Recently, I engaged a few folks about the idea of a Certified Ethical Hacker. For those of you unfamiliar with this concept, it’s a program designed to ensure that people breaking into your system understand the ramifications of what they are doing and take proper measures to alert and inform you and to correct the issues they discover.
When I heard about this program, I naturally thought of a plan that shares a lot of common ground.
Can you be an ethical hacker? Of course you can, but it’s not going to happen by going through some two-week correspondence course and getting some freshly printed wallpaper.
If you have ethics, you already know what to do. It’s instinctual. You know that once you uncover a zero-day bug in a site, you contact the site owners immediately, inform them of your findings, explain how they might resolve the problem, and explain how to set up tests to guard against such issues in the future.
You don’t charge for that work, because that would be blackmail (the site owners may seek to reward you for finding that problem, which is fantastic, but they may also not).
You don’t disclose the attack vector publicly unless you have made EVERY effort to have the problem addressed privately and given the site ample time to address the issue.
You don’t lambaste the site owners or maintainers for being incompetent because you managed to find this single exploit (if you find dozens or hundreds and the site advertises itself as high-priced “security experts”, feel free to go to town).
In short, you treat the sites that have the issue the way you would want to be treated. Possibly better, because you don’t know what other issues they may be facing.
If you’re not ethical, you wouldn’t do any of that anyway because you wouldn’t be thinking about it. You would need a checklist of actions because none of them would occur to you.
Think of it this way: if being certified were enough to ensure that a person or group will act in a proper and competent manner, would DigiNotar have been a problem?
Frankly, anyone who shows up with one of those would probably go on my watch list pretty damn fast. It’s the kind of distraction that would make Bernie Madoff proud.