Learn the Difference Between the Good and the Bad Hackers
Grey-hat hacking is a grey area.
The Electronic Frontier Foundation (EFF) offers the following on their Grey Hat Guide page:
“There are no easy answers for the ethical hacker who has wandered off the straight and narrow into the legal thicket of computer offense laws.”
They go on to say that “because the regulatory regime is complicated and non-intuitive, security researchers may have more reason to worry about legal challenges than other scientists. Potentially, a researcher may unintentionally violate the law through ignorance or misplaced enthusiasm, or an offended party can stretch or misuse the law to challenge research that casts its products or services in a negative light.”
As with any in-depth discussion of the matter, this one would not be complete without the appropriate legal disclaimer:
“This is why we recommend that security researchers consult with an attorney before doing potentially risky research.”
According to the contributors on its Wikipedia page, “grey hat” refers to a “computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.”
“The white hat breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure it is against hackers.”
As for grey hats, “when they discover a vulnerability, instead of telling the vendor how the exploit works, he or she may offer to repair it for a small fee.” That is not the same thing as a bug bounty: in a bounty program the vendor sets the terms of the reward in advance and the researcher reports the flaw rather than offering to fix it for a price.
Grey-hat exploits can reach the top of an organization. Many were surprised when Khalil Shreateh, a grey hat from Palestine using an old laptop with broken keys and a questionable battery, posted an unexpected message on Mark Zuckerberg’s own Facebook page, as CNN reported in 2013. He had tried to report the bug to Facebook beforehand, but was largely ignored.
It probably wasn’t a surprise that, “because he violated Facebook’s terms of service by hacking the pages of other users,” Shreateh was not eligible for the reward offered in Facebook’s White Hat program.
“I could sell (information about the flaw) on the black (hat) hackers’ websites and I could make more money than Facebook could pay me,” he said in an interview with CNN. “But for me — I am a good guy. I don’t deal with the black (hat) stuff.” Shreateh was hoping his tip would lead to a reward from Facebook.
At the time, Facebook was unwilling to compensate the grey-hat hacker, so security researcher Marc Maiffret launched a GoFundMe campaign, which ended up raising more than $13,000, well over its $10,000 goal. Since then, The Verge reported last December that Shreateh has in fact been rewarded for ten other vulnerabilities he uncovered on Facebook after the post on Zuckerberg’s Wall.
LinkedIn, however, was not so keen on compensation when the ethical hacker uncovered a vulnerability on its site. LinkedIn reproduced and fixed the vulnerability after The Verge contacted the company about the story. A spokesman for LinkedIn told The Verge that “The issue had the potential to impact users only if they responded to a phishing email from an attacker and then entered their credentials. We do not believe any exploitation has occurred. We value our hard earned and well established track record of working with security researchers to protect our members.”
As early as 2015, as this NBC story touches on, the cybersecurity industry was thought to be short more than a million workers globally, which is one reason several academic institutions, such as the Stanford Cyber Initiative, have developed or are developing programs to address a growing business need, a market estimated to approach $100 billion within the next year or two.
Presumably some of that course content deals with ethical hacking. For example, a 2016 TechWorm profile of Charles Henderson, an ethical hacker who works at IBM, describes his job as “break[ing] into networks, applications, or physical locations to find out how a real attacker would carry out their work.” IBM employs about 1,000 ethical hackers. Though they work as white hats today, it is not inconceivable that some of them were grey hats before they were recruited.
In the 2016 TechWorm profile, Henderson puts it eloquently when he says, “the biggest misconception that people have about hackers is that they are all criminals. Ironically, the word ‘hacker’ has been regarded as malicious computer hacking, which is why it is very necessary to understand that the word is not a synonym for criminal.”
“To me, being a hacker means you have an unbridled curiosity about how things work. Whereas many people look at a new technology and think about the possibility for creation, hackers look at a new technology and want to understand how to deconstruct that technology. We have an insatiable appetite for understanding how the world works — and we take it as a personal challenge to find flaws in technology before criminals have a chance to.”
“There is also a preconceived notion of hackers that we are people who choose to hack because we are maladjusted or full of angst and anger.”
“Most people assume if you’re a hacker, you had no friends growing up. But honestly, hacking has nothing to do with that. There are perfectly well-adjusted hackers in the world, we’re just curious people, looking for a deeper understanding of how the world works. I’m a father of two and I’m happily married.”
However, not every company has the budget to support a team of penetration testers, which is one reason other solutions are being developed to address the industry’s growing cybersecurity needs.
One example, the Buglab platform, detects and remedies vulnerabilities in business-critical applications, websites, mobile applications, IoT devices and smart contracts by turning penetration test services into challenges, referred to as contests, for a community of independent information security consultants with certified qualifications. This makes cybersecurity services accessible even to the smallest enterprises, which typically lack both the staff and the budget to tackle vulnerabilities by traditional means.
The Buglab Token (BGL) is being introduced to incentivize penetration testing. The token is exchanged to reward contest winners, to cover the cost of running a contest, and to enable tokenized “tipping” of white hats.
The Buglab project is moving towards implementing blockchain capabilities, so be sure to sign up for our newsletter for project updates. In the meantime, follow the Buglab team on Telegram, Reddit, Facebook, Twitter, Instagram, and LinkedIn.