Blog post

What Ethics Are Appropriate to a Hacker?

By Richard Hunter | July 02, 2013 | 3 Comments

IT risk

I’ve been thinking lately about Matt Honan, who wrote almost a year ago in Wired about his experiences with a hacker named Phobia who hacked Honan’s Apple account, and soon after used his access to the account to wipe out Honan’s electronic memories–everything Honan had acquired and stored on his Apple devices.  Honan later was contacted by Phobia, and in the course of their correspondance Honan asked why Phobia had done him such grievous harm:

I asked Phobia why he did this to me. His answer wasn’t satisfying. He says he likes to publicize security exploits, so companies will fix them. He says it’s the same reason he told me how it was done. He claims his partner in the attack was the person who wiped my MacBook. Phobia expressed remorse for this, and says he would have stopped it had he known.

“yea i really am a nice guy idk why i do some of the things i do,” he told me via AIM. “idk my goal is to get it out there to other people so eventually every1 can over come hackers”

The ethos expressed in those few words is close to monstrous.  Here’s what it boils down to:

1)       If I hack you, it’s your fault for being unprotected.  (As Clint Eastwood said in “Unforgiven” after being taken to task for shooting an unarmed man, “He shoulda armed himself.”)   Therefore…

2)      I have the right to hack anybody who’s vulnerable to hacking.  And that’s a good thing, because…

3)      I serve a higher purpose when my hacking wrecks the lives of people who are too careless or innocent to protect themselves.  As Phobia wrote to Honan, “my goal is to get it out there to other people so eventually every1 can over come hackers”.

Phobia is confused, to say the least.  You can’t simultaneously not know why you do the things you do, and purport to have a goal that represents the justification for doing what you do.   Beyond that, there’s an obvious hypocrisy in Phobia’s comments.  If you claim to be concerned for the welfare of others—for example, to care about whether they can protect themselves from some kind of harm—you don’t start your relationship with those others by launching a brutal surprise attack.  In a civil (read: moral) society, you don’t attack strangers on the street (or anywhere else) on the pretense that it’s a lesson to the vulnerable to make themselves less vulnerable.

Indeed, civil societies reserve special scorn and punishment for those who attack the most vulnerable.  As one obvious example, pedophiles are not commended for “teaching” little kids to protect themselves from sexual predators.  Responsibility in a civil society lies with the perpetrator, not the victim, not God.

Of course it’s important for all of us to take steps to avoid being victimized in all sorts of ways, but that’s not the point.  My being weak or defenseless does not make my attacker noble or justified, whether or not the attack is successful.  The moral measure of a person in a civil society is how well he or she treats vulnerable people, not how successfully he or she takes advantage of their vulnerability.   (I won’t pretend that there aren’t plenty of people out there who have achieved fame and fortune in modern society by taking advantage of the vulnerable; I’m saying that such people don’t get to claim the moral high ground, which is what’s happening when a hacker says he does what he does to make the world safe from hackers.)

In this sense, hackers like Phobia are not vanguards of a new cyber-civilization, as Phobia seems to fancy himself.   They are the precise moral equivalent of a street thug ambushing an old woman, or a man throwing acid in his ex-lover’s face (a recently popular activity in some parts of the world, and one that is also intended to teach the victim a lesson).  They are representative of the worst tendencies in humanity, not the best, and it’s discouraging that some very bright young people (Phobia is 19) have convinced themselves that victimizing the vulnerable is representative of high ethics.

I doubt that Phobia thinks of himself as religious, but his justifications are eerily similar to the tenets of any number of fundamentalist religions.   Many fundamentalists will tell you that if you’re attacked—by a terrorist, a cyclone, an angry dog, a fellow fundamentalist, or anything else—it’s God’s will (which is another way of saying “it’s your fault”).   If the fundamentalist hears from God (or the little voice inside his head that purports to be God) that you should be attacked, the attack will begin as soon as is practically feasible.  After you’re righteously punished, you will be more likely to heed God’s will; if not, God’s will is still satisfied, it being the will of God that the faithful seek relentlessly to destroy unbelievers.  No fundamentalist ever seems to think that it’s God’s will to be kind to everybody.  Nor does any hacker.  Once you’ve established a higher purpose that supercedes the mere interests of any individual, kindness has nothing to do with it.

Civil societies rely on due process and rule of law, which were developed painstakingly over centuries precisely to protect individuals and societies from arbitrary attacks by the self-empowered, be they bandits or kings.  Before due process and rule of law, life was (as Hobbes put it) nasty, brutish, and short, which is a pretty good description of a typical cyberattack (although of course modern attacks are recently tending to the ongoing and persistent, as opposed to the episodic).

Do hackers really want to return society to the law of the jungle?  Do they really want every man and woman to decide for themselves what “right” means, in utterly exclusive and non-negotiable terms, and to act without further ado to destroy those who stray from the path of righteousness? Do they really want to add to the world’s sum total of pain and anguish, of which neither will ever be in short supply, with or without the help of hackers?

We live in an era in which authorities of all sorts have been revealed to be both unethical and incompetent, and it’s not surprising that many in this era have anointed themselves as moral authorities with the right to mete out drastic punishment as they see fit.  But that doesn’t make it right.

If you’re a hacker, and you disagree with this argument, write and tell me why.

Leave a Comment


  • Paul Proctor says:

    I just want to differentiate between “hackers like Phobia” and hackers. I have long been involved with the hacking community as a volunteer at the Defcon hacker conference. I know a lot of hackers and they are some of the smartest, most dedicated, and driven problem solvers I know. They would not dream of the type of antics and meddling our friend Phobia engages in.

    The fact that Phobia has some of the same skills doesn’t mean everyone who uses the label “hacker” has the same need to wreak havoc. The typical hacker I know would condemn Phobia’s actions the same way you and I do.

    Hackers play a vital role in understanding why things work, why things break, and how we need to protect them.

    Who would you condemn more, the hacker who uncovers a serious weakness in a computer system that you use, or the corporation that threatens to silence the hacker rather than fix the flaw?

    Microsoft spent years trying to silence them but realized that they were a vital resource for managing security flaws in their software and have developed a close relationship with the hacker community. General Alexander is trying to recruit them into the cyber army.

    It is critical that we do not paint with a broad brush when we start condemning “hackers.” We need them.

  • Richard Hunter says:

    Point well taken. When I interviewed Eric Raymond, one of the leading lights of the Open Source movement, for my book “World Without Secrets” in 2001, he referred to people like Phobia as “crackers,” not “hackers,” putting as much distance as possible between himself and his peers—who, as I noted at the time, were utterly open, operating in a reputation-based gift culture–and those who amuse themselves by attacking strangers from a distance, anonymously. In Raymond’s view, “hackers” create; “crackers” destroy. There’s no question about which Raymond thought the better; he called himself a hacker. Unfortunately, the bad guys have co-opted the term in the popular media. I doubt that anyone outside the world of technology would hear the word “hacker” without immediately adding “criminal.”

  • Paul Proctor says:

    I agree that the media has co-opted the term hacker and that’s a shame. But the class of people we are talking about with the skills and the drive to do what they do should not be classified as “criminal” regardless of what term you use to describe them.

    On a different point, there was a piece in the WSJ this morning about the risk the NSA is taking by hiring people with hacker skills. Basically, even the ones that I support (which I believe are in the majority by far) are huge supporters of the EFFand against such monitoring. I agree that this is a huge risk for the NSA.

    However, I don’t put the likes of Snowden in the same category with Phobia. I don’t want to characterize Snowden because there’s already too much noise and opinion on that. I don’t want to play. However I will say he isn’t like Phobia, a malcontent, too imature to understand or appreciate the damage he causes. I think we can assume Snowden knew exactly what he was doing and exactly the impact he wanted.

    My point is hacker skills and drive don’t define the person.