Is Exploiting Live Smart Contracts Really Unethical?

Dyllan
Mar 21, 2022

Black hat hacking has often gotten a bad rap. I mean, it makes sense naturally. You’re taking advantage of a system for some personal gain, and in recent history cyber attacks have been quite lucrative, especially in the blockchain/cryptocurrency space. The original DAO hack cost millions in 2016, amounting to billions in 2022 dollars. Was this a bad thing? Are the hackers actually bad people? The amount of change it incited, and so immediately, tells a different story. It caused such a ruckus that they were forced to fork Ethereum into the Ethereum Classic/Ethereum we know today. For a decentralized protocol, this is not a small change.

I view exploitation as a natural incentivization mechanism, one that follows us from our roots in biological evolution. If your population is exploited significantly, and you survive, you are almost guaranteed to have made some sort of change, for which the response time is often the determining factor, hence why humans are so micro-adaptive to our environments. Yes, you can say that the exploiting biological force is unethical… but what if that force is a harsh climate instead of another rivalrous species? It muddies the water. What’s special about ethicality is the lens through which you peer(2peer); we believe we have an innate obligation to ethicality because we can perceive and communicate it very effectively. That’s all fine and dandy, especially when tangible physical suffering is involved. Veganism is something I’ve had mixed feelings about for quite some time and it’s especially relevant to this conversation. I don’t think you can really make an adversarial claim to these ideas unless you are 100% vegan. Once you’ve garnered this level of dedication to minimizing suffering, now you have to ask yourself “what about the plants I consume? Why do I have the right to exploit them for my own energy supply?”… and now you’re down the rabbit hole, and if you’re anything like me, an existential crisis follows.

Note: I’m not an advocate of causing any suffering, especially unnecessarily on the physical level; I do not condone violence. On a more abstract philosophical plane, applying to the virtual world, I think it’s worth a collective discussion.

OK, that all sounds crazy. But you have to admit I have a consistent point, even if it discomforts you… Now, back to exploiting software (also arguably sentient, but let’s save that discussion for another time ;)): is it really any different from the consumption of plants or animals for individual energy? It causes suffering on another party or set of parties; however, it allows the inflicter to repurpose that energy for something potentially useful and stimulates the economy. If you’re a black/gray hat hacker and you find a vulnerability in some system, especially if that vulnerability causes the loss of millions of dollars, or even billions, for your own personal gain, you’re essentially expending energy to receive energy (aka money). Usually hackers aren’t just hackers; they have lives and interests outside of their gray area morality. Major governments try to prevent losses at a macro scale, which is why the US never recovered from 2008… because we never really felt it. What goes up must come down.

I think black/gray hat hacking is mostly unethical in the public eye because of the persuasion that large corporations (impacted the most monetarily by these hacks) are the ones that pay the price of the incursions of exploits. In reality, it depends on the motives of the individual hacker. Take for example the recent controversy with the colors JavaScript package, where the creator of the open source package was fed up with large corporations profiting off of their tireless open source work without any form of reimbursement, or even contribution to the open source community. It’s pretty insane: Microsoft’s recently acquired GitHub took action and froze his account, reverting commits he made to his own project… he was demonized by them, but for the green pilled we are empathetic and understand his gripes with the system. I’ll admit it’s hard for me to condone his actions because it didn’t just affect those corps, but tbh, it was a very benign “attack” with virtually no damages other than developer headaches from seeing a spammy console log.

If you have the skill to find an exploit, then make millions off of it, finally inciting massive change… good for you, and good for the universe. You made a literal difference, potentially saving that company/collective/protocol BILLIONS if it were to scale larger with the same exploit. I think we should rebrand black hat, gray hat, and white hat from the corporate lens to the sovereign people’s lens. If the public wants to collectively receive the benefits that a corporation used to have, we should be willing to amortize the losses that they also would incur. It’s part of the game. Exploit bounties are an alternate way for a community/corporation to keep the incentivization of exploits intact, while also allowing the path to rapid change with minimal damage to their users. It’s a commendable action, but not all entities can do/are willing to do this. In the absence of bounties, I still lean towards it being ethical to exploit for profit; it is in effect a bounty on its own.

However, I do think it’s potentially unethical for a hacker to refuse to report a bounty (if that bounty is a fair amount for the hack), especially for more nefarious intentions, like, say, causing physical harm. One example that comes to mind is hacking a nuclear launch site and firing nukes. That’s obviously a big no-no.

To further this discussion, where do you think the boundary of ethicality is for hacking? Do you think there are any cases in which smart contract hacking is unethical?
