Science Daily reports that associate professor Kevin Steinmetz of Kansas State University has published a research article in which he attempts to answer the questions: "What is a hacker and what does it mean to hack?" According to Science Daily, Steinmetz, who conducted an ethnographic study to find his answer, concluded: "Hacking is a late-modern transgressive craft."
This characterization reinforces the current and dominantly held definition of hacker. Steinmetz's might be an appropriate characterization for the purposes of criminology; however, characterizing all hacking as transgressive is incorrect. My observations after more than 40 years of working with hacking nee software development nee computer programming lead me to a different assertion, one I first attempted to describe in an article, Security Hats: black or white, there is no grayscale:
All of the activities Steinmetz attributes are as readily applied to ethical hacking as transgressional.
The populist views of hacking - from pimply little social misfits who live in garages or basements and wreak havoc on governments or corporations for notoriety's sake, to Bondesque evil geniuses - portray only one segment of the hacker population. Another is recorded in Brian Harvey's What is a Hacker?, where he describes hackers as aesthete hobbyists. Harvey explores both hacker aesthetic and ethic and asserts, "To embrace the aesthetic life is not to embrace evil; hackers need not be enemies of society."
Let's review how Steinmetz compares hacking to craftwork. He uses eight analogs:
- A particular mentality
- An emphasis on skill
- A sense of ownership over tools and objects of labor
- Guild-like social and learning structures
- A deep sense of commitment
- An emphasis on process over result
- A common phenomenological experience
- Tendencies toward transgression
Let's juxtapose several of Steinmetz's transgressional craftsman's characteristics against Harvey's ethical hacker. For this, I'm primarily using the characteristics I see among information security, security operations, and security research colleagues for comparison against the criminal characteristics I have come to understand from my work with security communities.
A particular mentality. In my experience, the transgressional hacker is biased towards notoriety, self-interest or financial reward: some hackers may be transgressors because they hack to protest suppression of rights and their activities violate laws. The ethical hacker is biased towards fun, innovation, satisfaction. Where transgressional hackers may work grudgingly with others or by necessity, ethical hackers often seek others (particularly to share information) and work well in groups or teams.
A sense of ownership over tools and objects of labor. The nature and character of underground markets for trading tools and objects of labor support Steinmetz's notion that transgressional hackers are possessive. But some protest or resistance transgressors share their hacks, and ethical hackers are more generous: security or investigative software or web portals are quite commonly made available as open source, or free of charge, by individuals and security companies with commercial interest.
Guild-like social and learning structures. In my experience, criminal-transgressional hackers are not guild-like in the truest definition of guild, but rather a collection of conspirators. Ethical hackers are more characteristically guild-like, especially where such communities not only expect mutual respect and common purpose but require members to be vetted and adhere to strict acceptable use practices.
A deep sense of commitment. It's arguable that both transgressional and ethical hackers can be deeply committed; at the very least, the most talented hackers are aesthetes.
Based on these juxtapositions, I would alternatively propose to depict hackers along two axes: transgressional versus moral, and public interest versus self-beneficial. For my purposes, public interest encompasses principles of "do no harm", "common good", and protest or "(civil) disobedience". Self-beneficial encompasses notoriety or financial gain, personal or corporately commercial.
In the figure to the right, I place a sampling of "guilds" in these quadrants, one man's attempt to fold aesthetic and ethic into the study.
Does this depict what a hacker is and what it means to hack more correctly than Steinmetz does?
Share your opinion with me on Twitter @securityskeptic. Thanks!