September 11, 2020 - Posted by Guzman Gonzalez Jesus Alexander Cybersecurity

Hat Hackery and the Colour Spectrum

Hacker, a word that seems to be appearing with greater frequency in the media for the last few years. A word that has been completely distorted by the media for the better part of the last thirty years. A word that has become almost synonymous with criminal, and which requires a qualifier in front of it to try and signify otherwise (“ethical” hacking), and still manages to leave some people unconvinced.

History of the word ‘Hacker’

The word originated from MIT’s Railroad club which later gave way to MIT’s Artificial Intelligence Lab. Many people have spoken about the pure beginnings of the word, which many times was used as a compliment or for giving praise to others. I’d just like to include here the eight definitions of “Hacker” from the Jargon Files (see references below):

  1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users’ Glossary, usefully amplifies this as: “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.”
  2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
  3. A person capable of appreciating hack value.
  4. A person who is good at programming quickly.
  5. An expert at a particular program, or one who frequently does work using it or on it; as in ‘a Unix hacker’. (Definitions 1 through 5 are correlated, and people who fit them congregate.)
  6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
  7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
  8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence password hacker, network hacker. The correct term for this sense is cracker.

The first seven definitions are definitely not in line with the media’s portrayal or the general public’s understanding of what a hacker is, and the eighth is deprecated.

It’s also clear that most hackers, at least at the beginning, were motivated by their curiosity to learn (see [3]).

Colour Spectrum

As hacking and Information Security as a whole were pushed towards the mainstream, it became evident that the best way for organizations to secure themselves was to try and see if they could be breached.

Suddenly, penetration testing or “ethical hacking” became a profession. To differentiate between the various kinds of hackers, coloured hats were used (like in old American Western films).

White

The “good hackers”, who carry out authorized security assessments (such as penetration tests and vulnerability assessments) on behalf of clients in order to help them secure their organizations from the “bad guys” (see Black Hats below).

Black

The “bad hackers”, those who carry out unauthorized, illegal activities with malicious intent for their own self-interest, usually financial gain. They usually pose the biggest threat to most organizations, since almost any organization, once breached, can be leveraged in one way or another to extract money.

Grey

This is the trickiest colour; the generally accepted definition of grey-hat hackers is that they carry out activities whose legal status is unclear, albeit for a good cause. This could include hacktivists practising some form of civil disobedience and/or whistleblowers leaking confidential documents, etc.

Red

This one is relatively little known: the hackers who actively go after the black hats.

Not a rainbow

Others have in the past proposed that the word Hacker should be neutral and should not denote criminal or illegal intent by default, just like most other descriptions of craftspeople (see [1] below for an excellent explanation). For example, the terms “ethical banker” or “ethical lawyer” are not widely used because most people would assume they are ethical by default. However, unethical bankers and unethical lawyers obviously exist.

So why not extend the same line of thinking to hacking and leave the coloured hats at home?

Conclusion

Most organizations are at risk from:

  1. Criminal hackers who are motivated by financial gain (organized cybercrime syndicates, corporate spies, etc.).
  2. Activist hackers (hacktivists), whose activities are usually illegal and who target the organization for a specific purpose, such as retrieving confidential corporate information.
  3. Illegal hackers, who might be motivated only by their curiosity to learn and expand their knowledge, but who nonetheless attack or compromise the organization without malicious intent.

Organizations can benefit greatly from employing or contracting hackers (note the lack of an adjective, since we assume the default is good/ethical) to simulate potential adversaries, so that they find potential security vulnerabilities before the criminals do and help the organization fix them.

In parting, I’d like to leave you with a quote from [1]:

Hackers find and release the vulnerabilities in computer systems which, if not found, could remain secret and one day lead to the downfall of our increasingly computer-dependent civilization. In a way, hackers are the regulators of electronic communication.

See Also

[1] https://www.helpnetsecurity.com/2002/04/08/the-history-of-hacking

[2] http://www.catb.org/~esr/jargon/html/H/hacker.html

[3] https://en.wikisource.org/wiki/The_Hacker_Manifesto