Which Hat Are You Tipping?

"Whoever fights monsters should see to it that in the process he does not become a monster. And when you look long into an abyss, the abyss also looks into you."

-Friedrich Wilhelm Nietzsche

I was browsing through the Computer section of a major bookseller when I came across a book on hacking techniques endorsed by a computer science professor at Princeton, whose quote said, in effect, the only way to understand how to defend against hackers is to understand exactly how they hack.

Really?

The book went on to detail exactly how a rootkit hooks into the execution stack after a buffer over/under-run attack, new methods for launching DoS attacks and much more. In vivid detail.

To me, this is much like publishing a book with recipes for creating dynamite and then claiming it should be used to train a bomb squad.

Really?

Shouldn't the bomb squad's manual focus on detonators, timing devices, and contact switches to help squad members understand how to diffuse rather than make a bomb?

Likewise, aren't the principles for writing secure software that isn't prone to over/under-run attacks pretty well understood by now? Aren't the tactics for systems administrators pretty well defined? Subscribing to security newsgroups, applying critical patches, and following best practices with your own software seem like much more sound principles than studying the finer points of hacking to me.

The truth is that books with "hack" in the name sell. They sell more to teenagers who think they are invincible, that their actions don't have consequences, and that curiosity is always justified--much more than they sell to security experts. I have seen many people justify dubious behavior under the auspices of noble intentions. The security community is no exception, and the seductive quality of that sense of power that comes with knowing you could do harm is all too tempting and too real.

At what point does the information you discover obligate you to consider the potential damage it could cause in the hands of someone with different intentions? It is a question nuclear physicists and security experts alike have pondered. You say your work is for educational, informational purposes only.

I say, "Really?"

§ § §