gray hat hacking

In mainstream culture, the term hacker has a negative connotation. It is a synonym for a person who commits computer crimes, usually by breaching security systems. The hacker community prefers to bestow the name hacker to highly skilled programmers who are admired for ingenious and clever uses of technology and programming. In the security industry, there are three “shades” of hacker: white hat, black hat, and gray hat. Each type of hacker is known by his intent, ethic, and authority to breach a security system.

Three Hats

White hat hackers are members of the security industry hired specifically to test and find security vulnerabilities in production systems and applications. A company might hire a white hat hacker to attempt to breach their networks and systems without their knowledge. This is very similar to popular television shows where a homeowner learns just how easy it is to break into their own house. The television burglar is videotaped getting through all of their security systems, and then offers advice on how to secure their property. White hat hackers are obviously not going to cause any damage for their clients, and their intent is to strengthen the security measures a client takes against attack. They do not break any laws, as their access to the network, while using the same methods that a malicious hacker (or “cracker”) might use, is perfectly authorized by prior contract.

Black hat hackers are, naturally, the antithesis to a white hat hacker. The hacker community refers to these programmers (often as skilled as true hackers) as crackers, due to their malicious intent to harm or gain profit from hacking. Black hat hackers do not follow any particular ethic, and break into systems for no other reason that to commit a crime of some sort. These are the types of hackers that are most covered in the media, and are often the focus of legislation and public outcry. It is the actions of black hat hackers that have generated a negative image for hacking.

Gray hat hackers are a hybrid of the previous two types. They share the same ethical foundation as the original hacker, but they stretch the boundaries of that ethic into a sort of vigilanteism. The gray hat hacker’s intent is much the same as the white hat hacker: these hackers want to expose vulnerabilities in public and government systems in order to force these systems to become more secure. Yet they do not seek prior consent or authorization. They prefer to hack into these systems anonymously and leave their mark, informing system owners of the vulnerabilities on the way out. They often do not cause any irreparable damage, although they have been known to cross the line into black hat behavior. Because they are not regulated by the security industry’s public ethics (as white hat hackers are), there is no hard and fast code that means a gray hat hacker will always have the greatest good in mind. But for the most part, the intent is to show off by showing other people how vulnerable their systems really are. Gray hat hacking often occurs as a type of “tagging,” much like the graffiti artists of subway fame.

Case Study

In 1999, a seventeen year old hacker with the handle “ytcracker” exploited a weakness in Microsoft NT’s web service and replaced the homepage of three U.S. government agency web sites. The homepages of NASA’s Goddard Flight Center, the office of Land Management’s National Training Center, and a Defense Contracts Audit Agency suddenly showed an image of a graffiti-like rapper with gold necklaces and the message:

To the U.S. government and military–I have warned you about these security flaws. Please secure our military systems to protect us from cyber attack.

ytcracker’s message was accurate–he did send messages to the administrators of these systems notifying them of the vulnerabilities. When they did not fix the security flaws, he used them to breach their systems. The seventeen-year old was charged and fined $30,000 for unauthorized access of a computer system.

Ethical v. Legal

Ethics often entail a philosophical discussion of the greatest good, and an analysis of the “right” decision over the legal decision. This means there are times when committing a crime might still be an ethical act. Or an unethical act might not involve a victim or a crime at all. Legality, on the other hand, pertains to the protection of society. Laws determine what behavior or action is socially allowed. Damage to society or to an individual member of society is often considered illegal.

The actions of gray hat hackers often break the law. The breach of any computer or network without authorization is a violation of the law in many U.S. states and other nations. But the avowed purpose of these actions, according to many gray hat hackers, is to strengthen otherwise weak security systems. Because a question of ethics often involves both intent and a choice for the greater good, it can be argued that gray hat hackers are providing a service that benefits the greater good: the increased security of the Internet. White hat hacking, by its very nature of prior agreement (warning) with the client cannot be 100% effective at exposing unknown vulnerabilities. It is often only once a system has been breached via an unknown weakness that system administrators are forced to take action. The more gray hat hackers expose, the more security holes are closed. The Internet, being a fairly unregulated space (thus is its flexibility), is improved by a joint effort between white hat and gray hat hackers. We need both to create the best possible security environment.

5 replies on “gray hat hacking”

  1. White hacking is not the same as you said above. ytcracker was a white hack turned gray. White hacking is not just ‘security’, it can be an outside source examining the code to turn back in, not actually cracking the system, just maneuvering around it to examine it.

  2. While I do agree that a discussion of white hacking shouldn’t be limited to the security industry, I propose that all hacking is at least some sort of security concern.

    Cue, what you describe (“examining the code”) really isn’t hacking. Hacking (in technology) is by nature an attempt to get around something or take a shortcut. If a user did not have to bypass or short-circuit anything to examine some code, then I wouldn’t call that hacking. I’d consider that code in the public domain. If they did have to bypass something to access the code, then I would label that a hack and would think that any security officer would consider it a concern. To be a white hacker in that sense, they would need to have been given the authority to bypass a system to examine the code.

Comments are closed.