A version of this article originally appeared on the EFF’s Deep Links blog
Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed. Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.
Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration. Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.
This is an unfortunate, aggressive reaction to the social concept of “the hacker,” without pausing to consider the facts of the case. If the book had been called “Offensive Information Security” instead of “Hacking Exposed,” would it have been confiscated, or Mr. Green deemed a threat? We’ve seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued. This is in part because the term “hacker” can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they’d mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn’t do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brougth criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games, which were ultimately dismissed.
Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades. They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society. Their curiosity drives our economy and challenges entrenched corporate and governmental interests. However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative one that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.
Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “Hacking” and overreacted. The security paranoia displayed in banning Mr. Green from the TRULINCS electronic messaging system and access to computers entirely also doesn’t bode well for their information security practices. Theoretically, if the Bureau of Prisons is truly concerned about users within the prison system compromising TRULINCS, it ought to have measures in place to prevent users from, say, uploading or downloading attachments, installing and running programs, accessing the Internet, or gaining admin access to the workstation or local network. If the system does potentially allow these actions, and is relying on the lack of knowledge in its user group to protect itself (aka security by obscurity), then that is a much bigger problem than one guy ordering one book. A Bureau of Prisons memo (http://www.bop.gov/policy/progstat/5265_013.pdf), states that an inmate can be banned from the system if they have “special skills or knowledge” of computers or the internet. Unless those skills or knowledge were used in the commission of a crime, the BOP wouldn’t necessarily be aware that an individual possessed those skills. So rather than strengthening the TRULINCS system against unknown, potentially strong actors (people who enter the system with “special skills and knowledge” or outside attackers), the BOP here appears to be opting to take punitive action against a known weak actor (if he had the requisite skills and knowledge to compromise the network, one would assume he wouldn’t have needed the book).
What is being attacked here is the ability of individuals to pursue technical knowledge. Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposedbook, the warden in this case appears to have latched onto the word “hacking” and overreacted.