My 03/23/08 Missoulian column
The word “hacker” and the concept of a “hack” have evolved a great deal over the years, mostly since the early 1980s when the terms were first used in news stories to describe kids who electronically broke into banks and erased files or who burrowed into government systems. The mainstream definition of a hacker made – and still makes – great headlines.
But the definition of a hacker among computer affectionados is quite different. According to that definition, people who like to take things apart, fix them and modify them for the better – with whatever tools and duct tape it takes – can call themselves hackers.
These days, computer “hacking” is defined to an even greater degree. Think for a moment of an old B western movie: The cowboys in the white hats were the good guys, while the ones in the black hats were the bad guys. The same goes for hackers – there are “black hat” hackers and “white hat” hackers.
There’s even a term for wannabe hackers – “script kiddies” – which, to continue the cowboy analogy, brings to mind the saying “all hat and no cattle.” That’s someone who wants to be a black hat and knows the vocabulary but has to have step-by-step instructions to complete a hack. And then there are “gray hat” hackers, who have mixed motives. (I don’t recall ever seeing a movie with a cowboy in a gray hat; the battle was usually one of good versus evil, with no moral room for people sitting on the fence.)
So what are the differences?
The white hats are the good hackers, people who scan networks and find security problems and tell the system owners – the business, the government entity – about the problem without exploiting it.
They can work mostly unasked, like the white-hatted cowboy who rides into town, takes care of the bad guys and then rides off into the sunset. White hats work to expose phishing schemes and try to shut down the Web sites and networks of such scammers. Companies sometimes hire white hats to work at what’s call penetration testing – testing networks and systems to see just who can break in and how.
Then there are the black hats: They go after systems and people for profit, stealing credit cards or Social Security numbers, or other information worth money. Black hats are the phishers and botnet owners of the world.
Black hats also go after other sensitive corporate information to use in extortion schemes – either to use the stolen information itself or just the potentially embarrassing fact that they could break in. There are rumors that black hats make much more money being paid by companies to keep their exploits out of the news than by the actual thefts. Black hats are also known as “crackers,” for “cracking” a computer system like a bank safe.
Gray hats are somewhere in the middle. A gray hat might crack a business or government system out of curiosity or to impress other hackers, and then use their new access for their own private storage space on the servers for their own music collections, which may or may not legit. The gray hat might eventually tell the business they broke in, or ask for a job with them.
And then there are the script kiddies, the wannabe cowboys who are “all hat and no cattle.” They want to be black hats, but they don’t know enough to work on their own. As a result they use either programs known as scripts or a script along with detailed step-by-step instructions to break into systems. Some of the recent wireless security breaches in the news were the result of script kiddies, which shows both that information on how to hack systems is readily available and that there are still many crackable systems out there. The bottom line for the many types of hackers may simply be the information involved, rather than the money.
It’s said that information wants to be free. White Hats realize that trying to keep information from script kiddies is useless and believe that restricting any information is the real evil. Black Hats feel all software should be free and flaws in any program – commercial or open source – should be widely known.
Hacking also can be political: White hats might help circumvent the restrictions placed on YouTube by the governments of China or Pakistan, or help people use public key encryption for e-mail so news can pass – unidentified as subversive information – through restrictive government firewalls. Either color of hat could be hired to hack by a government, or to help keep its own systems from being hacked.
In the fluid world of the Internet, the color of a hacker’s hat isn’t definitive, and profit and ethical motives can be mixed. Next week, let’s forget about black and gray hats and consider another interesting question: How does a White Hat hacker go about ethically hacking?
Follow-ups: Still getting spam? According to new research (www.tinyurl.com/yowmw8), six botnets are now churning out 85 percent of all spam (the once powerful Storm botnet is nearly dead) and the largest botnets are ganging up to spam for the same products.