Michael Bauer published an essay, “Fear and Loathing in Information Security” discussing a couple of key misconceptions about “hacking” as a slippery slope from curiosity to crime. It’s a relatively long read for an opinion piece, but worth the time.

His key points:

Perhaps less irrational than the fear of boundary-pushing is the belief that hacking leads to crime. If you become too fascinated by how network attacks work, the story goes, you’ll eventually cave in to the temptation to conduct those attacks. And it is an incontrovertible fact that many people who commit computer crimes are hackers. But are they criminals because they’re hackers, or do they have other problems? I’m convinced of the latter.

I’m going to agree with Michael on this point. But I think the problem is much more systemic than that. I see large portions of American society today attacking and dehumanizing anyone who rocks the boat. People who rock the boat in a way they don’t even truly understand are just that much scarier.

Personally, I got into security because I was worried about what I didn’t know. Long ago and far away, I was a *NIX administrator. Whenever I brought a new server into production, I would go home that night and lay awake, convinced that I had overlooked some fatal flaw which was going to get my box cracked while I slept. For me, learning about security was both a fascinating extension of what I already knew (how to make machines do what they were supposed to do) and a cure for restless nights.

The fact that it was also an amazing opportunity to really challenge myself intellectually and become a master of my art is what kept me in. Securing systems, networks, applications, or processes has everything to do with understanding all that’s truly possible and the implications of each possiblity, then deciding which risks to mitigate and which to accept. It’s a rigorous and demanding activity. Why this sort of intellectual curiosity would necessarily equate to criminality is beyond me–the people who do this sort of thinking well tend to be highly risk-averse. Deliberately inviting trouble in the form of breaking into systems is not the hallmark of risk-averse people.

Another key point:

the vast majority of people who commit computer crimes are in fact script kiddies, that is, people scarcely skilled or creative enough to even be called hackers. If this is the case, that the least skilled hackers are most prone to commit crimes, then can it really be said that acquiring hacker skills leads to crime?

It’s true. Having been responsible for security for a large e-commerce site for 2 1/2 years, I can tell you that the Bad People were not skillful. The only thing keeping most of them out of jail was the fact that they weren’t able to cause enough trouble for the FBI to take an interest in them. Besides, breaking into systems is actually pretty monotonous. Depending on whether your target is a specific system or network or just any network, it either involves meticulously mapping potential vulnerabilities, then running exploits against them or just randomly scanning for hosts vulnerable to the hole du jour. Again, not much of a challenge.

When it comes right down to it, I don’t think it’s even that people hate “hackers” for being “hackers.” I think they are, on some deep, even subconscious level, jealous of anyone who posseses power that they can’t even understand, much less compete against.