You may be familiar with the terms “white hat”, “black hat”, and “grey hat”, but what do they really mean?
As we move further towards an IoT future, interconnectivity is both a gift and a curse. If everything is connected, everything is vulnerable. But this also means that those vulnerabilities can be exploited for good causes.
Is there such a thing as “ethical hacking”?
First, Let’s Define How White, Black, and Grey Refer to Hacking
The first thing to know about potential “ethical hacking” is that it doesn’t necessarily require ethical means by which you hack. If you are hacking a private security database, but not leaking the data to show how easily people’s privacy can be violated, you might be a grey hat hacker.
But let’s break that down: you can use any hacking means for any hacking goals. Think of it like a bingo board with white, black, and grey squares. Applying the terms “white”, “black”, and “grey” works similarly to how you might expect it to based on storytelling conventions.
- White relates to a security specialist or hacker assessing network security; traditionally “above board” hackers who have permission from an organization or company
- Grey relates to hackers or security specialists who may employ tactics from both white and black camps but could also relate to individuals whose goals don’t fall into “white” or “black” depending on perspective
- Black relates to hackers treated as malicious; security breachers who exploit vulnerabilities in security for personal gain
Tangible examples of these archetypes in action include Elliot from the TV series Mr. Robot. He serves in any of the three categories depending on which part of the show it is.
Another classic example is the teenagers in the 1990s film Hackers. A private sector hacker tries to frame them for black hat hacking, so they incorporate grey hat strategies to save themselves and out the actual bad guy.
But what are some real-world examples of each type of hacker and is there such a thing as ethical hacking?
The Epic Rise and Degradation of WikiLeaks as a Vigilante Hacking Group
One of the first mainstream hacking groups that started leaking information on a large scale was WikiLeaks. It started out as a source of information, specifically aimed at the United States in many ways. The mission was to avoid authoritarian, information-limited societies and to expose “secrets” for the common good.
You could loosely argue that WikiLeaks originated as a white hat hacking group before “white hat” came to solely mean security professionals. The group pursued its mission, usually releasing information that did not harm individuals.
As the group adapted over the years, however, its objective became muddled with allegations against its editor-in-chief Julian Assange. Coupled with the standing Russia conspiracy surrounding the most recent 2016 presidential election in the U.S., WikiLeaks has changed from a white hat organization into a grey hat organization.
More realistically, the organization shifted from a lighter grey to a darker color over the last few years. In trying to disperse information in more effective or provocative manners, some question if people’s information is threatened by this group that initially wanted to help the common people.
The reason for this: a shift in perspective and strategies along with allies. One other main hacking group makes headlines often. But many initially thought they were far more dangerous than WikiLeaks.
Where do Groups Like Anonymous Fall?
There are definite ethical lines when it comes to delineating grey hat hackers from black hat hackers. Ethical hacking requires adhering to a similar set of ethics or morals that the majority of society does. Blackmailing major companies for financial gain falls into the black hat category.
But many hacking groups don’t fear notoriety nor do they feel the need to live in obscurity. Vice chatted with some hackers from Basehack who were very open about making “hundreds of thousands of dollars a year”. But, they never hacked charities; mostly, they exploited “stupid” businesses (businesses with obvious security vulnerabilities).
Anonymous, loosely formed on a 4chan image board in 2003, went to bat for WikiLeaks once upon a time. Their hacking record ranges from Sony to Mastercard to the country Iran and more.
Anonymous has openly “declared war” on individuals it feels pose threats such as Donald Trump, Hillary Clinton, and Aaron Barr, someone who tried to finger Anonymous leadership. The group is very secular, claiming it has no official leadership.
These hackers also put members in two separate camps: white and black. Some, such as “Gary in the White Hat” who spoke with Huffington Post, operate in mostly legal, moral ways. Most of the members maintain a “black” or “white” status.
The group eschews the term “grey hat” in that it implies co-mingling. Again, Anonymous maintains a stance of loose associations, so it follows that the white vs. black hat hackers wouldn’t necessarily be in contact. Despite this, Anonymous could also be viewed as a “grey hat” group.
Ethical hacking is not outside their realm of actions…but it isn’t their only focus either.
How Corporations and the Government Use Hackers to Better Their Security
White hat hackers are totally above board. In the very first episode of Mr. Robot, Elliot is recruited by the company he works for (Allsafe) to stop a DDoS attack on a client.
Due to his skillset, he becomes entrenched in helping find the perpetrator when he backtraces how the system was hacked. Of course, without spoiling how the show goes, it becomes much more complex than that.
But you see how having someone with knowledge of hacking strategies such as phishing, malware, DDoS, keystroke, or brute force hacking can be beneficial for a major company. It’s a turn toward the future many companies such as Equifax ought to consider moving forward. If you know how the enemy is going to fight you, you can better prepare your defenses.
In that same vein, online and real-world universities like Udemy and Berkeley now offer ethical hacking courses. You can become a Certified Ethical Hacker in no time at all. While black hat hacking can be profitable, white hat hacking can be, too.
The most practical, benevolent use of a hacker’s skills is employing them for bug bounties. These employ “hackers” to infiltrate a given company’s or government agency’s network or software suite to find bugs. This way, the developer is aware of flaws before bad actors find them out in the “wild”.
Ultimately, what the companies do with the result of their white hat hackers is what determines whether or not it is “ethical hacking”. That’s the troubling aspect of white hat work. You are a contractor selling your skills, but you have no real sway over how your work gets used when it is done.