Whilst doing my normal troll through various blogs and web sites looking for interesting information security stories I came across another story about Glenn Mangham http://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/ who has recently jailed for hacking Facebook.
What made this story jump out at me was the title of the story "Jail for 'ethical' hacker who bypassed Facebook security from his bedroom" rather the previous headlines about British student jailed for hacking. For those not familiar with this case Glenn Mangham had already obtained money from Yahoo for finding vulnerabilities in their systems and his defence for this offence was that he was an ethical hacker. Now my own understanding of what makes an person an ethical hacker as opposed to a criminal is that they have permission to test a system for vulnerabilities and then move on to exploiting them before they start the testing of the systems. The defence team argued that he was a white hat or ethical hacker but being luck and being paid by Yahoo rather than being prosecuted does not a person an ethical hacking. Whilst teaching students at a University on a computer security and forensics course, I often with the students discussed the terms white hat, black hat and grey hat, and made sure that they understood that any access to a computer system required permission from the legal owner; a person who had the responsibility with the organisation to give permission for access to be made, this was for vulnerability/penetration testing as well as for forensic investigation. In my view Glenn was never an ethical hacker and should not be described as such.
So the answer of what makes an ethical hacker legal is that there is an agreement between the tester and the legal owner of the system being tested that gives permission for the testing to be carried out.
In one aspect Glenn was luck that no one in America decided to try and extradite him to the USA to stand trial, where he would of been sentenced to more than 8 months in jail.
Very Informative Article.Thanks sir.
ReplyDeleteI should of said "a written and signed agreement between the tester and the legal owner of the system"
ReplyDelete