The Paradox of Grey Hat Hackers (windowsitpro.com)
v3rgEz writes: Troy Hunt, a security researcher who tracked breached websites, reflects on the recent "grey hat" hacking of VTech, in which a hacker downloaded millions of kids' photos, chat logs, and more, to blow the whistle on a serious vulnerability. The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act and maybe helped parents better understand the dangers of lax security. Is grey hat ok when it's done for the greater good?
A hacker group hacked my school's website last year... They posted about it on their Facebook page and the kids from my school commented on the post. They responded that they were doing this to help the school website be more secure by showing one of the bugs. They even "backed up" our server data, supposedly. If they hadn't pointed out the security bug by hacking the website and replacing it with a page showing their logo and asking us to like their Facebook page (and playing pretty EPIC music, by the way), our website could have been more at risk from another hacker with perhaps not so benevolent intentions. To think, if this were a credit card company or something, you would want to know if there were security issues or bad stuff could happen.
Hacking in and blowing the whistle without doing any damage can earn the same jail time as making a mess that cannot be ignored, so at least the judicial system does not see it as any worse.
Is it OK?
The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking and even if it is to the great benefit of society as a whole.
Someone will always say no, it's not OK - so run like Snowden even if you are exposing crimes.
P.S. The sad reality is a lot of web platforms are shit that is full of holes, run by people that don't care. Exposing a hole is like pointing out a starlet is not wearing pants - both are to be expected, and both will get you in trouble if you provide evidence.
You will not win any medals by pointing out a way to get into a poorly secured website, and even well-intentioned reports have landed people in deep shit.
> Is grey hat ok when it's done for the greater good?
Yes. It's great for all the people who benefit. It sucks for the person who put their liberty at risk to bring those benefits to people.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Doing more damage than strictly necessary defeats the purpose: opinions will turn against the hacker. Now the hacker is the bad person, instead of the company with bad security.
Another commenter already brought up Snowden. Snowden did exactly the same thing wrong: Snowden exposed way too much classified information. In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame. The general public now thinks it knows that stricter laws are necessary in order to protect information. Stricter laws are needed to ban encryption. Stricter laws are needed to penalize hackers. Thanks, Snowden. Good job.
This is your sig. There are thousands more, but this one is yours.
This dichotomy is the whole point of the Grey Hat moniker. There is no Black and White; it is always shades of Grey.
One man's Black Hat is another's White Hat. Many Black Hats believe they are fighting for the greater good, conducting illegal activities for ethical reasons, while so-called White Hats act legally but unethically while taking the corporate dollar.
> The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act
Yes, let's fight fire with fire. See how far that gets you.
When I was a kid, I didn't believe my mother when she told me not to touch the hotplate. The pain of burning my palm was a memorable lesson, though. Here, it's the difference between "I could have deleted your hard disk" and "So your hard disk has been formatted? Well, if you can explain to me how this could have come about, I might even provide you with a backup copy." It may not feel quite right to think of hacker kids as educators of the general public -- wasn't that a transient phase of the '80s? -- but while the current state of general irresponsibility in matters of systems security persists, we do need the occasional burnt palm.
On learning of a vulnerability, most companies have demonstrated one of two responses:
1) Ignore it, or
2) Attack the messenger.
Given that corporate climate of "hostile indifference" to their own flaws, grey-hats fill a very necessary niche. No more of this kumbaya "tee hee, would you mind fixing this embarrassing massive security breach, Mr. Fortune-500 CIO" bullshit - just name and shame right up front.
The "nice" way would work well if anyone cared; until it makes the NYT, though, no one cares. So let's stop giving Russian hackers an extra six months to exploit known problems, and skip right on to the NYT solution.
An anonymous coward is someone who thinks their opinion matters when they express it anonymously.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Old discussion, rehashed. /. could use a "re-post my comment from 2002" feature.
There are two sides, and they will never reconcile. Some people think (based on past experience) that corporations generally won't take security seriously unless it impacts their business or their image, so only disclosure works. Other people think (based on past experience) that disclosure leads to the creation of exploit toolkits, which leads to higher damage to more people and gives vendors not enough time to fix a problem. And a few especially delusional people think that a timer on disclosure and a few rules to make the whole thing "responsible" solve the unsolvable problem (they don't. Vendors with a good track record already fix quickly; vendors with a bad track record merely consider the delay additional time they don't have to do anything.)
And I think that pretty much sums it up; everything else is just elaboration.
Assorted stuff I do sometimes: Lemuria.org
What we need is a business model for law firms to profit from suing insecure sites just as the music industry has law firms that support themselves entirely from suing copyright infringers. Said law firms would solicit for "expert witnesses" to provide information as to which sites may be insecure. The law firm then does research (through legal means) to find enough people, who have information on the site, to constitute a class action lawsuit. They file the suit and pay their expert witnesses a fee for their testimony. No one can retaliate against the expert witness because that would be witness tampering. The expert witness would be working on behalf of the plaintiffs rather than working independently.