The Paradox of Grey Hat Hackers (windowsitpro.com)
v3rgEz writes: Troy Hunt, a security researcher who tracked breached websites, reflects on the recent "grey hat" hacking of VTech, in which a hacker downloaded millions of kids' photos, chat logs, and more, to blow the whistle on a serious vulnerability. The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act and maybe helped parents better understand the dangers of lax security. Is grey hat ok when it's done for the greater good?
"helpful" hackers point out security bugs (Score:4, Insightful)
Re:"helpful" hackers point out security bugs (Score:4, Insightful)
What we need is... Bathacker. A man with the skills to track down these nefarious hackers, and give them the beating of their lives. That will stop sociopathic hackers from ever breaking into a school's website!
Sounds ridiculous? So does your suggestion. No one hacks a website, and then makes a public spectacle of it, in order to do "good". They do it because they're (relatively) computer talented attention whores. Just think about what you're suggesting. "Oh gee, if the crooked school administrator only stole a small amount, then nobody would really be harmed."
Furthermore, you don't know if this problem was first pointed out in the manner you suggested. District superintendents are hired by local politicians called "school board members". You can have people who are housewives basically making decisions on finance and corporate operations. School district superintendents are basically Fortune 10,000 CEOs; small company business owners. Yes, they have a requisite managerial background, but that doesn't make their staff good at hiring competent system administrators (or able to justify their salaries to district voters).
A hacker group publicly embarrassing a system administrator is only a symptom of a much larger problem. The problem doesn't go away by convincing hackers to be more "discreet" at first.
Re: (Score:2)
Umm...What someone feels is right and wrong is judged all the time, via the law.
Just because you think it's the right thing to do doesn't make it Right. Society has implemented a system for judging Right vs Wrong and we all have a voice in that system. If people can have their own definition of Right, then you have anarchy. Suddenly, my right to swing my fist doesn't end at the tip of your nose, but at the back of your head...simply because I say so.
Re: "helpful" hackers point out security bugs (Score:5, Insightful)
Then it would just be ignored. I speak from experience.
People need to be hacked to act on vulnerabilities, especially the less tech-savvy.
Re:"helpful" hackers point out security bugs (Score:5, Insightful)
I graduated in 1999, and our school had just put up their website for the first time. One of my friends reported to school officials that when they put up the website, they didn't change any of the default passwords for the website software they were using (Perl based, if I remember right). And on top of that, they had opened up VNC to the world with no password. He didn't change anything and only logged in once to see how far he could get.
He was quickly suspended from school and arrested for a huge list of crimes that included computer tampering, misuse of public property, etc. All the charges did end up getting dropped, but he missed most of the last semester of his senior year, didn't get to graduate with us and sat in jail for 3 months.
Every time the website got defaced for the next few years (it happened a lot because the IT at the school didn't know what they were doing), he got a knock on the door from the local police and was taken into custody.
So, yeah. Being the good guy isn't always a good option either.
Re: (Score:1)
This is pretty much my experience. I am not a hacker by any definition of the term, I just fiddle around with technology. Generally telling somebody about a problem (a) makes them angry and (b) they never get around to fixing it.
However if you find a problem and exploit it, the problem gets fixed pretty quickly. I would never do anything truly malevolent but I have no problem with defacing a website or something else relatively simple to correct.
Re: (Score:1)
Bullshit. No one puts a kid in jail for 3 months for reporting security issues. ...
I don't know about this particular story, but during the "over-reaction" period there were some kids that got put in jail.
Never underestimate the stupidity of bureaucrats.
Re: (Score:2)
What I find tragic about the situation is the likelihood that this is an unfixable situation. The reality is that there aren't enough competent computer specialists, let alone computer specialists with competence in security issues in the private sector. So how the hell is a school district going to be able to shell out an adequate salary to hire them, or even determine which ones aren't idiots?
Unfortunately, there's no "simple" way to address the systemic issue. Frankly, in this situation, the school di
Someone will always say no - so run (Score:5, Insightful)
Is it OK?
The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking and even if it is to the great benefit of society as a whole.
Someone will always say no, it's not OK - so run like Snowden even if you are exposing crimes.
P.S. The sad reality is a lot of web platforms are shit that is full of holes run by people that don't care. Exposing a hole is like pointing out a starlet is not wearing pants - both to be expected and will get you in trouble if you provide evidence.
You will not win any medals by pointing out a way to get into a poorly secured website and even well intentioned reports have landed people in deep shit.
Re: (Score:2)
It is important to draw the line. Sharing the information they want to keep private is crossing the line into black hat hacking. Filename/Dates should be enough to explain there is a problem.
Re: (Score:2)
Yes, when confronted by reality, make a rule. That will always fix the problem.
dbill has it right. No good deed goes unpunished. If you're going to do it, run like hell.
Re: (Score:3)
I've stopped reporting vulnerabilities I find to companies that don't have a bounty programme, or at least a written policy. I just post them on a public disclosure mailing list under a pseudonym, so at least the users can protect themselves.
Re: (Score:2)
The people embarrassed or inconvenienced will always say no even if it is "white hat" hacking
"White hat" generally means with permission, or without violating the law. Think penetration testers or other hired consultants. That's why this is about grey hat hacking, where the motives or the end game might be ethical but the means aren't entirely so.
It's not complicated (Score:5, Insightful)
> Is grey hat ok when it's done for the greater good?
Yes. It's great for all the people who benefit. It sucks for the person who put their liberty at risk to bring those benefits to people.
It defeats the purpose (Score:3)
Another commenter already brought up Snowden. Snowden did exactly the same thing wrong: Snowden exposed way too much classified information. In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame. The general public now thinks to know stricter laws are necessary in order to protect information. Stricter laws are needed to ban encryption. Stricter laws are needed to penalize hackers. Thanks Snowden. Good job.
Re: It defeats the purpose (Score:1)
If Snowden hadn't done what he did, you'd be buying into the 'low level incompetent contractor who misinterpreted a few crumbs he saw and has a crazy conspiracy grudge against us.'
Thanks to the massive evidence release that narrative is now impossible.
Re: (Score:2)
> Snowden exposed way too much classified information.
Says who? The bureaucrats breaking the law, if not raping everyone's Constitutional rights?
> In doing so, he compromised national security and turned public opinion against him. Now the message of Snowden is mostly lost to the general public, which is a shame.
When the general public, after the ass raping of their privacy rights, are watching the TV, and are convinced by paid whores that Snowden has committed a greater crime, that is the shame.
Re:It defeats the purpose (Score:5, Insightful)
Snowden was down to two choices really: do nothing more and just give up, or release at least as much of what he had as he did.
He tried the official channels and was ignored. The 'public' as a whole was not prepared to listen without some demonstration made. People who thought the NSA and more broadly the intelligence complex was up to no good already had reason to suspect much of what Snowden disclosed. We knew this from inferences that could be drawn about data center sizes, power being used, purchases of equipment that were public, whisperings from employees at various telco and equipment vendors etc. There was just no solid proof. It was too easy to get everyone who was speaking out dismissed as conspiracy nutters by a public that just wanted to feel 'safe'.
Any foreign intel operators probably knew even more and were not the least bit surprised; they were most likely operating already under the assumption the NSA monitoring capabilities were at least at the level the Snowden releases indicated. If the officials want us to believe any real harm was done, I say it's on them to show some proof of that!
The only harm Snowden did to the NSA and its efforts was political. Had he released any less nobody would have paid attention.
Shades of grey ... (Score:5, Insightful)
This dichotomy is the whole point for the Grey Hat moniker. There is no Black and White, it is always shades of Grey.
One man's Black Hat is another's White Hat. Many Black Hats believe they are fighting for the greater good, conducting illegal activities but for ethical reasons, while so-called White Hats act legally but unethically while taking the corporate dollar.
Re: (Score:3)
So I guess I'm in the unethical white hat corner of the game? It's unethical to make sure customer data is protected and not open to being used by malicious hackers? It's unethical to secure the personal information of people from being lifted and abused?
I'm such a horrible, horrible person.
Why is it called grey? (Score:1)
The term intrigued me from title on and I hoped I'd find something to distinguish grey hat from white hat but couldn't find any in this case.
Re: (Score:2)
I.e. a collection of tactics/actions comprising both "white hat" and "black hat" behaviors, such that when viewed together they appear "grey".
Why is this a question? (Score:3)
The attacker went way beyond responsible disclosure, offering the data directly to a reporter, but the ensuing publicity got VTech to clean up their act
Yes, let's fight fire with fire. See how far that gets you.
Re: (Score:2)
It obviously loses a bit in translation...
Re: (Score:2)
Yes, let's fight fire with fire. See how far that gets you.
As it turns out, pretty far [wikipedia.org]. It's time to put that saying to death.
It's called a dilemma, not a paradox (Score:5, Insightful)
Re: (Score:2)
Provided the fine is big enough. Remember, in a corporate setting the question of whether a law is ignored follows the formula of fine*chance of being caught vs. cost to implement.
In other words, if the fine is too low, it's a matter of cost calculation. If the chance to get caught is too low, risk management is the department to go to. Only if both are high enough does the mess hit security.
Re: (Score:2)
Please do tell, on which side of that bold razor-wire-topped fence do you put teens interested in security and casually messing around with malformed Fiddler requests to see what they can get the server to respond with?
Not "professionals", so I guess you would classify them right alongside the Russian Mafia?
Re: (Score:2)
That advice leads to effectively zero security experts, of any color hat, one generation from now.
Re: (Score:2)
Re: (Score:2)
So do I! I don't need those snooty kids to muscle into my territory. They took my juuuuub!
No, seriously. We need those kids. I was one of them, and pretty much everyone I work with has at some point in time played around with computer systems and security. This ain't something you can sensibly teach in a clinical setting like a school. We need people with the "what does this button do?" mentality to computer systems who can not only press that button but also analyze the funny colors the various bits have t
Re: (Score:2)
So ... sodium chlorate and sugar didn't explode violently when you were a kid? And now it does, so it has to be banned?
I'm kinda confused.
Unsurprisingly, it's a grey area. (Score:1)
Re: (Score:3)
An anonymous coward is someone who thinks their opinion matters when they express it anonymously.
Necessary due to corporate defense mode (Score:5, Insightful)
1) Ignore it, or
2) Attack the messenger.
Given that corporate climate of "hostile indifference" to their own flaws, grey-hats fill a very necessary niche. No more of this kumba-ya "tee hee, would you mind fixing this embarrassing massive security breach, Mr. Fortune-500 CIO" bullshit - Just name and shame right up front.
The "nice" way would work well if anyone cared; until it makes the NYT, though - No one cares. So let's stop giving Russian hackers an extra six months to exploit known problems, and skip right on to the NYT solution.
old hats (Score:5, Insightful)
Old discussion, rehashed. /. could use a "re-post my comment from 2002" feature.
There are two sides, and they will never reconcile. Some people think (based on past experience) that corporations generally won't take security seriously unless it impacts their business or their image, so only disclosure works. Other people think (based on past experience) that disclosure leads to the creation of exploit toolkits which leads to higher damage to more people and gives vendors not enough time to fix a problem. And a few especially delusional people think that a timer on disclosure and a few rules to make the whole thing "responsible" solves the unsolvable problem (it doesn't. Vendors with a good track record already fix quickly; vendors with a bad track record merely consider the delay additional time they don't have to do anything.)
And I think that pretty much sums it up, everything else is just elaboration.
Re: (Score:2)
Seems like the solution there. Good track record, delayed disclosure. Bad track record, full disclosure. No track record, benefit of the doubt (good track record). Change response when required.
Who decides what the track record is?
Oh wait, even that discussion has been had a hundred times already. Why do we go around in circles? Because we are human beings and we can't accept that someone simply has a different opinion, comes to a different conclusion even from the same facts. We think that if someone disagrees, one of us must be wrong, and most likely them.
But if everything has been said a thousand times, and smart people on boths sides of the debate still can't agree on a common position, then mayb
Re: (Score:2)
The only time when outing the information immediately isn't a dick move is when the company has a proven history of screwing the pooch. Otherwise consider it corporate espionage.
Old argument, made a thousand times. No need for redundancy.
In fact, everything you say has been said a hundred times, just as I already outlined. Likewise, the arguments pro and contra have been made extensively. I see no need to repeat the discussion. That was the point: If you want to discuss this topic, go to one of the many, many, many archived discussions, you will find everything you can come up with and one hundred other arguments there.
Collateral? (Score:1)
Grey hat hackers will always be more useful than your white hats.
What sounds better to you.
WH: Hey guys!!!! I found an issue in your system, you should fix it.
GH: Hey guys!!!! I was able to see your credit card numbers using this exploit on your website, you should fix that.
Re: (Score:2)
Same outcome. Really.
A sensible company that takes security seriously will, if you WH them, hire some penetration testers to do what GH did. They will hand them the information and ask what damage could be done, and either let the testers access their system or provide them with a 1:1 copy to avoid direct damage.
A company that doesn't give a fuck about security will ignore either of them.
Shades of Grey (Score:2)
The only truly 'white' hat is the one paid to attempt a break in, with full knowledge and cooperation of the target, who delivers the results directly to the company paying the bill, without disclosing their results to anyone else. A 'Black' hat is the one that does a similar thing entirely for their own benefit and the specifics of the exploit used are never disclosed to anyone. As you can see by these definitions, there is a great deal of spectrum between those two extremes. Therein is also a reasonabl
Re: (Score:2)
Call me consultant again and I'll replace you with a very small script! A consultant is someone who takes 500 bucks an hour from you to tell you what you already know, and if not you could have gotten that information from the cleaning lady by paying for her 50 cent coffee.
He was in the wrong. Period. (Score:2)
Re: (Score:2)
What else? (Score:1)
So why wait?
Bulletproof vest analogy (Score:2)
Both Whitehat and Greyhat find that a particular make of bulletproof vest degrades after a year and no longer offers protection. They both notify the manufacturer, who blows them off. Then the paths diverge:
Whitehat: contacts a member of the press and demonstrates the problem for them by putting one of the vests on a mannequin and shooting the mannequin through the vest. (Extra points if he puts a DVD copy of the movie, "Mannequin," inside the vest and shoots a hole in that too.)
Greyhat: contacts a membe
How is this grey-hat? (Score:2)
Tell me if something about my definition is unusual:
White-hat: only cares for ethics, does not want money
Black-hat: only cares for money/power. is not concerned about ethics
Grey-hat: accepts that he gets money/power/advantages for his skills, but only within his ethical boundaries.
Please tell me why I should not consider this guy a white-hat (tipping off journalists is *not* publishing). Side remark: While responsible disclosure is reasonable, I understand (given the reactions of companies) that younger and
How can this be for the greater good? (Score:1)
I can get behind grey hat hackers if ... (Score:2)
... the hackers have reported an exploit to the owner and the owner just doesn't give a shit and the grey hat officially declares a grace period before going public.
Then, I could see the grey hat grabbing a SMALL amount of data, as a proof of concept, to share with the owner with the warning that if something isn't done during another grace period, the shit's going to hit the fan.
The grey hat had better have the sense god gives a piss ant to be anonymous, of course.
The problem is less one of the hacker (Score:2)
The problem is more the way corporations treat such events and the information about them being vulnerable.
Corporations consider such events first and foremost a problem of PR and goodwill. THIS is the actual problem. And they do so also because their customers treat it as such. It's not a technical issue, it's not a security issue, at least not to them. To them it is one of trust in a brand.
And they handle it as such. The first goal is to avoid damage to the brand. I.e. no disclosure. Zip. Nada. No info ma
yes, (Score:2)
Sue insecure sites. (Score:4, Interesting)
What we need is a business model for law firms to profit from suing insecure sites just as the music industry has law firms that support themselves entirely from suing copyright infringers. Said law firms would solicit for "expert witnesses" to provide information as to which sites may be insecure. The law firm then does research (through legal means) to find enough people, who have information on the site, to constitute a class action lawsuit. They file the suit and pay their expert witnesses a fee for their testimony. No one can retaliate against the expert witness because that would be witness tampering. The expert witness would be working on behalf of the plaintiffs rather than working independently.