[The Moral Dilemma]
In this week's article I discuss ethics and the role they play in conducting security research, as well as how a sense of ethics can sometimes result in having to scrap a write-up you're quite proud of.
Technical Difficulties
Howdy Hackers! Another Tuesday, another article for you!
First off, I want to apologize for the lack of technical content two weeks in a row. I have this nice, shiny... wonderful article ready for you regarding Hack the Box's new room, Mailing, which expired on the 11th... And only just realized that "expired" machines are not in fact the same as "retired" machines.
Hack the Box's terms of service (TOS) state that write-ups and video content may only be created for retired machines. While I had initially mistaken these terms, I did notice the discrepancy yesterday and my own sense of ethics is such that I cannot in good faith publish this article knowing it would violate TOS.
For this delay, I apologize. That said -- My content will still be centered around technical write-ups, though the material source will likely shift to recently retired machines and a mixture of other "hands-on" styled labs (i.e. PortSwigger's Web Academy).
If these topics interest you, get ready, I'm planning a busy week to ensure I can replace the content lost and put out some great reading material for you!
Thanks for your understanding,
--Eru
Ethics in Security Research
What are Ethics?
The Mirriam-Webster dictionary describes ethics to be -- "the principles of conduct governing an individual or a profession". Most often, these principles are derived from an individual or collectives desire to be morally good. In this sense, to be ethical is to follow these agreed-upon principles and uphold values such as integrity and morality.
Ethics in Security
At it's core, ethics in cyber security revolve around respecting others. Their privacy, peace of mind and general ability to use the internet without fear are all things that we strive to protect as information security professionals.
A common mistake, those who pursue the field of "Ethical Hacking" are often misunderstood to be akin to the bad actors that are responsible for so many security incidents across the world. Instead, these ethical hackers seek to challenge the concept of "Security through Obscurity", ensuring that companies and platforms of significant size put forth a fitting amount of effort into ensuring that their users are safe from actual threats.
Developing your Ethics
As an aspiring ethical hacker, there are many opportunities where you have to decide how you will apply your ethics to a situation.
This article is a great example of me applying my ethics. While I could try to argue that there are several people out there publishing write-ups for the completed seasonal boxes and that I'm not doing this for any sense of financial gain or otherwise... I would be arguing with myself. When I reread the TOS, I distinctly noticed the difference in wording between "retired" and "expired". I then took the time to look for related materials, and confirmed that the season 4 boxes were even still classified as "Active", a category clearly prohibited from being written about.
To me, moments like these are where your ethics are developed. When no one is looking, do you still try to do what's right?
Trusting Hackers
The field of ethical hacking fits a niche gap in security. We seek to find vulnerabilites such that they may be patched before they're exploited. With a focus bettering our Blue teams and conducting security research, hackers are able to contribute to the advancement of security as a whole.