Slashdot Mirror


The Paradox of Grey Hat Hackers (windowsitpro.com)

v3rgEz writes: Troy Hunt, a security researcher who tracked breached websites, reflects on the recent "grey hat" hacking of VTech, in which a hacker downloaded millions of kids' photos, chat logs, and more, to blow the whistle on a serious vulnerability. The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act and maybe helped parents better understand the dangers of lax security. Is grey hat ok when it's done for the greater good?

2 of 95 comments

  1. Re: "helpful" hackers point out security bugs by loufoque · Score: 5, Insightful

    Then it would just be ignored. I speak from experience.
    People need to be hacked to act on vulnerabilities, especially the less tech-savvy.

  2. Re: "helpful" hackers point out security bugs by Anonymous Coward · Score: 5, Insightful

    I graduated in 1999, and our school had just put up their website for the first time. One of my friends reported to school officials that when they put up the website, they didn't change any of the default passwords for the website software they were using (Perl-based, if I remember right), and on top of that, they had opened up VNC to the world with no password. He didn't change anything and only logged in once to see how far he could get.

    He was quickly suspended from school and arrested for a huge list of crimes that included computer tampering, misuse of public property, etc. All the charges did end up getting dropped, but he missed most of the last semester of his senior year, didn't get to graduate with us and sat in jail for 3 months.

    Every time the website got defaced for the next few years (it happened a lot because the IT at the school didn't know what they were doing), he got a knock on the door from the local police and was taken into custody.

    So, yeah. Being the good guy isn't always a good option either.