Fine Line Between a White Hat and Black Hat

Columnist Linda LeBlanc says while she's not really a black hat, she can't really call herself a white hat, either. To be a security professional, sometimes you need to be a grey hat.
I have a confession to make. I do not consider myself a 'white hat' in the common sense of the word within the technology community. Although, I am certainly not a 'black hat'. I consider myself just a hat -- maybe a grey hat -- because I don't believe my security work never strays from the ethical path.

I say this because it is my job to know how the hacker thinks and works. It is incumbent on me to look at my working environment with the eyes of a hacker. In order to do this, I must look for openings and other opportunities to gain a foothold, or do damage in a more immediate sense.

Sometimes I find situations or applications that I need to explore more fully. This is where my 'grey hat' comes into play. I may set up an experimental network to determine what type of behavior specific equipment exhibits. I may need to find out what happens under the load of normal network traffic.

To do this, I might go to a public network and sample traffic to determine standard characteristics of traffic to and from that piece of equipment.

I could argue that it's a public network and therefore I am not behaving inappropriately. However, I also could argue that if I were to unintentionally bring down that public network, I would have been responsible for a Denial-of-Service (DoS) attack -- intentional or not.

It's a fine line.

Sometimes it's necessary to actually conduct the exercise. That's why Computer Science classes have lab sessions. It's not enough to be satisfied with a thought experiment or theoretical speculation about the results of given actions.

To be clear, it is well known that throwing a huge number of packets at a switch or host will eventually make it unreachable in the flood. This does not require a real-life example. Stealing usernames, passwords, and credit cards off the wireless network at a nationally known coffee chain also is trivial work, and does not require practical application examples.

However, what about the ability of an individual to locate, identify, and crack the proprietary encryption system of a piece of lab gear? The question is whether it can be done in an amount of time a professional hacker would consider acceptable. Even if a vendor touts his product as 'unbreakable', we all know that 'given an infinite number of monkeys and infinite amount of time' anything can be cracked.

Hacker or Cracker?

Let's digress for just a moment.

There are three basic hacker types. (They should really be referred to as crackers, but I'll get to that distinction in a moment).

First off, there are those who do it for money. They steal credit cards, identity information, corporate secrets... whatever they think they can use to turn a profit.

Secondly, there are those who do it for political purposes. These hackers break into and deface the Websites of corporations and organizations they wish to embarrass publicly, or to gain other political advantage. Sometimes they use their skills to cause financial harm 'for the good of the cause'.

Finally, you have crackers who do it for the thrill, the recognition and the entertainment value they derive from 'owning' a box with an address like or They use these cracked boxes for Distributed Denial-of-Service (DDoS) attacks, as launching points for new cracking activity, and as repositories for their 'Warez'. (Warez generally consist of movies, music, software and packages of hacker tools to be traded like bubble-gum cards. On average, these are your script kiddies or teenagers with exceptional skills who are just living for the moment.)

Historically, hackers have been people who just want to understand the way things work, by taking them apart and putting them back together again. The top rule of hackerdom is: First, do no harm.

Crackers, on the other hand, don't really care one way or the other who they hurt, because it's all about the game, whether the game is for money, or for reputation. Some crackers believe all information should be free.

The script kiddie might seem to be the least of your problems, but they are not. The one commodity they have is time. They have the luxury of being able to mount an attack that in military terms comes in low and slow, or under the radar of your intrusion detection tools. The more skill they have, the better able they are to identify and exploit weakness in your corporate infrastructure.


So, where were we? Oh, yes. Is my vendor's encryption technique sufficient to ward off an attack?

Well, am I doing it live and on the fly? One defense recently suggested to me was that there was no way the 'bad guys' would have time to break the encryption and get into the system. I have to put my not-so-white hat on now, and ask myself not can it be done, but how can it be done. And is it likely to be done by a professional, or political cracker, or some kid?

In this instance, the answer is almost assuredly -- some kid. I suggested to the vendor his likely attacker had Mondays, Wednesdays and Fridays from 2 to 4 p.m. to collect data points in the encryption scheme. He also had all the lab hours necessary to run an encryption-cracking program on a couple of parallel-processor machines. I reminded the salesman that the ability to brag to friends would be sufficient reward for the hours of work invested.

I carry my little grey hat across the way to where the vendor's equipment is online. I sit down in the back of the class with my laptop. I collect data points for two hours. I run a shareware cracking program I downloaded from the Internet on my desktop machine. The next day, I send the vendor his proprietary encryption scheme in plaintext packets.

Does that make me a white hat? I am helping the guy sell a better product.

Does it make me a black hat? I was snooping traffic on a network that might have revealed sensitive data.

It really doesn't make me either. I am utilizing my skills to further the good of the network I am hired to protect. I'm also attempting to educate and improve the awareness of those who work with us. I do not take advantage of my position and ability for personal gain... even at my local branch of a nationally known coffee chain.
