howtogeek at April 20th, 2013 06:42 — #1
Originally published at: http://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white-hats-and-gray-hats/
Hackers aren’t inherently bad — the word “hacker” doesn’t mean “criminal” or “bad guy.” Geeks and tech writers often refer to “black hat,” “white hat,” and “gray hat” hackers. These terms define different groups of hackers based on their behavior.
beeven at April 20th, 2013 12:27 — #2
white vs black also includes methodologies
grey willing to employ black for white objectives: MY hardware, MY terms (death2drm)
iszi at April 20th, 2013 15:04 — #3
Sadly, I think "Black Hat" and "White Hat" will be taking on new meaning to Americans for awhile, given the events of the past week.
domo at April 21st, 2013 12:59 — #4
Well, in reality, the Grey Hat aren't nesessarily between White and Black. They are moslty hackers "doing it for the luls". Also, teenagers who like to break stuff - vandalism.
wilsontp at April 22nd, 2013 12:21 — #5
I've never even heard the term "gray hat" hacker, but it's an interesting distinction.
INAL, but as far as I can tell from the law, you either have permission to enter a system or you don't. We have seen several prosecutions now for otherwise innocent transgressions. the AT&T iPad "hack", which involved nothing more than changing a URL, or the kid who discovered a flaw in his University's web site and got treated very badly for reporting it.
With CISPA looming, it's going to be even more critical that so-called gray hats not engage in this activity: it's obvious that companies and law enforcement want to crack down a lot harder on computer crime, and the Zero Cools of the world will get caught up right alongside the Plagues.
iszi at April 22nd, 2013 12:45 — #6
Legally, there isn't one. White/Black/Grey Hat isn't usually a matter of legality, although there are some cases where the laws are unclear or just haven't been written. Generally though, matters of law are "white" or "black" with little room in between.
Morality is a bit more flexible though, and this is where the "grey" term comes in. Let me give you some examples.
- Hacker who always asks for permission, and discloses vulnerabilities only to the affected parties and/or public per processes approved by the affected parties: White Hat.
- Hacker who rarely, if ever, asks for permission and keeps vulnerability data for his own use or sells it to other malicious actors: Black Hat.
That's as clear-cut as it gets. The greying comes in when you have someone who uses Black Hat methods (e.g.: pentesting without permission) to achieve White Hat goals (e.g.: informing vendors of vulnerabilities in their product).
This is the functional (though not legal) equivalent of someone going around the neighborhood and jiggling door knobs, then telling homeowners that their doors were left unlocked. Is that guy maybe a little creepy? Sure. But you can't argue (with the presumption that this is all that he's done) that his intentions are not noble.
In terms of testing the security of your systems, the grey hats aren't doing much that black hats aren't already doing. The grey hats are just nice enough to not be doing damage while they're at it, and will actually tell you about it when they're done.
wilsontp at April 22nd, 2013 13:05 — #7
Looks like you got in before the edit. =)
My real concern has always been one of permission. If you don't have permission to do penetration testing of a system, you are violating the law. Noble purposes or not, it's illegal and you can see jail time.
Now the guy who goes jiggling doorknobs? He can argue that he was "testing the neighborhood security", but he can still be arrested for trespassing. He could even be shot by a scared homeowner, and the police would probably call it self-defense.
I'm not condemning curiosity; I'm just pointing out that the best of intentions don't matter when someone decides to punish you for cracking their security.
scott_vt at February 19th, 2014 20:00 — #9
This topic is now closed. New replies are no longer allowed.