“Let me introduce you to John, he’s a hacker…” Should I shake his hand? Will he clone my fingerprints, steal my money and give it to terrorists?
“…he’s a white hat hacker”. White hat? Black hat? Is there a grey hat? What’s a script kiddie?
A hacker is someone who hacks (!). A hack is a “shortcut”, a new inventive way to achieve a result. None of that implies any illegal action, or even computer security.
So pretty much any software developer is a hacker in some way, since programming often involves thinking outside the box and using ingenuity to solve a particular problem beyond the realm of established and proven solutions.
Black hat hacker
That’s the stereotypical media hacker. The one who exploits computer (and human) related vulnerabilities to achieve a result (almost always illegal) for personal gain. In all cases a deep understanding of programming, operating systems, networking, and human behaviour is needed.
That leads us to…
Script kiddie
You want to be a black hat hacker but don’t want to bother with learning anything? Just download a bunch of tools, try them without actually understanding them, and you will probably manage to steal a password, bring down a computer or something similar. The script kiddie is the annoying type of hacker, the one who brags about being a full-blown delinquent genius for stealing your wallet while you were swimming in the sea (more your fault than his talent), all the while looking for recognition in a group of Ocean’s-Eleven-style vault robbers.
White hat hackers
So how can I defend my company against a malicious hacker? Hire a white hat hacker! Computer security is a tool, like a spanner. If the black hat hacker is the guy using the spanner to pry open your window, the white hat hacker is the other guy who uses the spanner to install a better lock on it. There are many individuals and companies who offer their services to scan for vulnerabilities, do penetration testing and report the results to anyone interested in beefing up the security of a site, application or company. Of course, an explicit contract and written permission must exist before doing any testing; otherwise it is legally indistinguishable from a black hat attack.
Grey hat hacker
Of course, not everything is black or white. And there’s a distinction between “legal” and “ethical”. Grey hat hackers often do illegal things in order to achieve an ethically or morally correct outcome. Let’s imagine the following scenario:
Car manufacturer X releases the Y model. Paul buys a Y car and notices the central locking doesn’t work. His friend Richard has the same model and the same issue. Paul realizes all Y cars have the same problem. Paul now has the following options:
- The black hat way: Exploit that vulnerability and steal many Y cars! Paul is not a thief, so he doesn’t want to do that.
- The white hat way: Contact manufacturer X and tell them about the problem so they can fix it. But manufacturer X calculates that recalling and fixing 300.000 cars is too expensive, and only Paul has noticed. So nothing is achieved.
- The grey hat way: Make the problem public, resulting in some car thefts (by script kiddies :P) but causing manufacturer X a PR problem and putting pressure on them to fix it. The problem gets fixed and Paul has made the world a better place, but he might not be left in good standing, legally speaking.
Computer security is huge. And it gets bigger every day, at the same pace technology advances. Simplifying the subject to “hackers and credit cards” only reveals the media’s lack of understanding and adds to the confusion of the general public. And we are only scratching the surface: there are phreakers, crackers, social engineers, elite groups, hacktivists, intelligence agency hackers, information forensics, and so on.
So next time, take the time to learn a little about it (it’s quite entertaining, actually). And don’t be afraid to shake John’s hand.