The basic definition of a hacker is relatively easy: someone driven to deconstruction to see if reconstruction can lead to a different outcome. Categorizing a hacker into moral, amoral, or immoral is less easy. In this edition of Hacker Conversations, SecurityWeek talked to HD Moore for a better understanding of the finer details.
For HD Moore (we’ll call him HD throughout), a hacker is “somebody who likes exploring the edges of technology”. It is the method and purpose of that exploration that separates moral (often described as a researcher or pentester), amoral (often simply a curious youngster ‘poking’ around on the internet), and immoral (usually termed blackhat or malicious) hacking.
The first two are not normally classified as illegal. However, warns HD, “If you bypass any technical measures or barriers, that tends to be the definition of a crime.” But it is still difficult for the moral hacker to remain legal, and for law enforcement to prove immoral hacking is illegal.
HD gives the example of dismantling a clock and repurposing it as the firing mechanism for an IED. If you own the clock and all the mechanisms that are used in the repurposing of the device, it can hardly be called ‘malicious hacking’. But if you use that device to harm other people, the purpose is certainly illegal. Even if you use the device to blow a hole in an empty field, just for fun, you may be guilty of damaging someone else’s property, and you may be guilty of illegally possessing explosives.
It’s not so much hacking the clock, but the purpose of hacking the clock that is the important consideration. “It’s not illegal to have a lockpick,” he adds, “but it is illegal to have a lockpick that you use to burglarize a house.”
Is HD a hacker? He avoided direct classification but admitted to a love of exploring the world. You must stay on the right side of the law; you must not modify someone else’s system; but, he added, “There’s lots of ways you can cross the line.”
The young HD Moore
“I grew up pretty poor. We moved frequently, so I was often in a new place without any resources. Dumpster diving – even for food and clothing – was a way of life.” He became attracted to computer labs and started dumpster diving for discarded computer parts.
“I started looking for computer parts and trying to build a computer because then I could have something I could play with and control. Just from an emotional standpoint it gave me some control over my own life. I could program it, and it would do what I told it to do – and if it didn’t, it was my own fault, not someone else. That’s a really freeing experience.”
But he also admits that it is potentially the start of a slippery slope. What is the difference between dumpster diving and hopping over a telco’s fence to look for discarded parts and possibly finding router passwords? How harmful was it to engage in phreaking for additional resources when you had none of your own?
“Many things in the early days of computing were definitely in the gray area of whether it was legal or not; but there were so few prosecutions that it didn’t really matter – unless you did something super flagrant or really harmed somebody, you weren’t going to get prosecuted for poking around.”
The next question is whether growing up with computer skills in a deprived area can lead people to the dark side of hacking. He answered in the abstract. “Definitely. If you move around a lot, you tend to get involved with a lot of the casual criminal class – kids who sell drugs and burglarize houses. If they steal a computer, and you’re the only one who knows anything about computers, they’re going to reach out for information on how to sell it or make money from it.” Kids on the street grow up with hoodlums, and it’s an easy route from stealing physical credit cards to stealing credit cards online.
Did HD ever cross the line to the dark side? Again, he answers in the abstract. “I’m not sure anyone who was good at pentesting or security assessments in the 2000s wasn’t breaking a few laws in the 1990s. Look at all the great security companies that grew up at that time. The reason these folks started new companies or were hired by existing companies was because they could do things other people couldn’t. I’m sure there are people out there able to write exploits and do good stuff without breaking the law – but the majority were doing something sketchy at some point to get there.”
‘Something sketchy’ remains difficult to define and classify. From HD’s own younger days, “Early on, I was involved with warez groups, trading pirated software – the normal kind of internet drama of the day. Fourteen-years old kids trying to feed off each other and stupid things like that. It was the kind of drama of the times.”
He added, “But then there were other kids asking me to break into networks to dox each other, and beyond that a really super toxic group of attackers who threatened to firebomb houses or get someone fired from their job and arrested by planting child pornography on their computers. This was scary, and I never got along with those people.”
It’s difficult to know where it came from, but HD’s moral compass – his ultimate belief that you should do as you would be done by – stopped the slippery slope becoming a downhill helter-skelter. You could say the young HD came up to the line and even straddled it a bit – but he never crossed it. “Don’t do something to intentionally hurt somebody else. That’s pretty much it,” he said.
The crime and punishment of hacking
If you ask independent ethical hackers about their biggest problems, the answer is likely to be ‘not breaking the law and remaining out of jail’. The bugbear is the Computer Fraud and Abuse Act (CFAA). This effectively makes any unauthorized poking about on systems or software illegal.
It’s difficult to fully condemn the lawmakers who are required to pass laws to protect property. Software is never sold: it is licensed to the lessee but remains the property of the developer and must therefore be protected by law. Developers have often used this to prevent criticism of their product with the threat of prosecution and jail. ‘To have discovered this ‘flaw’ you will have bypassed our barriers and defied the license and must go to jail because of it.’
Ethical hackers and researchers are primarily driven by the desire to improve things, especially for the users of flawed software. So, technically, they will often break the law for moral purposes. Matters are improving, but have not been resolved, with many companies now welcoming and rewarding the responsible disclosure of flaws.
Cyber research often falls into that gray area, where it does no harm, potentially does good, but remains technically illegal. “In the early 2000s,” said HD, “I built a scanner that went and found all the FTP servers on the internet and built a big index that would be just searching for stuff. So, if we were looking for a router firmware file or something else we needed for some work, we just searched around a little mini database of FTP stuff and it was great, we could find anything.”
Of course, the database also had ‘tons and tons of passwords and credit cards’. “We found things like private copies of source code for telecoms, and automotive source code. But I didn’t use this data for anything. I didn’t go to those credit cards to buy something with them. And anytime we could, we tried to notify folks and have them fix whatever the exposure was.”
Nevertheless, he admits, “The exploration side was always really fun for me, even though it’s right in that gray area. Could it be considered malicious intent, does it violate this law or that law?”
Law enforcement has finally recognized that good things can come from defying the CFAA. In May 2022, the DoJ announced that ‘good faith security research should not be charged’ under the CFAA. But nothing has really changed.
“The only significant changes to US policy on the prosecution of CFAA have all been on the enforcement side,” explains HD. “The changes have nothing to do with the legislative side. There has been no change to the definition of the crime, only a new definition of what specific behavior should be prosecuted. This is not a great place to be. It means there are many things you can do where, if prosecutors decide they don’t like you, your action can be treated as illegal. And that has a chilling effect across research.”
HD Moore is best known as the founder and original developer of Metasploit, which has become the de facto exploit development framework containing more than 2,000 exploits. These are made available so that pentesters and security teams can test their systems’ resilience to known and exploitable vulnerabilities. Of course, while this is a legitimate purpose, the framework can equally be used by malicious attackers.
When asked why he would do this, HD replied, “The short answer is ‘angry gangster’.” But the long answer is more subtle.
In his early 20s, he worked for a company as a pentester. He felt that finding a theoretical vulnerability in a customer’s systems was not enough – he needed to verify that the vulnerability was exploitable. “So Metasploit started life as an internal toolkit designed to make our operations more consistent and safe. We didn’t want to use some random testing tool, which might have a backdoor, and use that when we were testing some bank’s website. It started off as a kind of curated, cleaned up version of other tools.”
Over time, people realized that Metasploit was more than some silly script kiddie tool, but an effective and reliable way to keep track of exploits. “But what really drove the project,” said HD, “was the disclosure aspect. People would find a vulnerability in a product but would have a hard time getting the vendor to address it.” Receiving a vulnerability report along with a working exploit for that vulnerability (an exploit that was available to both pentesters and attackers) focuses the mind of the developer on fixing the vulnerability.
The origin of Metasploit was the development of a tool to help HD, the pentester. Its growth came through the realization that it could help all pentesters not merely do their job, but get their voices heard. “It gave some leverage back to the folks who were doing rational research so they could be heard without being sued or arrested. We proxied a lot of exploits for folks. Researchers would submit an exploit to the project under a pseudonym and we would then handle the whole disclosure and publication process so they wouldn’t get fired or arrested, but the issue got resolved.”
Nevertheless, Metasploit brings HD yet again right up to and straddling the line between moral and immoral hacking. Has he ever been threatened with or by the law over Metasploit? “Vaguely, a few times,” he replied, “usually driven by the vendors and one in particular. Other times the media would be used, with articles saying, ‘look at this horrible, irresponsible thing’.”
But there wasn’t a great deal of direct conflict with the law. “On the legal side there wasn’t quite as much. There were a few subpoenas and scary letters in the mail and being contacted by a federal agent. Usually, you know, it was pretty quick.”
Metasploit is now owned and maintained by Rapid7. HD Moore is now the chairman and founding CTO of runZero (formerly Rumble), with an asset inventory and network visibility solution. The history and development of the young HD almost made the evolution of Metasploit inevitable. And the history and development of Metasploit has been a major force in making the IT industry more responsive to vulnerability disclosures. It is an open question whether this and the evolution of modern bug bounty programs is a response to the ‘full disclosure’ movement and HD Moore’s own development of Metasploit.