What’s in a color?
There are many widely held perceptions when it comes to hackers today. Those perceptions mostly evolve around people identifying hackers with a specific color, and that very color denotes their overall posture. By posture I mean are they benevolent, are their ethics questionable at times, or are they outright malicious? Well with the popularization of the internet has come a tidal wave of publicity about it. That has come in the form of many articles from the print media and movies from Hollywood. What this media attention has resulted in, is an often times distorted reality. I sit and constantly shake my head when I read articles in my local paper about hackers and their exploits. More often then not the paper’s writer has his or her facts quite wrong. With this confusing information in mind I shall try to dispel some myths about the various types of hackers that travel the Internet today.
With the best of intentions
Of all the various types of hackers out there today the one that is oddly enough not written about very much is what’s called the “white hat” hacker. One could likely infer from the color assigned, white in this case, that this hacker is benign in nature. Well you would be correct in assuming that, for much as the color white infers purity, the white hat hacker has excellent ethics. What do ethics really mean to a hacker though? For most of us an example of ethics would be in turning in a wallet that is found, with the money, and credit cards intact. Thing is though a hacker plies their trade on the internet, and not really the physical world as such. To illustrate my point I shall describe a scenario in which a white hat hackers ethics can be highlighted.
It bears mentioning at this point that in the purest sense of the word a hacker is someone who enjoys tinkering with things. Whether that be a program or a piece of hardware, it all comes down to a mindset. The hacker just wants to explore things, and likely make it work in ways it was never meant to. For example our white hat hacker has a keen interest in computer programming, as most hackers do. Our white hat decides to take a newly released program and disassemble it. During the disassembly of the program, and over the course of days or weeks the white hat finds a flaw. When I refer to flaw I mean that the white hat has found a piece of code in the program that was not properly written. This lack of proper programming has led the white hat to identify this flaw as a place that they can overflow ie: buffer overflow.
Well this is where the ethics part of it now enters for our white hat hacker. What do they do with this newly discovered flaw in say a popular FTP server? It is very much akin to the earlier mentioned example of finding a wallet full of money and credit cards. For our white hat hacker the decision is a very simple one actually. They contact the vendor of the program in question, and detail their findings to them. What they don’t do is go ahead and release to the masses via Bugtraq. To the white hat that would be very much irresponsible. Dealing with the vendor for a fix of the flawed FTP server is rather the chosen course of action. Though making such a splashy announcement would gain the white hat a lot of attention. They are more concerned with the security of the users who are presently using what is now a flawed program. This pretty much sums up an example of what a white hat hackers ethics are like. There are in actuality quite a few white hat hackers who thankfully represent some of the top computer security talent out there today.
Shades of grey
Many of us have an ethical standard that will and can vary depending on the situation. Hackers are no different in that aspect. Grey hat hackers just like us are not outright malicious, however they can justify their means by their own personal brand of ethics. That is very much where the grey hat hacker resides. There has been a lot of press coverage lately over the Cisco mess at the recent Blackhat convention. This recent debacle is an excellent example of grey hat hacking. If you have just read the hyperlinked page you will now understand more of what happened there. Either way, all said and done, the researcher in question should not have disclosed that information. That being said he did, and there was an ensuing legal battle.
What is different between our grey hat and our white hat is the way they go about their business. Some software manufacturers explicitly forbid reverse engineering of their products. While this would deter the white it in all likelihood will not deter the grey hat. After all there has yet to be a definitive ruling to my knowledge from the Supreme Court in the US over this issue. Furthermore, if a flaw is found, how long should a security researcher wait before disclosing the issue to the public? Many large companies are well over the sixty day limit normally given for correcting programming flaws. For grey hats the answer will vary as they very much go by their own code of ethics, which can be very different from another grey hat. So what differences between white hats and grey hats have we so far? Well reverse engineering products which explicitly state not to for one, and secondly our grey hat will not wait forever for the vendor to issue a fix. These changes may not seem like much, but once again we are talking about grey hat hackers, and the many shades of grey that represent them.
I will start off by saying that I personally know no black hat hackers, but there are people that I know who do. Well much like the color black and white, which represent the extremes of the color spectrum, they also represent the polar opposites in regards to hackers. We are quite often seeing in the papers, or watching on the news of a new case of identity theft. That or hearing of a new database break in, which has compromised millions of peoples personal information. That would be the handiwork of our black hat hacker. Our black hat has no personal ethics standing in their way. Being a black hat hacker does not necessarily mean either that the person is one of great skill. With the millions upon millions of computers out there, it is not a difficult task to break into the poorly secured ones. Should you doubt this then think of how worms propagate. They do so through unsecured computers. What about credit card number theft, and all of the other online scams in existence today. Once again that would fall into the realm of the black hat hacker. They simply don’t care about the every day niceties of the normal world, and consequently wreak havoc in the online one.
Well as we can see various hackers and their associated colors do have differences. Being a hacker does not mean either that you are a programming juggernaut, but rather have a combination of qualities. Hopefully more of our budding hackers will choose the right path rather then the wrong one. I sincerely hope this article was of interest to you, and as always welcome your feedback. Till next time!