They say that timing is everything, and that there is something to be said for being in the right place at the right time. When I was a kid growing up in the 1980s, I was accepted into a special school that focused on math, science, and technology. This was the first time that the program had been offered and it was long before anyone had coined the term “STEM education.” Because of the nature of the program, the students learned things that they could not at the time learn anywhere else. Of course with kids being kids, some took what they had been taught and used it for purposes that were, shall we say, frowned upon. The school didn’t teach hacking, for example, but it wasn’t exactly a stretch to figure out how to take what we had learned in computer class and use it in an illicit manner. Today the world is a very different place. Hacking techniques are openly taught by various institutions, and hacking information is readily accessible on the Internet. White-hat hacking, where computer programmers look for vulnerabilities and report their findings to the proper authorities, along with bug-bounty programs that pay white-hat hackers to find exploits, is an important part of cybersecurity.
A move to ban white-hat hacking?
Having said that, though, there was a move earlier this year to ban hacking tutorials. YouTube maintains a list of community guidelines that govern the types of videos that may be uploaded. The section on Harmful or Dangerous Content specifically bans videos about “Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data.” as shown below. The Verge is reporting that YouTube is now permitting white-hat hacking videos, but as you can see in the screen capture, YouTube’s Harmful or Dangerous Content page does not distinguish between white-hat hacking and black-hat hacking.
Regardless of whether or not YouTube is allowing white-hat hacking videos, the question of whether or not instructional materials related to hacking should be banned seems to be coming up much more frequently lately. As such, I wanted to take the opportunity to weigh in on the question.
Harmless and beneficial
In my opinion, white-hat hacking education is not only harmless, but it can also be beneficial. Of course, the biggest argument against hacker education is that it essentially teaches students how to commit a crime. Even so, there are other, arguably better places for a would-be hacker to get this information.
Banning white-hat hacker education is not going to stop someone from learning house to hack. Hackers by their very nature are creative, and criminals do not play by the rules. Eliminating white-hat hacker education is not going to stop hackers. Remember my earlier example of the school kids who used what they learned in computer class to figure out how to hack? Nobody explicitly taught them anything about hacking, and yet they were able to put together the pieces and figure it out for themselves.
Even if you were to put all ethical issues aside, there is one big reason why I have absolutely no fear of white-hat hacking courses being made publicly available. That reason is that these courses are almost always behind the curve. Let me explain.
Over the last several years, I have been given the chance to develop several different video-based training courses (none of these courses have been related to hacking). In doing so, I have discovered that it is nearly impossible to build a course that contains everything that you want to include. I once created a Windows course, for example, that was almost 10 hours long. In spite of the course’s length, there were several different subjects that I wanted to include in the course, but simply could not because of logistical reasons and deadlines.
The point is that as a course author, you are forced to make decisions as to what material to include in a course, and what material to omit. In the case of a hacking course, I think that it is probably a safe assumption that most instructors focus on the mainstream hacking techniques that have been most influential in the development of security policies. Most instructors probably aren’t going to spend a great deal of time discussing obscure techniques that the students are unlikely to encounter in the real world.
Similarly, IT-related courses can become outdated relatively quickly. A new exploit that is discovered a week after a course has been released isn’t going to make it into the course because the course is already finished at that point. That’s what I mean when I say that hacking courses are almost always behind the curve. New exploits come out all the time, but incorporating those new exploits into existing courseware poses a significant challenge.
The point is that course authors tend to focus on mainstream exploits, and those exploits are already well known. As such, it is almost certain that patches and procedures exist to guard against those particular exploits. In other words, a mainstream exploit that is being taught in a white-hat hacker course has almost no chance of being successfully used against an organization that adheres to security best practices.
Additionally, some white-hat hacking courses are specifically designed in a way that prevents the techniques being taught from being used in the real world. Several years ago, for example, I attended a Microsoft conference in Orlando. One of the best sessions presented that year was on how to protect your Windows network. The session demonstrated a few different hacking techniques and then showed how Windows could be configured in a way that would completely mitigate those techniques. Although the presenters demonstrated 90 percent of what was needed to hack a Windows network, they left out certain key details to prevent anyone in the audience from using those particular exploits.
An essential part of IT training
The No. 1 reason why I am all in favor of white-hat hacking education is because I consider it to be an essential part of IT security training. Even though the various hacks that are being taught might not necessarily be something that can be applied in the real world, white-hat hacker education teaches security professionals house to think like a criminal.
Perhaps even more important, white-hat hacker education gives security professionals a much more in-depth understanding of the systems that they are tasked with protecting. It’s one thing for a security professional to know which settings to enable to harden a particular software product. It’s quite another thing for a security professional to understand what is going on behind the GUI, and what implementing a security policy actually does at the system level. Having an in-depth understanding of systems and their underlying infrastructure (a level of understanding that can only come from attempting to hack the system) allows IT professionals to better defend the systems that are under their care.
Featured image: Shutterstock