Why Offensive Security Needs Engineering Textbooks

Offensive security—or, in plain English, the practice of exploitation—has greatly enhanced our understanding of what it means for computers to be trustworthy. Having grown from hacker conventions that fit into a single room into a distinct engineering discipline in all but the name, offensive computing has so far been content with a jargon and an informal “hacker curriculum”. Now that it is unmistakably an industry, and an engineering specialization, it faces the challenge of defining itself as one, in a language that is understood beyond its own confines—most importantly, by makers of law and policy. Currently, lawmakers and policy makers have no choice but to operate with pieces of our professional jargon that got publicized by journalists. But writing laws based on professional jargon is dangerous: it will be misunderstood by lawmakers and judges alike. It’s not the wisdom of the judge or the legislator that is in question, it’s their ability to guess the course of a discipline years in advance. Consider the concept of unauthorized access at the heart of (and criminalized by) the Computer Fraud and Abuse Act (CFAA). The un-anticipated, “unauthorized” uses of today will be primary uses or business models of tomorrow. When CFAA was written, connecting to a computer on which one had no account was pointless. Cold-calling a server could serve no legitimate purpose, as none were meant for random members of the public; each computer had its relatively small and well-defined set of authorized users. Then the World Web Web happened, and connecting to computers without any kind of prior authorization became not just the norm but also the foundation of all related business. Yet the law stands as written then, and now produces conundrums such as whether portscans, screen-scraping, or URL crafting are illegal, or even whether telling journalists of a successful URL-crafting trick that revealed their email addresses could be a felony (as in the recent US v. Auernheimer case). Even accessing your own data on a web portal in a manner unforeseen by the portal operator, as in case of ApplyYourself users who could see their admission status prematurely may similarly be a crime under CFAA (for discussion of these cases and different institutions’ reactions to them see S.W. Smith, “Pretending that Systems are