attitude toward my profession. I bought vanity plates for my car, and the agency promptly confiscated them, claiming that a plate reading "HACKING" endorsed illegal and criminal activity.
Although this reaction is really not the fault of the well-meaning municipal employee who confiscated my plates, it shows how a deeply rooted misreading of my profession has produced mistaken perceptions and stereotypes.
The way Hollywood and the security industry itself portray hackers has helped make the word "hacker" a synonym for "criminal". Hackers are often depicted as hooded figures pounding keyboards in dark rooms while engaged in illegal activity, and they are almost always male. In recent years, the television series "Mr. Robot" and the film "Ocean's 8" have introduced female hacker characters, but unfortunately the stereotype of the male hacker still prevails.
These stereotypes do not apply to most hackers in the security industry. Hackers are not social outcasts who work alone. I have been doing hacking work for more than 30 years, and I do not wear hoodies. Some hackers even choose to wear suits to work. Also, spoiler alert: women hack too. Offensive security culture is inclusive by nature: this line of business is one in which companies hire more capable hackers to find the organization's breaking points before criminals act. Testing a company's security and coming up with creative ways to break into it requires diverse teams and diverse ways of thinking.
The modern usage of the word "hacker" was coined on the campus of the Massachusetts Institute of Technology in the 1950s. For many years afterward, a hacker was defined as an expert in programming and problem-solving with computers, someone who could extend what computers and computer programs were originally designed to do.
Hacking is an activity, and what usually separates any activity from a crime is having permission. People have the right to drive freely, but not the right to drive at 150 miles per hour; that is reckless driving, a criminal offense. Bankers may transfer their clients' money, but doing so without permission is embezzlement. You have never heard of anyone being arrested merely for being a stockbroker, because nobody is charged for choosing a career in finance, but they will be arrested if they engage in illegal activity such as insider trading.
Thanks to security researchers' hacking activity, vulnerabilities in a new version of the most widely used Wi-Fi encryption standard were discovered in 2019, so that criminals could not use them to break into home and business networks. Conversely, just the month before, criminals discovered an unknown vulnerability in Google's Android operating system ahead of security researchers, giving the bad guys full control over more than a dozen phone models.
Hacking is not inherently a crime. Someone who engages in illegal hacking should not be called a "bad hacker" but a "cybercriminal", "threat actor" or "cyberattacker". Hackers are security professionals like me and my IBM team who look for vulnerabilities, hoping to find the weak points in our computer systems before criminals exploit them.
Computer criminals fall into two categories: "black hats" and "gray hats". A black hat breaks in with malicious intent (such as espionage or data theft), exploiting vulnerabilities for financial or personal gain. A gray hat is someone who may have no malicious intent but breaks into a system without permission. Whether a given criminal is a black hat or a gray hat describes only the motivation behind what has already been established as illegal activity.
Along the way, the security industry also brought in ethics to help justify hacking, giving us the title "ethical hacker" and adding an artificial protective layer to a profession that began in the 1950s. Unfortunately, even security certifications put this adjective in front of their names. We cannot and should not blame the public for calling us ethical hackers, but let me ask: does it sound right to introduce someone as an ethical stockbroker? What about an ethical engineer or an ethical professor?
Hackers play a key role in keeping companies and individuals safe. A hacker who fails to do the job properly is in effect letting a company believe it is wearing a bulletproof vest when it is actually wearing cashmere. At IBM, one of the things my X-Force Red team does is attack autonomous self-driving cars, planes and trains, so as to make sure every possible security vulnerability is found and corrected before each machine ships. Imagine what terrible things could happen if security flaws in these vehicles were not found and corrected before they left the factory.
The misreading of the word "hacker" not only harms the offensive security industry but also distorts legislators' understanding and perception of all hackers. The Computer Fraud and Abuse Act, for example, relies heavily on the word and on the misunderstanding of it. For society to have open and productive discussions about security research and penetration testing, we need to clarify who hackers really are and what they do. Many of the government officials I have spoken with understand this. Others choose to confiscate my license plate.
When asked what his father did for a living, my son explained to his kindergarten teacher that “he steals things, but it’s O.K. because he gets paid to do it.”
He wasn’t wrong.
I’m a hacker, and I run a team of hackers. We spend our days discovering ways to break into anything that can connect to the internet—servers, automated teller machines, light bulbs—in an attempt to access information that was never meant to be seen. If we get to it before a criminal does, then we’ve done our job.
I’m proud of what I do for a living, just like doctors or lawyers are proud of the work they do. The Texas Department of Motor Vehicles, however, recently took a critical stance on my profession. When I purchased vanity plates for my car, the agency was quick to take them away, claiming that a license plate displaying “HACKING” endorsed illegal and criminal activity. While this reaction really isn’t the fault of the well-intentioned municipal employee who took away my license plates, it’s a symptom of how a deeply rooted misrepresentation of my profession has created flawed perceptions and stereotypes.
The way that hackers are depicted in Hollywood and by the security industry itself has contributed to the word “hacker” becoming synonymous with “criminal.” Hackers are often portrayed as hooded figures in dark rooms who are engaged in illegal activity while jabbing at keyboards and are almost always male. In recent years, television shows like “Mr. Robot” and movies like “Ocean’s 8” have introduced female characters as hackers, but the male hacker stereotype unfortunately prevails.
The stereotypes don’t apply to most hackers in the security profession. Hackers aren’t social pariahs who operate in silos and work alone. I have been a hacker for over 30 years, and I do not wear hoodies. Some hackers even choose to suit up for the job. And—spoiler alert—women hack too. Offensive security culture is innately inclusive: This is a business in which companies hire hackers to outsmart them, to find an organization’s breaking point before criminals do. Testing a company’s security and coming up with creative ways to hack into it is something that requires diverse teams and diverse mind-sets.
Back in the 1950s, the modern use of the term “hacking” was coined within the walls of the Massachusetts Institute of Technology. For many years after, a hacker was defined as someone who was an expert at programming and problem-solving with computers, who could stretch the capabilities of what computers and computer programs were originally intended to do.
Hacking is an activity, and what separates any activity from a crime is, very often, permission. People are free to drive, but they do not have permission to drive 150 miles per hour—that’s reckless driving and it’s a criminal offense. Bankers can transfer their clients’ money, but if they do so without permission, that’s embezzlement. And you’ve never heard of someone being arrested simply for being a stockbroker, because no one is charged for choosing a career in finance—but they’d be arrested if they engaged in illegal activity like insider trading.
Thanks to security researchers’ hacking practices, in 2019 vulnerabilities in a new version of the most common Wi-Fi encryption standard (WPA3) were found before criminals could use them to break into home and business networks. Conversely, just the month before, criminals found an unknown vulnerability in Google’s Android operating systems before security researchers did, giving the bad guys full control of more than a dozen phone models. Hacking isn’t an inherently criminal activity. Someone who engages in the illegal use of hacking should not be called a “bad hacker” but a “cybercriminal,” “threat actor” or “cyberattacker.” Hackers are people like me and my team at IBM—security professionals who are searching for vulnerabilities, hoping to find weak links in our computer systems before criminals can exploit them.
Those who commit computer crimes fall into two categories: “black hat” and “gray hat.” A black hat is someone who hacks with malicious intentions (espionage, data theft), seeking financial or personal gain by exploiting vulnerabilities. A gray hat is someone whose intentions may not be malicious but lacks the permission to hack into a system. Whether a particular criminal is a black hat or a gray hat is simply descriptive of the motivation behind what has already been established as illegal activity.
Somewhere along the way, the security industry also recruited ethics to help justify hacking behavior, giving us “the ethical hacker” and adding an artificial defensiveness to a profession that has existed since the 1950s. Unfortunately, even accredited security certifications use the adjective in their very title. And while we can’t and shouldn’t fault the general public for referring to us as ethical hackers, I ask you this: Does it sound right to introduce someone as an ethical stockbroker? How about an ethical engineer or ethical professor?
Hackers play a critical role in keeping companies and people safe. A hacker failing to do the job right is the equivalent of letting a company believe and function as if it’s wearing a bulletproof vest when, in fact, it’s wearing cashmere. At IBM, one thing my team, X-Force Red, does is hack autonomous vehicles, planes and trains to make sure that every possible security vulnerability is found and corrected before each machine is shipped. Imagine what bad things could happen if security weaknesses aren’t identified and corrected before those vehicles are out the door.
The misrepresentation of the term “hacker” not only undermines the offensive security community but also distorts legislators’ understanding and perception of hackers overall. The Computer Fraud and Abuse Act, for example, relies heavily on the term and its misinterpretation. For society to have open and productive discussions about security research and penetration testing, we need to set the record straight on who and what hackers really are. Many government officials whom I’ve spoken with understand this. Others choose to take my license plate away.