raisely/NoHarm

What about black hat hacking?

IRod22 opened this issue · 26 comments

Updated as GitHub Community is moving to GitHub Discussions

Overview

Since what has been going on in the past decade, especially with the Russo-Ukraine war, I've been noticing more cyber attacks lately on the news. If you all don't believe me, check out monitor.firefox.com/breaches to see how much damage has been caused by data breaches alone. I saw an even bigger loophole in the world of open source: a library/framework (ex. Angular, Lodash, Laravel, etc.) can be (ab)used not only by large organizations like Facebook, but individuals/groups as well. Essentially a developer's library/framework can be - and is probably being - used to cause massive collateral damage. For a library developer, knowing that they are enabling a hacker to cause more harm can be demoralizing.

Proposed Resolution

There's not much I can do here as I am not a legal expert, but I can tell you that there probably needs to be a way to make the vague concept of "no hacking/phishing[/...] allowed" into a less ambiguous phrase. However, I did post topics on Mozilla Discourse and GitHub Community (old) (new) that go deeper into the subject; these should help clarify the subject further.

Remarks

I would like to thank the group/organization behind this project for making a license for the greater good! I am hoping to make a few repos public, but I don't want to use current licenses that will allow harm.

I'm of two minds here. In most (all?) countries hacking is illegal and if you're already operating outside the law then you probably don't care about what the license of software you use to aid your hacking is. You'd have more luck enforcing criminal law and convicting for hacking than you would enforcing the incorrect use of software licensed under Do No Harm.

But maybe there's wording that's a little broader and would encompass uses that are inside the law here, and I appreciate that there are other things included in the license that are also illegal or unlawful in some countries.

If someone wants to suggest wording I think we can consider further.

According to FindLaw,

Hacking is broadly defined as the act of breaking into a computer system.

I will look for a more detailed definition of hacking.

How about this?

  • intentionally creating any malicious backdoors or security vulnerabilities in the derivative work
  • intentionally making any malware or spyware disguised as harmless available to the general public

In the interest of simplicity I think if we include this we should be looking for broad wording, otherwise we start to get into debates at a level of detail that aren't helpful for the goal of the license.

For example, to cover the whole realm of environmental protection in the license we have 4 simple points:

  • the extraction or sale of fossil fuels
  • the destruction of habitats for threatened or endangered species, including through deforestation or burning of forests
  • the abuse, inhumane killing or neglect of animals under human control
  • industrial processes that generate waste products that threaten life

Perhaps this could be combined with #58 and we have a general clause on cyber? Something like:

add to d: d. addictive or destructive products and services

  • products that facilitate state surveillance or unauthorised access to a computer or network

@tommaitland, @realpixelcode,

I think we can go one step further with combining this issue, and issues #58 and #75 (because Google Analytics is technically surveillance, which itself deals with cybersecurity, as well).

I still want to reiterate the reason why I created this issue in the first place. The reason is because a license like Do No Harm is useless and contradictory to its mission if it cannot defend the end user from attacks that could lead to identity theft or a grid outage at worst due to a phishing site for example. If a framework as complex as Angular or Svelte were used, then a hacker can easily fool the average person into entering their credentials. Cyber warfare, data breaches, and other attacks are not to be taken lightly, especially right now when the stakes are at their highest.

The reason is because a license like Do No Harm is useless and contradictory to its mission if it cannot defend the end user from attacks that could lead to identity theft or a grid outage at worst due to a phishing site for example.

I'm not sure I'm understanding your intent. The license is designed to ensure that the efforts a developer has gone to in creating software they release into the world are not used for harm, the license does nothing to protect the users of tools themselves – so protecting a user from malware, surveillance or attacks is beyond the scope of what the license can achieve. The license is only able to say to the developers of software that may be malicious that they are not welcome to use code licensed with No Harm.

A hacker can use software to harm millions of vulnerable people. Think about it. With today's modern technology, countries are at risk of having their energy grids taken out by black hats, and we now rely on these grids more than ever. Back in 2021, my state lost power for about a week due to a winter storm, and countless people died trying to stay warm with almost three necessities going out. Now imagine the consequences of a hacker in Russia or Belarus hitting the power grid. Substations would be out for months, and without power, the modern metropolitan world would grind to a halt. All of this would result in no food and drinkable water at the dinner table and no heating and air to prevent our homes from freezing or burning up respectively. This basically results in the tragic deaths of countless civilians.

I'm not disagreeing with you that hacking is bad! My suggestion above would disallow this:

add to d: d. addictive or destructive products and services

  • products that facilitate state surveillance or unauthorised access to a computer or network

However I was also just making the point that if someone is doing something illegal they probably don't care about what license their dependencies have so this is all fairly academic.

products that facilitate [...] unauthorised access to a computer or network

That's a dangerous phrasing, since it might, unintentionally, target white-hat hacking software. A phrasing that targets the act of accessing a computer or network without sufficient authorisation instead of the software would be better IMO.

Merging #81:

Basically, there are companies that specialise in finding zero-day security vulnerabilities in software (“zero day” stands for “zero days since the developer discovered the vulnerability”, meaning it hasn't been discovered at all). Since they sell that information to cyber criminals and even authoritarian countries, their business model directly harms the digital security of end users as well as our critical infrastructure. That's why I propose banning it altogether.

Possible phrase to be included in the licence:

the systematic trade with zero-day security vulnerabilities in software accessible to the general public, without disclosing them to the public, the developer or the responsible state authority

@realpixelcode, @tommaitland, at least we have it in there as a deterrent. The licensor has the deterrents in the form of this license to have the legal grounds to perform audits themselves, or the GitHub staff could open the gates to potentially private repositories to allow investigators to find the perpetrator. Even state supported hacking should not go unchecked.

@IRod22 I didn't mean vulnerabilities specifically in the licensed work, but generally in any software.

Got it. Sorry.

No worries :)

I found a good source that has what we need. According to Fortinet:

There are typically four key drivers that lead to bad actors hacking websites or systems: (1) financial gain through the theft of credit card details or by defrauding financial services, (2) corporate espionage, (3) to gain notoriety or respect for their hacking talents, and (4) state-sponsored hacking that aims to steal business information and national intelligence. On top of that, there are politically motivated hackers—or hacktivists—who aim to raise public attention by leaking sensitive information, such as Anonymous, LulzSec, and WikiLeaks.

A few of the most common types of hackers that carry out these activities involve:

Black Hat Hackers

Black hat hackers are the "bad guys" of the hacking scene. They go out of their way to discover vulnerabilities in computer systems and software to exploit them for financial gain or for more malicious purposes, such as to gain reputation, carry out corporate espionage, or as part of a nation-state hacking campaign.

These individuals’ actions can inflict serious damage on both computer users and the organizations they work for. They can steal sensitive personal information, compromise computer and financial systems, and alter or take down the functionality of websites and critical networks.

White Hat Hackers

White hat hackers can be seen as the “good guys” who attempt to prevent the success of black hat hackers through proactive hacking. They use their technical skills to break into systems to assess and test the level of network security, also known as ethical hacking. This helps expose vulnerabilities in systems before black hat hackers can detect and exploit them.

The techniques white hat hackers use are similar to or even identical to those of black hat hackers, but these individuals are hired by organizations to test and discover potential holes in their security defenses.

Grey Hat Hackers

Grey hat hackers sit somewhere between the good and the bad guys. Unlike black hat hackers, they attempt to violate standards and principles but without intending to do harm or gain financially. Their actions are typically carried out for the common good. For example, they may exploit a vulnerability to raise awareness that it exists, but unlike white hat hackers, they do so publicly. This alerts malicious actors to the existence of the vulnerability.


With this info in mind, we want to focus on protecting the White Hats, and we want to disallow the black hats. I included grey hats in the quotation because their actions can be interpreted differently depending on who you ask, so we probably need to take grey hats into account as well IMO. We need to see how we can phrase all of this in a broader definition.

A few ideas:

Hacking

Hacking means illegitimately and without authorisation infiltrating any third-party computer system or network and

  1. thereby causing material or immaterial damage to a degree not insignificant or obtaining sensitive information not known to the general public,
  2. thereby attempting or preparing to do so or
  3. without white-hatting.

Irresponsible sharing of zero-day vulnerabilities

Irresponsible sharing of zero-day vulnerabilities means the communication of security vulnerabilities, that are not known to the developer, the state authority in charge and the common public, in software programs to any person, organisation, company or other entity, without white-hatting.

White-hatting

With regard to a security vulnerability in software, white-hatting means taking responsible measures necessary

  1. to prompt or initiate the closure of the vulnerability or
  2. to enable as many users of the software as possible to protect themselves from the vulnerability,

especially by disclosing the vulnerability

  1. to the developer of the affected software,
  2. to the state authority in charge or
  3. to the general public.

I know this is really long, but it's very difficult to define those terms in a concise manner.

@realpixelcode I like the terminology, but the main difficulty is that this will be hard to integrate with issues #72 and #77 and consequently PRs #79 and #80. I think we need a third and a fourth opinion about the wording and to figure out how to integrate the definitions into the license/summary.

Since starting the NoHarm license the thing we've wanted to avoid is playing a game of whack-a-mole with all the things that could harm out there – as that would lead to a very large, very fragmented license. Instead, we take broad strokes of the things that are the most harmful, and where the license would have the most impact.

For that reason I don't think we should be adding definitions on the different forms of hacking to the license – it's just way more specific than this license needs to get.

I think adding accessing a computer or network without sufficient authorisation as suggested above by @realpixelcode is adequate to cover hacking and zero-days however I think it would be better again if there was a more generalised way to capture all kinds of cyber harm.

So to summarise:

  • I don't think we need to go into too much detail defining hacking
  • I think we have a draft addition here but we should wait or investigate if there are other cyber areas the license should cover to bring in broader or more inclusive wording

@tommaitland Got it. Do misinformation, illegal gambling, the black market, child pornography (I won't include a more simple term for the sake of sensitive and younger viewers), or any of these need to be included or are any of these covered by the license?

The license already covers gambling but generally we’ve taken the approach that the license doesn’t need to cover things that are already generally illegal - as we don’t want or need the license to repeat criminal codes. That was also why I initially resisted hacking.

Misinformation is something we’ve included in our version of the license at https://raisely.com/who but hasn’t made it here yet.

Note that misinformation is not a synonym for deliberate disinformation. Possible definition:

Disinformation means the dissemination of claims that contradict established facts, about which there is common scientific consensus or which are otherwise proven beyond reasonable doubt, in the absence of scientific evidence or otherwise sufficient proof for such claims.

Sorry fat fingered.

The wording we’ve used in the past is not a definition, just a simple exclusion:

misinformation, disinformation, or any incorrect or misleading information presented as fact

@tommaitland That looks good. @realpixelcode how does it look to you?

I'd at least call it deliberate disinformation, since we're not trying to ban accidental incorrect information.

Good point @realpixelcode. We just need to see what @tommaitland thinks about that first. After that, we'll need to discuss how to integrate it into the license/summary and existing issues/PRs.

I'd just like to quickly point out that instead of using the word "hacker" when you mean cybercriminal, instead just use cybercriminal. Hackers are just people who are curious, technical, and shouldn't be lumped together with criminals.