(a) There's no such thing as "ethical hacking" (that's an Orwellian term designed to imply that testing conducted in ways unfavorable to vendors is "unethical").

(b) You don't require permission to test software running on hardware you control (absent some contract that says otherwise).

(c) But you're right, in this case, the researchers presumably did need permission to conduct this kind of testing lawfully.




> (a) There's no such thing as "ethical hacking"

Weird stance. Sure, you may disagree on the limitations of scope of various ethical hacking programs (bug bounties and such) but they consistently highlight some very serious flaws in all kinds of hardware and software.

Going out of scope (hacking a company with no program in place) is always a gamble and you’re betting on the leniency of the target. Probably not worth it unless you like to live dangerously.


His point is that the way the term is used, to protect vendors, has nothing to do with ethics.

If a researcher found a serious vuln, the ethical thing may very well be to document it publicly without coordination with the vendor, especially if such coordination hurts users.


I disagree with (a). Activities can be deemed ethical or unethical, and those norms are presumably reflected in our laws (as unauthorized hacking is). When they're not constrained by law (as certain publication and experimentation practices aren't), then they are constrained by social convention.


This is one of those cases, like "Zero Trust Networking" where you can't derive the meaning of a term axiomatically from the individual words. There is "responsible" and "irresponsible" disclosure, too, but "responsible disclosure" is also a specific, Orwellian basket of vendor-friendly policies that have little to do with ethics or responsibility.


"Responsible" and "irresponsible" are slipperier words in the disclosure context. In the civil legal context, "responsibility" implies blameworthiness and liability arising out of a duty of care and a breach of the duty. But in the vulnerability disclosure context, since there's no duty prescribed by law, it has come to mean "social" vs. "antisocial" - getting along vs. being at odds.


My point is that it doesn't matter how slippery the underlying words are, because you're not meant to piece together the meaning of the statement from those words --- or rather, you are, but deceptively, by attributing them to the policy preferences of the people who coined the term.

Logomachy aside: "ethical hacking" was a term invented by huge companies in the 1990s to co-opt security research, which was at the time largely driven by small independent firms. You didn't want to engage just anybody, the logic went, because lots of those people were secretly criminals. No, you wanted an "ethical hacker" (later: a certified ethical hacker), who you could trust not to commit crimes while working for you.


I guess what I'm trying to say is that there is, and can be, such a thing as "ethical hacking," but perhaps it's not coterminous with what vendors and others might claim it to be. The meanings of words evolve over time, sometimes for the worse (cough "literally"), and sometimes for the better. Groups have also reclaimed derogatory words through concerted action.


It's a complicated human activity, so of course there are ethics to it. But I'd strongly recommend not using the words "ethical hacker" next to each other, because that term has more meaning than you probably intend.


(a) all hacking is unethical? (b) the database was running in the cloud, not on any computer they controlled. (c) everyone's an asshole here


> all hacking is unethical?

No, that's not what tptacek said.

"Ethical hacking" is from the same vein as "responsible disclosure". These are weasel words that are used to demean security researchers who don't kiss the vendors' ass.

As a security researcher, my ethical obligation is not to the vendors of the software. It's to the users.

Ethically speaking, I don't care if my research makes the vendor look bad, hurts their sales, makes their PR team sad, etc. I similarly don't care if my research makes the vendor look good.

Are the users better protected by my research? If yes, ethical. If not, unethical.

Terms like "ethical hacking" are used to stilt the conversation in the favor of vendors.

> the database was running in the cloud, not on any computer they controlled.

If it's running in the Cloud, but in your Cloud account, it's morally equivalent to running on Your Machine. I'm not sure how the law will interpret anything, but given a compelling counter-argument, I don't imagine lawyers will argue differently.

> everyone's an asshole here

Yeah.


(a) what if a company hires an external red team to hack their shit, would that not be 'ethical hacking'?


No, because there's no such thing as "ethical hacking"; that's a marketing term invented by vendors to constrain researchers. You'd call what you're talking about "pentesting" or "red teaming". How you'd know you had a clownish pentest vendor would be if they themselves called it "ethical hacking".


There is no precedent for consequence-free probing of others' defenses. Unauthorized "testing conducted in ways unfavorable to vendors" is generally considered a crime of trespass, because everybody has the right to exist unmolested. Whether or not they have their shit together, you aren't authorized to test your kids' school's evacuation procedure by randomly showing up with a toy gun and a vest rigged with hotdogs and wires.

The way this goes in the digital space, people expect to break into my "house," see if they can get into my safe, snoop around in my wife's/daughter's nightstands, steal some of their underwear as a CTF exercise, help themselves to my liquor on the way out, then send me an invoice for their time while also demanding the right (or threatening) to publish everything they found on their blog. Unsolicited "security research" is a shakedown desperate to legitimize itself. Unlawful search/"fruit of the poisoned tree" exists to keep the cops from doing this to you, but it's totally acceptable for self-appointed "researchers" to do to anybody else I guess.

"Ethical hacking" is notifying the owner/authorities there's a potential problem at an address, seeing if they want your help in investigating, and working with them in that capacity-- proceeding to investigate only with explicit direction. Even if their incompetence or negligence in response affects you personally, that's not a cue to break a window and run your own investigation while collecting leverage you can use to shame them into compliance. That shit is just espionage masquerading as concern trolling.


You're doing the same thing the other commenters are: you're trying to derive from first principles what "ethical hacking" means. That's why this marketing trick is so insidious: everybody does that, and attributes to the term whatever they think the right things are. But the term doesn't mean those right things: it means what the vendors meant, which is: co-opted researchers working in collusion with vendors to give dev teams the maximum conceivable amount of time to apply fixes (years, often) and never revealing the details of any flaws (also: that any security researcher that doesn't put the word "ethical" in their title is endorsing criminal hacking; also: that you should buy all your security services from I.B.M.).

You can say "that's not what I mean by ethical hacking", but that doesn't matter, because that's what the term of art itself does mean.

If you want to live in a little rhetorical bubble where terms of art mean what you think they should mean, that's fine. I think it's worth being aware that, to practitioners, that's not what the terms mean, and that people familiar with the field generally won't care about your idiosyncratic definitions.


As a point of comparison, we don't talk about "ethical plumbing" as a term. If a company hires a plumber to fix their bathroom, they're just a plumber. If somebody breaks the law to enter a place and mess with the pipes, they're just a trespasser.

But the companies that brand themselves as selling "ethical" penetration testing, and sell certifications for "ethical hacking", would very much like you to lump other companies and other security researchers who operate legally into the same mental bucket as criminals by implicitly painting them as "unethical".



