I have a confession to make. I do not consider myself a ‘white hat’ in
the common sense of the word within the technology community. Although, I
am certainly not a ‘black hat’. I consider myself just a hat — maybe a grey hat — because I can’t
claim my security work never strays from the ethical path.
I say this because it is my job to know how the hacker thinks and works.
It is incumbent on me to look at my working environment with the eyes of
a hacker. In order to do this, I must look for openings and other
opportunities to gain a foothold, or do damage in a more immediate sense.
Sometimes I find situations or applications that I need to explore more
fully. This is where my ‘grey hat’ comes into play. I may set up an
experimental network to determine what type of behavior specific
equipment exhibits. I may need to find out what happens under the load of
normal network traffic.
To do this, I might go to a public network and sample traffic to
determine standard characteristics of traffic to and from that piece of
I could argue that it’s a public network and therefore I am not behaving
inappropriately. However, I also could argue that if I were to
unintentionally bring down that public network, I would have been
responsible for a Denial-of-Service (DoS) attack — intentional or not.
It’s a fine line.
Sometimes it’s necessary to actually conduct the exercise. That’s why
Computer Science classes have lab sessions. It’s not enough to be
satisfied with a thought experiment or theoretical speculation about the
results of given actions.
To be clear, it is well known that throwing a huge number of packets at a
switch or host will eventually make it unreachable in the flood. This
does not require a real-life example. Stealing usernames, passwords, and
credit cards off the wireless network at a nationally known coffee chain
is also trivial work, and does not require practical application
However, what about the ability of an individual to locate, identify, and
crack the proprietary encryption system of a piece of lab gear? The
question is whether it can be done in an amount of time a professional hacker
would consider acceptable. Even if a vendor touts his product as
‘unbreakable’, we all know that ‘given an infinite number of monkeys and
infinite amount of time’ anything can be cracked.
Hacker or Cracker?
Let’s digress for just a moment.
There are three basic hacker types. (They should really be referred to as
crackers, but I’ll get to that distinction in a moment).
First off, there are those who do it for money. They steal credit cards,
identity information, corporate secrets… whatever they think they can
use to turn a profit.
Secondly, there are those who do it for political purposes. These hackers
break into and deface the Websites of corporations and organizations they
wish to embarrass publicly, or to gain other political advantage.
Sometimes they use their skills to cause financial harm ‘for the good of
Finally, you have crackers who do it for the thrill, the recognition and
the entertainment value they derive from ‘owning’ a box with an address
like EnormousStateUniv.edu or GiganticCorp.com. They use these cracked
boxes for Distributed Denial-of-Service (DDoS) attacks, as launching
points for new cracking activity, and as repositories for their ‘Warez’.
(Warez generally consist of movies, music, software and packages of
hacker tools to be traded like bubble-gum cards. On average, these are
your script kiddies or teenagers with exceptional skills who are just
living for the moment.)
Historically, hackers have been people who just want to understand the
way things work, by taking them apart and putting them back together
again. The top rule of hackerdom is: First, do no harm.
Crackers on the other hand, don’t really care one way or the other who
they hurt, because it’s all about the game, whether the game is for
money, or for reputation. Some crackers believe all information should be
The script kiddie might seem to be the least of your problems, but they
are not. The one commodity they have is time.
They have the luxury of being able to mount an attack that in military
terms comes in low and slow, or under the radar of your intrusion
detection tools. The more skill they have, the better able they are to
identify and exploit weakness in your corporate infrastructure.
So, where were we? Oh, yes. Is my vendor’s encryption technique
sufficient to ward off an attack?
Well, am I doing it live and on the fly? One defense recently suggested
to me was that there was no way the ‘bad guys’ would have time to break
the encryption and get into the system. I have to put my not-so-white hat
on now, and ask myself not can it be done, but how can it be done. And is
it likely to be done by a professional, or political cracker, or some
In this instance, the answer is almost assuredly — some kid. I suggested
to the vendor his likely attacker had Mondays, Wednesdays and Fridays
from 2 to 4 p.m. to collect data points in the encryption scheme. He also
had all the lab hours necessary to run an encryption-cracking program on
a couple of parallel-processor machines. I reminded the salesman that the
ability to brag to friends would be sufficient reward for the hours of
I carry my little grey hat across the way to where the vendor’s equipment
is online. I sit down in the back of the class with my laptop. I collect
data points for two hours. I run a shareware cracking program I
downloaded from the Internet on my desktop machine. The next day, I send
the vendor his proprietary encryption scheme in plaintext packets.
Does that make me a white hat? I am helping the guy sell a better
Does it make me a black hat? I was snooping traffic on a network that
might have revealed sensitive data.
It really doesn’t make me either. I am utilizing my skills to further the
good of the network I am hired to protect. I’m also attempting to educate
and improve the awareness of those who work with us. I do not take
advantage of my position and ability for personal gain… even at my
local branch of a nationally known coffee chain.