Slashdot Mirror


The Paradox of Grey Hat Hackers (windowsitpro.com)

v3rgEz writes: Troy Hunt, a security researcher who tracked breached websites, reflects on the recent "grey hat" hacking of VTech, in which a hacker downloaded millions of kids' photos, chat logs, and more, to blow the whistle on a serious vulnerability. The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act and maybe helped parents better understand the dangers of lax security. Is grey hat ok when it's done for the greater good?

52 of 95 comments

  1. "helpful" hackers point out security bugs by Anonymous Coward · · Score: 4, Insightful

    A hacker group hacked my school's website last year... They posted about it on their facebook page and the kids from my school commented on the post. They responded that they were doing this to help the school website be more secure by showing one of the bugs. They even "backed up" our server data supposedly. If they hadn't pointed out the security bug by hacking the website and replacing it with a page showing their logo and asking us to like their facebook page (and playing pretty EPIC music by the way), our website could have been more at risk to another hacker with perhaps not so benevolent intentions. To think, if this were a credit card company or something, you would want to know if there were security issues, or bad stuff could happen.

    1. Re:"helpful" hackers point out security bugs by slashdot_commentator · · Score: 1

      What I find tragic about the situation is the likelihood that this is an unfixable situation. The reality is that there aren't enough competent computer specialists, let alone computer specialists with competence in security issues in the private sector. So how the hell is a school district going to be able to shell out an adequate salary to hire them, or even determine which ones aren't idiots?

      Unfortunately, there's no "simple" way to address the systemic issue. Frankly, in this situation, the school district is better off having a benign hacker group publicly embarrass them, rather than have a more "professional" criminal loot their information. If you want to stop "hacker" groups from publicly embarrassing your school district, it's simple. Hire a competent legal firm, have them hire a competent computer forensic specialist. It takes little effort to collect evidence against a "hacker" group that primarily operates on attention (& personality dysfunction). Hand it over to the FBI or state prosecutors, while the law firm prepares the civil suit to destroy the individuals responsible.

      After the spectacle of ruining the hackers' lives, eventually the district will cease to be publicly embarrassed. It may cost a couple of million for the district, who will then have to take it away from the educational budget. But what people aren't grasping is that this is a predictable fixed cost. No one is grasping that the real solution is going to have to be implemented on a societal level.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    2. Re:"helpful" hackers point out security bugs by slashdot_commentator · · Score: 3, Insightful

      What we need is... Bathacker. A man with the skills to track down these nefarious hackers, and give them the beating of their lives. That will stop sociopathic hackers from ever breaking into a school's website!

      Sounds ridiculous? So does your suggestion. No one hacks a website, and then makes a public spectacle of it, in order to do "good". They do it because they're (relatively) computer talented attention whores. Just think about what you're suggesting. "Oh gee, if the crooked school administrator only stole a small amount, then nobody would really be harmed."

      Furthermore, you don't know if this problem was first pointed out in the manner you suggested. District superintendents are hired by local politicians called "school board members". You can have people who are housewives basically making decisions on finance and corporate operations. School district superintendents are basically Fortune 10,000 CEOs; small company business owners. Yes, they have a requisite managerial background, but that doesn't make their staff good at hiring competent system administrators (or able to justify their salaries to district voters).

      A hacker group publicly embarrassing a system administrator is only a symptom of a much larger problem. The problem doesn't go away by convincing hackers to be more "discreet" at first.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    3. Re: "helpful" hackers point out security bugs by loufoque · · Score: 5, Insightful

      Then it would just be ignored. I speak from experience.
      People need to be hacked to act on vulnerabilities, especially the less tech-savvy.

    4. Re:"helpful" hackers point out security bugs by Anonymous Coward · · Score: 5, Insightful

      I graduated in 1999, and our school had just put up their website for the first time. One of my friends reported to school officials that when they put up the website, they didn't change any of the default passwords for the website software they were using (Perl based, if I remember right), and on top of that, they had opened up VNC to the world with no password. He didn't change anything and only logged in once to see how far he could get.

      He was quickly suspended from school and arrested for a huge list of crimes that included computer tampering, misuse of public property, etc. All the charges did end up getting dropped, but he missed most of the last semester of his senior year, didn't get to graduate with us and sat in jail for 3 months.

      Every time the website got defaced for the next few years (it happened a lot because the IT at the school didn't know what they were doing), he got a knock on the door from the local police and was taken into custody.

      So, yeah. Being the good guy isn't always a good option either.

    5. Re:"helpful" hackers point out security bugs by Anonymous Coward · · Score: 1

      This is pretty much my experience. I am not a hacker by any definition of the term, I just fiddle around with technology. Generally telling somebody about a problem (a) makes them angry and (b) they never get around to fixing it.

      However if you find a problem and exploit it, the problem gets fixed pretty quickly. I would never do anything truly malevolent but I have no problem with defacing a website or something else relatively simple to correct.

    6. Re: "helpful" hackers point out security bugs by sycodon · · Score: 1

      Umm...What someone feels is right and wrong is judged all the time, via the law.

      Just because you think it's the right thing to do doesn't make it Right. Society has implemented a system for judging Right vs Wrong and we all have a voice in that system. If people can have their own definition of Right, then you have anarchy. Suddenly, my right to swing my fist doesn't end at the tip of your nose, but at the back of your head...simply because I say so.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    7. Re: "helpful" hackers point out security bugs by cwsumner · · Score: 1

      Bullshit. No one puts a kid in jail for 3 months for reporting security issues. ...

      I don't know about this particular story, but during the "over-reaction" period there were some kids that got put in jail.

      Never underestimate the stupidity of bureaucrats.

  2. Someone will always say no - so run by dbIII · · Score: 4, Insightful

    Hacking in and blowing the whistle without doing any damage can earn the same jail time as making a mess that cannot be ignored, so at least the judicial system does not see it as any worse.
    Is it OK?
    The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking and even if it is to the great benefit of society as a whole.

    Someone will always say no, it's not OK - so run like Snowden even if you are exposing crimes.


    P.S. The sad reality is a lot of web platforms are shit that is full of holes run by people that don't care. Exposing a hole is like pointing out a starlet is not wearing pants - both to be expected and will get you in trouble if you provide evidence.
    You will not win any medals by pointing out a way to get into a poorly secured website and even well intentioned reports have landed people in deep shit.

    1. Re:Someone will always say no - so run by jellomizer · · Score: 1

      It is important to draw the line. Sharing the information they want to keep private is crossing the line into black hat hacking. Filename/Dates should be enough to explain there is a problem.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Someone will always say no - so run by AmiMoJo · · Score: 2

      I've stopped reporting vulnerabilities I find to companies that don't have a bounty programme, or at least a written policy. I just post them on a public disclosure mailing list under a pseudonym, so at least the users can protect themselves.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Someone will always say no - so run by slashdot_commentator · · Score: 1

      Yes, when confronted by reality, make a rule. That will always fix the problem.

      dbIII has it right. No good deed goes unpunished. If you're going to do it, run like hell.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    4. Re:Someone will always say no - so run by chispito · · Score: 1

      The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking

      "White hat" generally means with permission, or without violating the law. Think penetration testers or other hired consultants. That's why this is about grey hat hacking, where the motives or the end game might be ethical but the means aren't entirely so.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  3. It's not complicated by TechyImmigrant · · Score: 4, Insightful

    > Is grey hat ok when it's done for the greater good?

    Yes. It's great for all the people who benefit. It sucks for the person who put their liberty at risk to bring those benefits to people.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. It defeats the purpose by Erik+Hensema · · Score: 2

    Doing more damage than strictly necessary defeats the purpose: opinions will turn against the hacker. Now the hacker is the bad person, instead of the company with bad security.

    Another commenter already brought up Snowden. Snowden did exactly the same thing wrong: Snowden exposed way too much classified information. In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame. The general public now thinks it knows that stricter laws are necessary in order to protect information. Stricter laws are needed to ban encryption. Stricter laws are needed to penalize hackers. Thanks Snowden. Good job.

    --
    This is your sig. There are thousands more, but this one is yours.

    1. Re: It defeats the purpose by Anonymous Coward · · Score: 1

      If Snowden hadn't done what he did, you'd be buying into the 'low level incompetent contractor who misinterpreted a few crumbs he saw and has a crazy conspiracy grudge against us.'

      Thanks to the massive evidence release that narrative is now impossible.

    2. Re:It defeats the purpose by slashdot_commentator · · Score: 1

      > Snowden exposed way too much classified information.

      Says who? The bureaucrats breaking the law, if not raping everyone's Constitutional rights?

      > In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame.

      When the general public, after the ass raping of their privacy rights, are watching the TV, and are convinced by paid whores that Snowden has committed a greater crime, that is the shame.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    3. Re:It defeats the purpose by DarkOx · · Score: 4, Insightful

      Snowden was really down to two choices: do nothing more and just give up, or release at least as much of what he had as he did.

      He tried the official channels and was ignored. The 'public' as a whole was not prepared to listen without some demonstration made. People who thought the NSA and more broadly the intelligence complex was up to no good already had reason to suspect much of what Snowden disclosed. We knew this from inferences that could be drawn about data center sizes, power being used, purchases of equipment that were public, whisperings from employees at various telco and equipment vendors etc. There was just no solid proof. It was too easy to get everyone who was speaking out dismissed as conspiracy nutters by a public that just wanted to feel 'safe'.

      Any foreign intel operators probably knew even more and were not the least bit surprised; they were most likely operating already under the assumption that the NSA monitoring capabilities were at least at the level the Snowden releases indicated. If the officials want us to believe any real harm was done, I say it's on them to show some proof of that!

      The only harm Snowden did to the NSA and its efforts was political. Had he released any less nobody would have paid attention.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. Shades of grey ... by Martin+S. · · Score: 4, Insightful

    This dichotomy is the whole point for the Grey Hat moniker. There is no Black and White, it is always shades of Grey.

    One man's Black Hat is another's White Hat. Many Black Hats believe they are fighting for the greater good, conducting illegal activities but for ethical reasons, while so-called White Hats act legally but unethically while taking the corporate dollar.

    1. Re:Shades of grey ... by Opportunist · · Score: 2

      So I guess I'm in the unethical white hat corner of the game? It's unethical to make sure customer data is protected and not open to being used by malicious hackers? It's unethical to secure the personal information of people from being lifted and abused?

      I'm such a horrible, horrible person.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Why is it called grey? by Anonymous Coward · · Score: 1

    The term intrigued me from the title on and I hoped I'd find something to distinguish grey hat from white hat but couldn't find any in this case.

    1. Re:Why is it called grey? by flopsquad · · Score: 1

      I tend to think of the "grey" in "grey hat" as being used in the dithering sense.

      I.e. a collection of tactics/actions comprising both "white hat" and "black hat" behaviors, such that when viewed together they appear "grey".

      --
      Nothing posted to /. has ever been legal advice, including this.
  7. Why is this a question? by cerberusss · · Score: 2

    The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act

    Yes, let's fight fire with fire. See how far that gets you.

    --
    8 of 13 people found this answer helpful. Did you?
    1. Re:Why is this a question? by drinkypoo · · Score: 1

      Yes, let's fight fire with fire. See how far that gets you.

      As it turns out, pretty far. It's time to put that saying to death.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Why is this a question? by Opportunist · · Score: 1

      It obviously loses a bit in translation...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. It's called a dilemma, not a paradox by BitterKraut · · Score: 4, Insightful

    When I was a kid, I didn't believe my mother when she told me not to touch the hotplate. The pain of burning my palm was a memorable lesson, though. Here, it's the difference between "I could have deleted your hard disk" and "So your hard disk has been formatted? Well, if you can explain to me how this could have come about, I might even provide you with a backup copy." It may not feel quite right to think of hacker kids as educators of the general public -- wasn't that a transient phase of the 80's? -- but while the current state of general irresponsibility in matters of systems security persists, we do need the occasional burnt palm.

    1. Re:It's called a dilemma, not a paradox by Opportunist · · Score: 1

      Provided the fine is big enough. Remember, in a corporate setting the question of whether a law is ignored follows the formula of fine*chance of being caught vs. cost to implement.

      In other words, if the fine is too low, it's a matter of cost calculation. If the chance to get caught is too low, risk management is the department to go to. Only if both are high enough the mess hits security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Unsurprisingly, it's a grey area. by Euphorinaut · · Score: 1

    What is most at issue isn't just the direct effect of the attack or the indirect effect on our awareness of security and vulnerability in terms of judging the entire umbrella of grey hat. Those two forms of effect are unique to each example and should be judged on a case by case basis. The issue that isn't dependent on case by case analysis is the one of rule of law. It is possible to violate the letter of the law without violating the spirit of the law, but if a culture of taking enforcement into your own hands and your own interpretation grows, harm will also grow no matter whether or not some cases were handled with all the care necessary to assure that their effect was altruistic, and no matter how altruistic your direct effects are as a grey hat, your publicity will promote the prevalence of grey hat culture. The positive effects cannot negate the negative ones, and the negative ones cannot negate the positive ones.

  10. Necessary due to corporate defense mode by pla · · Score: 4, Insightful

    On learning of a vulnerability, most companies have demonstrated one of two responses:

    1) Ignore it, or
    2) Attack the messenger.

    Given that corporate climate of "hostile indifference" to their own flaws, grey-hats fill a very necessary niche. No more of this kumbaya "tee hee, would you mind fixing this embarrassing massive security breach, Mr. Fortune-500 CIO" bullshit - Just name and shame right up front.

    The "nice" way would work well if anyone cared; until it makes the NYT, though - No one cares. So let's stop giving Russian hackers an extra six months to exploit known problems, and skip right on to the NYT solution.

  11. Re:No such thing as "hats". by pla · · Score: 1

    Nice worldview you have there.

    Please do tell, on which side of that bold razor-wire-topped fence do you put teens interested in security and casually messing around with malformed Fiddler requests to see what they can get the server to respond with?

    Not "professionals", so I guess you would classify them right alongside the Russian Mafia?

  12. Re:I got a definition for ya by slashdot_commentator · · Score: 2

    An anonymous coward is someone who thinks their opinion matters when they express it anonymously.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  13. old hats by Tom · · Score: 4, Insightful

    Old discussion, rehashed. /. could use a "re-post my comment from 2002" feature.

    There are two sides, and they will never reconcile. Some people think (based on past experience) that corporations generally won't take security seriously unless it impacts their business or their image, so only disclosure works. Other people think (based on past experience) that disclosure leads to the creation of exploit toolkits which leads to higher damage to more people and gives vendors not enough time to fix a problem. And a few especially delusional people think that a timer on disclosure and a few rules to make the whole thing "responsible" solves the unsolvable problem (it doesn't. Vendors with a good track record already fix quickly, vendors with a bad track record merely consider the delay additional time they don't have to do anything.)

    And I think that pretty much sums it up, everything else is just elaboration.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:old hats by Tom · · Score: 1

      The only time when outing the information immediately isn't a dick move is when the company has a proven history of screwing the pooch. Otherwise consider it corporate espionage.

      Old argument, made a thousand times. No need for redundancy.

      In fact, everything you say has been said a hundred times, just as I already outlined. Likewise, the arguments pro and contra have been made extensively. I see no need to repeat the discussion. That was the point: If you want to discuss this topic, go to one of the many, many, many archived discussions, you will find everything you can come up with and one hundred other arguments there.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:old hats by Tom · · Score: 1

      Seems like the solution there. Good track record, delayed disclosure. Bad track record, full disclosure. No track record, benefit of the doubt (good track record). Change response when required.

      Who decides what the track record is?

      Oh wait, even that discussion has been had a hundred times already. Why do we go around in circles? Because we are human beings and we can't accept that someone simply has a different opinion, comes to a different conclusion even from the same facts. We think that if someone disagrees, one of us must be wrong, and most likely they.

      But if everything has been said a thousand times, and smart people on both sides of the debate still can't agree on a common position, then maybe that is just how it is and instead of repeating the same futile exercise again, we should simply accept that there are at least two positions, both equally solid even if we personally only agree with one of them.

      --
      Assorted stuff I do sometimes: Lemuria.org
  14. Collateral? by wkwilley2 · · Score: 1

    Grey hat hackers will always be more useful than your white hats.

    What sounds better to you?

    WH: Hey guys!!!! I found an issue in your system, you should fix it.
    GH: Hey guys!!!! I was able to see your credit card numbers using this exploit on your website, you should fix that.

    --
    Have you ever fallen asleep at the keybhanusdiog?
    1. Re:Collateral? by Opportunist · · Score: 1

      Same outcome. Really.

      A sensible company that takes security seriously will, if you WH them, hire some penetration testers to do what GH did. They will hand them the information and ask what damage could be done, and either let the testers access their system or provide them with a 1:1 copy to avoid direct damage.

      A company that doesn't give a fuck about security will ignore either of them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Shades of Grey by DFDumont · · Score: 1

    The only truly 'white' hat is the one paid to attempt a break in, with full knowledge and cooperation of the target, who delivers the results directly to the company paying the bill, without disclosing their results to anyone else. A 'Black' hat is the one that does a similar thing entirely for their own benefit and the specifics of the exploit used are never disclosed to anyone. As you can see by these definitions, there is a great deal of spectrum between those two extremes. Therein is also a reasonable definition of 'Grey' hat - one who discloses beyond the target, or at all.
    And thus the problem. As in the story of The Emperor's New Clothes, calling out the 'nakedness' is fraught with peril. In doing so you are, among other things, saying 'I'm so much smarter than you' to the target. Most people don't appreciate that and will retaliate out of self preservation.
    So what motivates a 'Gray' hat? Sometimes it is arrogance. Sometimes it is charity or a sense of the greater good. Sometimes it's just dumb luck when you stumble over something while testing out your latest kit. There are many shades of grey.

  16. He was in the wrong. Period. by B33rNinj4 · · Score: 1

    You go to the company first, not the fucking media.

    1. Re:He was in the wrong. Period. by B33rNinj4 · · Score: 1

      VTech should be notified first, so they can fix any future issues. If they ignore you, then go to the media. Going directly to the media without allowing the company time to react is in poor taste.

  17. What else? by BartWillems · · Score: 1

    Disclosing vulnerabilities directly to a corporation, without public disclosure, results in "solving" the problem by wiping it under the carpet. Sure, you can go to the company first. With the knowledge that nothing will be done to solve the problem until it is disclosed to the public.
    So why wait?

  18. Re:No such thing as "hats". by pla · · Score: 1

    I'd strongly advise those "teens interested in security" to find other interests.

    That advice leads to effectively zero security experts, of any color hat, one generation from now.

  19. Bulletproof vest analogy by Shoten · · Score: 1

    Both Whitehat and Greyhat find that a particular make of bulletproof vest degrades after a year and no longer offers protection. They both notify the manufacturer, who blows them off. Then the paths diverge:

    Whitehat: contacts a member of the press and demonstrates the problem for them by putting one of the vests on a mannequin and shooting the mannequin through the vest. (Extra points if he puts a DVD copy of the movie, "Mannequin," inside the vest and shoots a hole in that too.)

    Greyhat: contacts a member of the press and demonstrates the problem by shooting people who happen to be wearing the vest in public.

    The latter may be a bit better at getting the attention of the press, the public, and the manufacturer, but it's not an acceptable way to accomplish that goal. The ends do not automatically justify the means.

    --
    For your security, this post has been encrypted with ROT-13, twice.
  20. How is this grey-hat? by drolli · · Score: 1

    Tell me if something about my definition is unusual:

    White-hat: only cares for ethics, does not want money.
    Black-hat: only cares for money/power, is not concerned about ethics.
    Grey-hat: accepts that he gets money/power/advantages for his skills, but only within his ethical boundaries.

    Please tell me why I should not consider this guy a white-hat (tipping off journalists is *not* publishing). Side remark: While responsible disclosure is reasonable, I understand (given the reactions of companies) that younger and more impatient white-hats have their issues with it.

  21. How can this be for the greater good? by PFritz21 · · Score: 1

    THE GREATER GOOD.

  22. I can get behind grey hat hackers if ... by CaptainDork · · Score: 1

    ... the hackers have reported an exploit to the owner and the owner just doesn't give a shit and the grey hat officially declares a grace period before going public.

    Then, I could see the grey hat grabbing a SMALL amount of data, as a proof of concept, to share with the owner with the warning that if something isn't done during another grace period, the shit's going to hit the fan.

    The grey hat had better have the sense god gives a piss ant to be anonymous, of course.

    --
    It little behooves the best of us to comment on the rest of us.
  23. Re:No such thing as "hats". by Opportunist · · Score: 1

    So do I! I don't need those snooty kids to muscle into my territory. They took my juuuuub!

    No, seriously. We need those kids. I was one of them, and pretty much everyone I work with has at some point in time played around with computer systems and security. This ain't something you can sensibly teach in a clinical setting like a school. We need people with the "what does this button do?" mentality to computer systems who can not only press that button but also analyze the funny colors the various bits have that rain back down after the explosion and tell you why it blew up.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  24. Re:a gray hacker by Opportunist · · Score: 1

    Call me consultant again and I'll replace you with a very small script! A consultant is someone who takes 500 bucks an hour from you to tell you what you already know, and if not you could have gotten that information from the cleaning lady by paying for her 50 cent coffee.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  25. The problem is less one of the hacker by Opportunist · · Score: 1

    The problem is more the way corporations treat such events and the information about them being vulnerable.

    Corporations consider such events first and foremost a problem of PR and goodwill. THIS is the actual problem. And they do so also because their customers treat it as such. It's not a technical issue, it's not a security issue, at least not to them. To them it is one of trust in a brand.

    And they handle it as such. The first goal is to avoid damage to the brand. I.e. no disclosure. Zip. Nada. No info may go out that could damage the trust in our brand. That includes that the person who brings up the issue should preferably go away. Even if the company involved does actually want to do the "good thing" and deal with the issue (and not just sweep it under the rug), the first thing that they want is no disclosure.

    My job is in security. I do actually do that for a living, trying to break the security of networks and servers. The very first thing, even before talks even start, is an NDA that is shoved under your nose. And I'm certain if you didn't absolutely HAVE to know the company you're dealing with (since you're entering a contract with them), they would love to keep that secret from you, too, before you signed that NDA. Personally I'm rather astonished that companies don't go out and slap it on their webpage that they hired us. We're a rather well known company with a good name in security consulting, I'd probably scream it from the top of a mountain that I consider security SO important that I even afford (our company) to stress test our infrastructure to ensure your data is secure with me... nobody ever does.

    Nobody wants to talk about security. Odd if you think about it. Security features in cars are huge selling points; car manufacturers brag how much money they spend on crash tests and show how their cars get slammed into walls to show off just how much they care about security. Why is this so much of a taboo issue in IT? Wouldn't people want to go to a data center that can show them their data is secure because they have one of the biggest and best security and emergency response teams pretty much in house?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. yes, by unami · · Score: 1

    it's o.k., if it's for the greater good.

  27. Re: No such thing as "hats". by pla · · Score: 1

    Maybe Google can have a two week girls-only bootcamp for it. Then we'll have more highly skilled security experts than we could ever possibly want, right?

  28. Sue insecure sites. by GrantRobertson · · Score: 3, Interesting

    What we need is a business model for law firms to profit from suing insecure sites just as the music industry has law firms that support themselves entirely from suing copyright infringers. Said law firms would solicit for "expert witnesses" to provide information as to which sites may be insecure. The law firm then does research (through legal means) to find enough people, who have information on the site, to constitute a class action lawsuit. They file the suit and pay their expert witnesses a fee for their testimony. No one can retaliate against the expert witness because that would be witness tampering. The expert witness would be working on behalf of the plaintiffs rather than working independently.

  29. Re: No such thing as "hats". by Opportunist · · Score: 1

    So ... sodium chlorate and sugar didn't explode violently when you were a kid? And now it does, so it has to be banned?

    I'm kinda confused.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.