Fifty Shades of Grey Hat: Hacking and Ethics

Wednesday, September 19, 2012

Tripwire Inc


Article by Ken Westin

Over the summer I attended and presented at several security conferences, including Black Hat, Security BSides and ToorCamp.

When I explain these conferences, and activities such as penetration testing and lock picking, to people outside the security community, I get similar responses, such as "isn't that illegal?" When I try to explain that it depends on intent, it only confuses them more.

I have experience working with law enforcement, and one topic that comes up often is the fine line between "cop and criminal". This makes sense: a good detective needs to think like a criminal to catch a criminal, and that rings particularly true in computer security.

When I tried to explain what a grey hat hacker is to my father, who is a big Clint Eastwood fan, I said they are like Dirty Harry (some more so than others), only armed with "the most powerful security tools in the world" instead of a magnum. The methods may be unorthodox and on the fringe, but the intentions are for the most part good: get the bad guy and keep the world safe.

Usually, when there is a large-scale hack in the news, the grey hat is more interested in the "how" than the "why". There is respect for the black hat's technical abilities, combined with a wary eye and a refusal to turn your back on them. Some grey hats have had run-ins with the law, not because they set out to be malicious, but because curiosity got the best of them.

A good example is Joe "Kingpin" Grand, who presented at ToorCamp this summer. While young he had some legal trouble due to his "technical curiosity", but he turned things around and has become a prolific inventor and hardware hacker, and has testified before the Senate regarding homeland computer security.

When looking at those in the security field who spend countless hours scouring applications and servers for holes, it is important not to judge them on the act of exposing vulnerabilities, but on their intentions for doing so. In many respects the security community holds ethics very high, more so than many other industries, and I am amazed at how much effort and pride researchers put into their work.

In the end the color of your hat is dictated by your intentions, not necessarily your practice.

Cross-posted from Tripwire's State of Security

Kathleen Jungck: Kudos. Intent and context are incredibly important distinctions. How would info sec operate if we couldn't diagnose vulnerabilities and innovate to keep up with the bad actors? Personally, I think "security researcher" is a better descriptor than the color of a hat.

A great analogy is the construction code requirement for residential entry doors to have a vulnerability allowing fire fighters to "kick them down" in an emergency to save your life. Yet, if an attacker were to kick your door in, it's a crime.