The Changing Role of the White Hat Hacker

Written by Mitnick Security | Feb 10, 2017 12:00:00 AM

The word “hacker” existed long before it entered the public consciousness as a reason to practice good cybersecurity habits. It goes back to the 1960s, where computer culture was developing at MIT. The Jargon File, a glossary for computer programmers established in 1975, has eight definitions for hacker (or nine, if you include the hat tip to the original meaning of the term as “someone who makes furniture with an axe”).

These eight definitions show there have always been multiple meanings of the word “hacker.” The first entry describes a hacker as someone “…who enjoys exploring the details of programmable systems and how to stretch their capabilities….” The eighth entry describes a hacker as “[a] malicious meddler who tries to discover sensitive information by poking around.”

By the 1990s, the word “hacker” popularly held the negative connotation of this eighth and final definition from the Jargon File. The general public saw hackers as people who used their computer skills to steal information and commit crimes.

These hackers were sometimes known as “black hats” to distinguish them from “white hats.” The names are taken from Westerns, where the color of the hat shows who’s a good guy and who’s a bad guy. White hats are hackers who use their skills to protect the internet from black hats. They are often security consultants or members of law enforcement.

As any history of the word “hacker” shows, the term is complex and its meaning changes. So what does it mean today? Specifically, what does it mean to be a white hat hacker? Why are they necessary?

On the Side of Righteousness: The White Hat Hacker

White hat hackers consider themselves ethical hackers. Their skills are on hire to find vulnerabilities, rather than exploit them the way black hat hackers do. When white hat hackers find an issue, they alert the vendor so the vendor can fix it.

Many white hat hackers work independently, finding bugs in the internet and in corporate IT systems for fun or in the hopes of receiving a reward when they point out the vulnerability. Facebook, for instance, pays “bounty” for bugs found by white hat hackers. In 2013, they paid $20,000 for a simple bug that allowed a hacker to take over any Facebook account.

Sometimes when black hat hackers are caught by law enforcement, they become white hat hackers. Some examples include:

  • Kevin Mitnick, aka Condor, who started a security company after serving five years in prison for fraud and computer-related crimes.
  • Kevin Poulson, aka Dark Dante, who got a job with Wired after serving his time. He famously used his coding skills to help Wired with an investigation of sex offenders on MySpace, which led to the arrest of a man who was actively using the social network to find underage boys.
  • Robert Tappan Morris was the first to be tried under the Computer Fraud and Abuse Act after he created the first computer virus. He now works for MIT’s electrical engineering and computer science department.

The Moral Ambiguity of Hacking

The hacking world is not as black and white as it may seem, though.

Grey hats show the complexity. Grey hat hackers sell or disclose vulnerabilities to governments, so governments can use these vulnerabilities to hack into the systems of enemies or criminal suspects. After the San Bernardino shooting, it was a grey hat hacker who hacked the shooter’s phone.

While grey hat hackers provide information on vulnerabilities that will presumably be used for the public good by governments, militaries, law enforcement and intelligence agencies, this is not always the case. Some governments use vulnerabilities to spy on dissidents and political rivals, introducing moral ambiguity.

In some cases, your perspective on whether or not a hack was good or bad depends on your politics. Adrian Lamo is a famous black-turned-white hat hacker who turned in Chelsea Manning to authorities after Manning released U.S. diplomatic cables to Wikileaks. Some call Manning a whistleblower and believe she should not have been imprisoned; others believe her charge under the Espionage Act was justified. Whether you believe Lamo’s actions to be good or bad depends on how you view Manning’s actions.

Some people reject classifying hackers as good and others as bad. “There is no ‘good’ or ‘bad’ to hacking, there is just hacking,” declared Cris Thomas, a security strategist, in an article for the New Statesman.

The Disappearing White Hat Hacker

Where hackers once took pride in their identity as white hat hackers, they are increasingly setting that identity aside to replace it with more professional titles that don’t carry the same negative weight.

Today, white hat hackers are more commonly referred to as penetration testers, malware reverse engineers, security researchers, and the like.

Though, Thomas sees the black hat hacker title dissolving, too:

“Despite one of the largest annual security conferences in the world calling itself Black Hat, even black hat hackers are seldom identified that way today. Instead, they are labelled as cyber criminals, malware authors, hacktivists or nation state actors."

“It’s sad but no one is proud to be called a hacker any longer.”

Thomas alleges the term “hacker” may be on its way out entirely. Too many white hat hackers and security researchers find themselves under legal threat when they reveal a vulnerability to a company.

As one example, in 2005, Cisco took out a court injunction and threatened to sue a security researcher to prevent him from revealing security flaws in Cisco’s IOS. Such examples dissuade others from finding security vulnerabilities, even if their purpose is to fix them.

For that reason, white hat hackers may be a disappearing breed, replaced by security firms who are paid to find and tell corporations about their vulnerabilities.

However, this relies on companies taking the initiative to hire such security firms — something not every company is willing to do. Yet, as white hat hackers become fewer and farther between, it will be more important for companies to be proactive about hiring security firms to find vulnerabilities and do penetration testing — it’s the only true defense against cyberattack.

Read this article and more at Business 2 Community

Source: Business 2 Community