By Ken Kajihiro
Should hacking software be free and legal? If you are reading this and thinking, “Well, surely hacking software is only available to cybersecurity professionals and is illegal for the public to own,” you would be wrong! Hacking software is free and legal for the public to own![1] A simple Google search will turn up many free and legal hacking software resources posted online for the public to download.[2]
How is this possible?! It is illegal to knowingly access a computer without authorization from its owner.[3] Thus, as long as you are given authorization to hack into someone’s computer, it is not illegal.[4] In fact, many businesses, organizations, and even Federal government agencies authorize and pay ethical hackers to hack into their computer systems with the goal of identifying vulnerabilities in their cybersecurity defenses before bad actors have the opportunity to exploit them.[5] An ethical hacker is one who uses their hacking skills “for good by helping [entities] protect themselves.”[6] These ethical hackers may or may not be actively employed by said businesses, organizations, or Federal government agencies; many operate instead through what is commonly called a “bug bounty program.”[7]
The idea behind the “bug bounty program” is to make ethical hacking more lucrative than illegal or malicious hacking by allowing hackers to report their successful hacks to an entity in exchange for rewards or, most commonly, monetary compensation.[8] For example, Microsoft is offering numerous bounties in its Microsoft Bug Bounty Program, with a bounty award of up to $250,000 for a single ethical hack.[9] Google alone has paid out more than $15 Million since the inception in 2010 of Google’s Vulnerability Rewards Program, Google’s version of the bug bounty program.[10] Many ethical hackers use free and legal hacking software resources posted online to participate in the various bug bounty programs.
To answer the initial question, “should hacking software be free and legal?”, we must first answer a second question: do bug bounty programs actually work? In 2014, Google was hacked, despite having a bug bounty program; approximately 5 million Gmail passwords were leaked.[11] In 2016, Uber was hacked, despite having a bug bounty program; approximately 57 million riders and drivers had their data stolen.[12] In 2020, Twitter was hacked, despite having a bug bounty program; approximately 130 high-profile Twitter accounts and $121,000 in Bitcoin were stolen.[13] Also in 2020, Microsoft was hacked, despite having a bug bounty program; Microsoft’s source code was viewed by hackers.[14] These incidents may indicate that bug bounty programs do not work.
However, before concluding, let us take a look at some hacks of companies that did not have a bug bounty program. In 2017, Equifax was hacked; more than 148 million people had their personally identifiable information stolen – that is more than 40 percent of the population of the United States – costing Equifax in total more than $4 Billion.[15] In 2018, Marriott was hacked; approximately 500 million worldwide travelers had their hotel reservation data stolen.[16] In 2019, MGM Resorts was hacked; more than 142 million worldwide travelers had their hotel reservation data stolen.[17]
Do bug bounty programs actually work? Unfortunately, the answer is an inevitable “maybe.”[18] That is simply how security works: you cannot tell whether your security is working, because a breach may not yet have occurred, hackers may not even try to breach your security because they know it has already been screened for vulnerabilities, or the hack that did occur may have been unavoidable.[19]
This being said, back to the initial question: should hacking software be free and legal? Congress could simply ban hacking software resources, making them illegal for the public to possess and forcing all websites to remove their free, public hacking software resources. However, we must think about how, or more precisely where, computer software can be developed. The answer: anywhere, including at home. Apple Inc. was created in Steve Jobs’ grandma’s house.[20] Facebook was created in Mark Zuckerberg’s college dorm room.[21] The same can be said of hacking software: if it is not publicly available, bad actors will make the hacking software themselves.[22] In addition, some countries have seen a reverse impact from laws created to regulate hacking software and increase public safety – overall cybersecurity awareness and innovation have decreased, leaving the public more vulnerable with the laws than without them.[23]
In conclusion, a ban on hacking software resources may do nothing but shift power from the public to the bad actors. Although it is unclear whether bug bounty programs work, at least the safety of the public remains in the hands of the public.
[1] Silvia Mazzetta, Top 15 Free Hacking Tools for Ethical Hackers, Ma-No Web Design (June 19, 2020), https://www.ma-no.org/en/security/top-15-free-hacking-tools-for-ethical-hackers.
[2] Id.; Henry HMFIC, Best Hacker Tools of 2021, Concise AC, https://www.concise-courses.com/hacking-tools/top-ten (last visited Feb. 19, 2021).
[3] 18 U.S.C. § 1030(a)(1) (2021).
[4] See id.
[5] Roger Grimes, What is Ethical Hacking? How to Get Paid to Break into Computers, IDG Communications, Inc. (Feb. 27, 2019), https://www.csoonline.com/article/3238128/what-is-ethical-hacking-and-how-to-become-an-ethical-hacker.html.
[6] Katie Brigham, How Hackers are Making Millions – Legally, CNBC LLC (Jan. 18, 2020), https://www.cnbc.com/2020/01/17/why-companies-like-google-facebook-and-uber-pay-hackers-millions.html.
[7] Id.
[8] Id.; Megan Kaczanowski, What is a Bug Bounty Program? How Bug Bounties Work and Who Should Use Them, FreeCodeCamp (Dec. 7, 2020), https://www.freecodecamp.org/news/whats-a-bug-bounty-program/#:~:text=Bug%20bounty%20programs%20allow%20independent,hardware%20flaws%2C%20and%20so%20on.
[9] Microsoft Bug Bounty Program, Microsoft, https://www.microsoft.com/en-us/msrc/bounty?rtc=1 (last visited Feb. 19, 2021).
[10] Eric Griffith & Kyle Kucharski, 7 Huge Bug Bounty Payouts, PC Mag Digital Group (May 14, 2019), https://www.pcmag.com/news/7-huge-bug-bounty-payouts#:~:text=The%20largest%20single%20payout%20last,in%20Google’s%20Cloud%20Platform%20console.
[11] Kashmir Hill, Google Says Not to Worry About 5 Million ‘Gmail Passwords’ Leaked, Forbes (Sept. 11, 2014), https://www.forbes.com/sites/kashmirhill/2014/09/11/google-says-not-to-worry-about-5-million-gmail-passwords-leaked/?sh=658dc3617a8d; Griffith & Kucharski, supra note 10.
[12] Uber Fined $148m for Failing to Notify Drivers they had been Hacked, Guardian News (Sept. 26, 2018), https://www.theguardian.com/technology/2018/sep/26/uber-hack-fine-driver-data-breach; Uber Bug Bounty Program, HackerOne, https://hackerone.com/uber?type=team (last updated Feb. 12, 2021).
[13] Rob Sobers, 134 Cybersecurity Statistics and Trends for 2021, Inside Out Security, https://www.varonis.com/blog/cybersecurity-statistics (last updated Feb. 1, 2021); Twitter Bug Bounty Program, HackerOne, https://hackerone.com/twitter?type=team (last updated May 30, 2019).
[14] Microsoft Internal Solorigate Investigation, Microsoft (Dec. 31, 2020), https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update; Microsoft Bug Bounty Program, supra note 9.
[15] Josh Fruhlinger, Equifax Data Breach FAQ: What Happened, Who was Affected, What was the Impact?, IDG Communications, Inc. (Feb. 12, 2020), https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html; Sobers, supra note 13.
[16] Lily Hay Newman, The Worst Hacks of 2018, Wired (Dec. 31, 2018), https://www.wired.com/story/worst-hacks-2018-facebook-marriott-quora.
[17] Catalin Cimpanu, A Hacker is Selling Details of 142 Million MGM Hotel Guests on the Dark Web, ZD Net (July 14, 2020), https://www.zdnet.com/article/a-hacker-is-selling-details-of-142-million-mgm-hotel-guests-on-the-dark-web.
[18] See George Hulme, Metasploit Review: Ten Years Later, Are We Any More Secure?, TechTarget, https://searchsecurity.techtarget.com/feature/Metasploit-Review-Ten-Years-Later-Are-We-Any-More-Secure (last updated Oct. 2012).
[19] Mike Elgan, How to Know if Your Cybersecurity Tools are Actually Working, Security Intelligence (Aug. 30, 2019), https://securityintelligence.com/articles/how-to-know-if-your-cybersecurity-tools-are-actually-working.
[20] Megan Chovanec, My Grandma’s Los Altos Garage is Where Apple was Created, Insider Inc. (Jan. 31, 2015), https://www.businessinsider.com/my-grandmas-los-altos-garage-is-where-apple-was-created-2015-1.
[21] Marguerite Ward, Mark Zuckerberg Returns to the Harvard Dorm Room Where Facebook was Born, CNBC LLC (May 25, 2017), https://www.cnbc.com/2017/05/25/mark-zuckerberg-returns-to-the-harvard-dorm-where-facebook-was-born.html.
[22] Hulme, supra note 18.
[23] Id.
Image Source: https://www.itpro.co.uk/hacking/30282/what-is-ethical-hacking-white-hat-hackers-explained