Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

The Paradox of Grey Hat Hackers ( 95

v3rgEz writes: Troy Hunt, a security researcher who tracked breached websites, reflects on the recent "grey hat" hacking of VTech, in which a hacker downloaded millions of kids' photos, chat logs, and more, to blow the whistle on a serious vulnerability. The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act and maybe helped parents better understand the dangers of lax security. Is grey hat ok when it's done for the greater good?
This discussion has been archived. No new comments can be posted.

The Paradox of Grey Hat Hackers

Comments Filter:
  • by Anonymous Coward on Wednesday December 30, 2015 @04:21AM (#51207309)
    A hacker group hacked my school's website last year... They posted about it on their facebook page and the kids from my school commented on the post. They responded that they were doing this to help the school website be more secure by showing one of the bugs. They even "backed up" our server data supposedly. If they hadn't pointed out the security bug by hacking the website and replacing it with a page showing their logo and asking us to like their facebook page (and playing pretty EPIC music by the way) our website could have been more at risk to another hacker with perhaps not so benevolent intentions. To think if this was a credit card company or something you would want to know if there were security issues or bad stuff could happen.
    • What I find tragic about the situation is the likelihood that this is an unfixable situation. The reality is that there aren't enough competent computer specialists, let alone computer specialists with competence in security issues in the private sector. So how the hell is a school district going to be able to shell out an adequate salary to hire them, or even determine which ones aren't idiots?

      Unfortunately, there's no "simple" way to address the systemic issue. Frankly, in this situation, the school di

  • by dbIII ( 701233 ) on Wednesday December 30, 2015 @04:25AM (#51207319)
    Hacking in and blowing the whistle without doing any damage can earn the same jail time as making a mess that cannot be ignored so at least the Judicial system does not see it as any worse.
    Is it OK?
    The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking and even if it is to the great benefit of society as a whole.

    Someone will always say no, it's not OK - so run like Snowden even if you are exposing crimes.

    P.S. The sad reality is a lot of web platforms are shit that is full of holes run by people that don't care. Exposing a hole is like pointing out a starlet is not wearing pants - both to be expected and will get you in trouble if you provide evidence.
    You will not win any medals by pointing out a way to get into a poorly secured website and even well intentioned reports have landed people in deep shit.
    • It is important to draw the line. Sharing the information they want to keep private is crossing the line into black hack hacking. Filename/Dates should be enough to explain there is a problem.

      • Yes, when confronted by reality, make a rule. That will always fix the problem.

        dbill has it right. No good deed goes unpunished. If you're going to do it, run like hell.

    • by AmiMoJo ( 196126 )

      I've stopped reporting vulnerabilities I find to companies that don't have a bounty programme, or at least a written policy. I just post them on a public disclosure mailing list under and pseudonym, so at least the users can protect themselves.

    • The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking

      "White hat" generally means with permission, or without violating the law. Think penetration testers or other hired consultants. That's why this is about grey hat hacking, where the motives or the end game might be ethical but the means aren't entirely so.

  • by TechyImmigrant ( 175943 ) on Wednesday December 30, 2015 @04:25AM (#51207323) Homepage Journal

    > Is grey hat ok when it's done for the greater good?

    Yes. It's great for all the people who benefit. It sucks for the person who put their liberty at risk to bring those benefits to people.

  • by Erik Hensema ( 12898 ) on Wednesday December 30, 2015 @04:34AM (#51207339) Homepage
    Doing more damage than strictly necessary defeats the purpose: opinions will turn against the hacker. Now the hacker is the bad person, in stead of the company with bad security.

    Another commenter already brought up Snowden. Snowden did exactly the same thing wrong: Snowden exposed way too much classified information. In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame. The general public now thinks to know stricter laws are necessary in order to protect information. Stricter laws are needed to ban encryption. Stricter laws are needed to penalize hackers. Thanks Snowden. Good job.
    • by Anonymous Coward

      If Snowdon hadn't done what he did, you'd be buying into the 'low level incompetent contractor who misinterpreted a few crumbs he saw and has a crazy conspiracy grudge against us.'

      Thanks to the massive evidence release that narrative is now impossible.

    • > Snowden exposed way too much classified information.

      Says who? The bureaucrats breaking the law, if not raping everyone's Constitutional rights?

      > In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame.

      When the general public, after the ass raping of their privacy rights, are watching the TV, and are convinced by paid whores that Snowden has committed a greater crime, that is the shame.

    • by DarkOx ( 621550 ) on Wednesday December 30, 2015 @09:45AM (#51208247) Journal

      Snowden was down to choices really do nothing more and just give up or release at least as much of what he had as he did.

      He tried the official channels was ignored. The 'public' as a whole was not prepared to listen without some demonstration made. People who thought the NSA and more broadly the intelligence complex was up to no good already had reason to suspect much of what Snowden disclosed. We knew this from inferences that could be drawn about data center sizes, power being used, purchases of equipment that were public, whisperings form employees at various telco and equipment vendors etc. There was just no solid proof. It was to easy to get everyone who was speaking out dismissed as conspiracy nutters by a public that just wanted to feel 'safe'

      Any foreign intel operators probably knew even more and were not the least bit surprised, they were most likely operating already under the assumption the NSA monitoring capabilities were at least at the level the Snowden releases indicated. If the officials want us to believe any real harm was done, I say its on them to show some proof of that!

      The only harm Snowden did to the NSA and its efforts was political. Had he released any less nobody would have paid attention.

  • Shades of grey ... (Score:5, Insightful)

    by Martin S. ( 98249 ) <{moc.liamg} {ta} {remapS.nitraM}> on Wednesday December 30, 2015 @05:01AM (#51207393) Homepage Journal

    This dichotomy is the whole point for the Grey Hat moniker. There is no Black and White, it is always shades of Grey,.

    One man's Black Hat is another's White Hat. Where many Black Hats believe they are fighting for the greater good and conducting Illegal activities but for ethical reasons and also so called White Hats acting legally but unethically while taking the corporate dollar.

    • So I guess I'm in the unethical white hat corner of the game? It's unethical to make sure customer data is protected and not open to being used by malicious hackers? It's unethical to secure the personal information of people from being lifted and abused?

      I'm such a horrible, horrible person.

  • by Anonymous Coward

    The term intrigued me from title on and I hoped I'd find something to distinguish grey hat from white hat but couldn't find any in this case.

    • I tend to think of the "grey" in "grey hat" as being used in the dithering sense.

      I.e. a collection of tactics/actions comprising both "white hat" and "black hat" behaviors, such that when viewed together they appear "grey".
  • by cerberusss ( 660701 ) on Wednesday December 30, 2015 @05:06AM (#51207413) Homepage Journal

    The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act

    Yes, let's fight fire with fire. See how far that gets you.

  • by BitterKraut ( 820348 ) on Wednesday December 30, 2015 @05:40AM (#51207465)
    When I was a kid, I didn't believe my mother when she told me not to touch the hotplate. The pain of burning my palm was a memorable lesson, though. Here, it's the difference between "I could have deleted your hard disk" and "So your hard disk has been formatted? Well, if you can explain to me how this could have come about, I might even provide you with a backup copy." It may not feel quite right to think of hacker kids as educators of the general public -- wasn't that a transient phase of the 80's? -- but while the current state of general irresponsibility in matters of systems security persists, we do need the occasional burnt palm.
  • What is most at issue isn't just the direct effect of the attack or the indirect effect on our awareness of security and vulnerability in terms of judging the entire umbrella of grey hat. Those two forms of effect are unique to each example and should be judged on a case by case basis. The issue that isn't dependent on case by case analysis is the one of rule of law. It is possible to violate the letter of the law without violating the spirit of the law, but if a culture of taking enforcement into your own
  • by pla ( 258480 ) on Wednesday December 30, 2015 @07:17AM (#51207679) Journal
    On learning of a vulnerability, most companies have demonstrated one of two responses:

    1) Ignore it, or
    2) Attack the messenger.

    Given that corporate climate of "hostile indifference" to their own flaws, grey-hats fill a very necessary niche. No more of this kumba-ya "tee hee, would you mind fixing this embarassing massive security breach, Mr. Fortune-500 CIO" bullshit - Just name and shame right up front.

    The "nice" way would work well if anyone cared; until it makes the NYT, though - No one cares. So lets stop giving Russian hackers an extra six months to exploit known problems, and skip right on to the NYT solution.
  • old hats (Score:5, Insightful)

    by Tom ( 822 ) on Wednesday December 30, 2015 @08:39AM (#51207893) Homepage Journal

    Old discussion, rehashed. /. could use a "re-post my comment from 2002" feature.

    There are two sides, and they will never reconcile. Some people think (based on past experience) that corporations generally won't take security seriously unless it impacts their business or their image, so only disclosure works. Other people think (based on past experience) that disclosure reads to the creation of exploit toolkits which leads to higher damage to more people and gives vendors not enough time to fix a problem. And a few especially delusional people think that a timer on disclosure and a few rules to make the whole thing "responsible" solves the unsolvable problem (it doesn't. Vendors will a good track record already fix quickly, vendors with a bad track record merely consider the delay additional time they don't have to do anything.)

    And I think that pretty much sums it up, everything else is just elaboration.

  • Grey hat hackers will always be more useful than your white hats.

    What sounds better to you.

    WH: Hey guys!!!! I found an issues in your system, you should fix it.
    GH: Hey guys!!!! I was able to see your credit card numbers using this exploit on your website, you should fix that.

    • Same outcome. Really.

      A sensible company that takes security serious will, if you WH them, hire some penetration testers to do what GH did. They will hand them the information and ask what damage could be done, either let the testers access their system or provide them with a 1:1 copy to avoid direct damage.

      A company that doesn't give a fuck about security will ignore either of them.

  • The only truly 'white' hat is the one paid to attempt a break in, with full knowledge and cooperation of the target, who delivers the results directly to the company paying the bill, without disclosing their results to anyone else. A 'Black' hat is the one that does a similar thing entirely for their own benefit and the specifics of the exploit used are never disclosed to anyone. As you can see by these definitions, there is a great deal of spectrum between those two extremes. Therein is also a reasonabl

  • You go to the company first, not the fucking media.
  • Disclosing vulnerabilities directly to a corporation, without public disclosure, results in "solving" the problem by wiping it under the carpet. Sure, you can go to the company first. With the knowledge that nothing will be done to solve the problem until it is disclosed to the public.
    So why wait?
  • Both Whitehat and Greyhat find that a particular make of bulletproof vest degrades after a year and no longer offers protection. They both notify the manufacturer, who blows them off. Then the paths diverge:

    Whitehat: contacts a member of the press and demonstrates the problem for them by putting one of the vests on a mannequin and shooting the mannequin through the vest. (Extra points if he puts a DVD copy of the movie, "Mannequin," inside the vest and shoots a hole in that too.)

    Greyhat: contacts a membe

  • Tell me if something about my definition is unusual:

    White-hat: only cares for ethics, does not want money
    Black-hat: only cares for money/power. is not concerned about ethics
    Grey-hat: accepts that he gets money/power/advantages for his skills, but only within his ethical boundaries.

    Please tell me why i should not consider this guy a white-hat (tipping off journalists is *not* publishing). Side remark: While responsible disclosure is reasonable, i understand (given the reactions of companies) that younger and

  • ... the hackers have reported an exploit to the owner and the owner just doesn't give a shit and the grey hat officially declares a grace period before going public.

    Then, I could see the grey hat grabbing a SMALL amount of data, as a proof of concept, to share with the owner with the warning that if something isn't done during another grace period, the shit's going to hit the fan.

    The grey hat had better have the sense god gives a piss ant to be anonymous, of course.

  • The problem is more the way corporations treat such events and the information about them being vulnerable.

    Corporations consider such events first and foremost a problem of PR and goodwill. THIS is the actual problem. And they do so also because their customers treat it as such. It's not a technical issue, it's not a security issue, at least not to them. To them it is one of trust in a brand.

    And they handle it as such. The first goal is to avoid damage to the brand. I.e. no disclosure. Zip. Nada. No info ma

  • by unami ( 1042872 )
    it's o.k., if it's for the greater good.
  • Sue insecure sites. (Score:4, Interesting)

    by GrantRobertson ( 973370 ) on Wednesday December 30, 2015 @05:26PM (#51211599) Homepage Journal

    What we need is a business model for law firms to profit from suing insecure sites just as the music industry has law firms that support themselves entirely from suing copyright infringers. Said law firms would solicit for "expert witnesses" to provide information as to which sites may be insecure. The law firm then does research (through legal means) to find enough people, who have information on the site, to constitute a class action lawsuit. They file the suit and pay their expert witnesses a fee for their testimony. No one can retaliate against the expert witness because that would be witness tampering. The expert witness would be working on behalf of the plaintiffs rather than working independently.

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington