Ethical Lines of the Gray Hat
Facter writes "There is a great article on CNET about the ethical debate between white/gray/black-hat hackers - interesting to note is that it reports the "fading away" of the "gray" definition between white and black, due to the DMCA hindering anything in between."
One could take that to mean that early "white hat" hackers served their purpose successfully. By roaming through corporate systems, they managed to call attention to a lot of gaping security flaws that ended up getting fixed.
Also, roaming through corporate streams was a necessity for hard-core geeks in the days when Internet connectivity was prohibitively expensive. Much of what recreational hackers were "borrowing" other people's network resources for can now be done on a common consumer connection.
Information wants to be anthropomorphized.
Bull. There's plenty of room in the grey-hat region, and plenty of population in it. The wiggle room for those who crack systems/software and then publicly announce the results is getting tighter. However, there are an awful lot of people whose main concern is simply sharing results of bug/flaw discovery or other necessary activities that aren't good for vendor business models. The fact that the DMCA seeks to redefine discovery and community notification as reverse-engineering and criminal collusion doesn't do a thing to shrink the number of people (admins, architects, programmers, dbas, etc) who simply need to do these things to do their jobs. The grey hat is still a thinking person's hat -- one abides by the letter of the law as best one can, and finds ways around the obtuse or wrong-headed sections to accomplish primary goals of systems operation, data protection, and other work processes. Some prefer to skirt the line with black-hat-dom, while others simply protest bad law. Ain't nobody a white hat unless they utter phrases like "He was arrested so he must be guilty" or "The law is always right."
Not too long ago, I sent a note to several of my friends about a conflict I saw between the DMCA-esque proposed Microsoft security certification -- requiring software bug hiding and notification of the software vendor before notification of the affected client -- and the codes of ethics binding those with CISA and CISSP certifications -- both of which require protection or notification of the potential target/victim. (My personal favorite part of the ISC2/CISSP code is "Tell the truth" which is anathema to the DMCA/bug-hiding camp.)
Of course, since DMCA enforcement tends towards the corporate view of things (property, ownership, patents, royalties) rather than the societal view (ethics, trust, truth, community), if I follow the vendor-independent (societal) path, I get labelled as a grey-hat or a black-hat right out of the starting gate. Have I personally cracked and distributed software? No. But do I swear to uphold the right of the consumer to know of flaws in their software or implementation? Of course I do -- it's the core of my job as a consultant. But doing so may label me as a criminal, and not doing so is unethical and unprofessional. As the article points out, all you can do is try to do the right thing. Currently that may be illegal.
Maybe some of us will go to jail for it, but that's what it'll take to change or repeal ill-formed laws such as the DMCA. Nothing induces judicial scrutiny like a situation where a judge is embarrassed to enforce a bad law against a just person. But for anyone contemplating the notion of a "test case", keep in mind that the ACLU only picks up your legal fees if you keep your nose clean while you're doing the (illegal) right thing.
J
I think not...(*poof*)
I'm already a criminal. I imagine most people on here are. Who the hell hasn't broken a law today? We're in a drought here in Maryland. Water a plant today, did ya? Broke the law. Have you let a teenager bum a cigarette? Criminal.
Why should anyone care what color hat they supposedly wear? It's an arbitrary label. I call myself a hacker. I don't break things. I don't steal things. I try not to hurt people I like. In my opinion, that makes me an OK guy. Of course, opinions vary.
Oh, and you... yeah you. Stop looking over your shoulder. I'm running crack against your password file right now. Might want to go change a few of 'em. Especially root. You know, the one that's your girlfriend's name. (And we both know she's not really your girlfriend. All you really have to do is ask her out, but you're scared. Pussy.) I'm only telling you all this because I like you. Now go ask her out, wimp.