Throughout my career I have always thought that offensive security is awesome. That’s why I personally liked the term hacker, gray hat, black hat, etc. a lot because it highlights a lot of aspects in one single term. This is not necessarily an opinion everybody shares. Being prepared and ready to engage in offensive security with the highest possible gurus, expertise, passion and dedication are the main things to achieve success in it, along with a breaker mentality to dig out the most hidden detail in a system. Also, many people believe the principles for offensive thinking cannot be learned, you should have already certain abilities or talents such as:
- breaking with a tunnel (nc -lnvp 1337?);
- obtaining power (sudo su?);
- disobeying restrictions (chmod 777?).
Nevertheless, offensive thinkers probably know that:
- breaking is in fact “Usage”;
- power is related to the level of your understanding;
- restrictions are just mechanisms in the right hands.
In any case, what does a black hat looks like? The folklore tells us of a guy wearing a hoodie which is a genius computer hacker in a dark room. This is possibly true, but it doesn’t say too much about its life and motives. Although hackers are by no means a homogeneous group, blackhat hackers, often known simply by the term blackhats, are classified as the “bad guys” of the hacker world. Such hackers often have no particular care for the rule of law, the systems that they disrupt, or what ill effects that they cause. Blackhats are distinguished from whitehats, “the good guys”, who are often found working to foil the efforts of the blackhats, and grayhats, who ride the line between the two, often crossing from one side to the other.
Nonetheless for me the important part in labeling white hats and black hats is removing completely the concept of morality and ethics from the definition. What does this mean in practice, then, if we are going to remove ethics from the explanation, and how can we justify the existence of black hats?
In the reality of cyber warfare or industrial espionage, using our definition of a black hat, those individuals attacking a specific system would certainly be categorized as black hat hackers because they would be attacking without the approval of the system owners; however, the attackers would be motivated to conduct their attack within the belief that it benefits either family, community, homeland, or a combination of each; by framing their activities within this ethical framework, their attack would be seen as legitimate and appropriate by both the attacker and those who would benefit from the attack (such as a government entity maybe).
It seems difficult to justify the notion that black hats are potentially beneficial mainly because many of them just want to see the world burn. Black-hat hackers don’t always need a reason to hack a website. Sometimes they just want to play around and see what they can get away with. Additionally, the darker side of this hacker spectrum can be further subcategorized into different camps: cybercriminals, cyber spies, cyber terrorists and hacktivists. Then, what motivates this diverse assortment of black hats? A huge array of incentives and goals strongly attract hackers including money, bragging rights, revenge, media attention, advancement of their beliefs, the pursuit of valuable data and as I mentioned even pure amusement. Another aspect is that usually these black hats choose to have a lonely career, but those who collaborate in a group are often very notorious. As you might imply, hacking teams have successfully caught the attention of international media and IT community for their sophisticated attacks against people, multinational corporations, governments, etc.
Black hats capitalize on a diverse assortment of private and public means to communicate and collaborate. In search of recognition and self-satisfaction, some prolific hackers take to social media sites to publicly boast of their exploits, embarrass their targets and expose poor security practices often by offering tutos or know-hows on their practices. Others may choose to communicate in cryptic hacking communities and legally secret forums many of which can be found on the fringes of the surface Web, accessible with a simple Google search.
Having said that, though, there was a recent to ban hacking tutorials from diverse streaming platforms like YouTube. YouTube maintains a list of community guidelines that govern the types of videos that may be uploaded, and of course YouTube’s Harmful or Dangerous Content filter does not distinguish between white-hat hacking and black-hat hacking. In my opinion, hacking education is not only harmless, but it can also be beneficial. Of course, the biggest argument against hacker education is that it essentially teaches students how to commit a crime. Even so, there are other, arguably better places for a would-be hacker to get this information, honestly. There are many social platforms often simultaneously serving as a public square, university and marketplace. Data, knowledge and software are the primary commodities; the exchange of exploits, malware, information, tutorials and tools are common among members. Banning hacker education is not going to stop someone from learning how to hack. Hackers by their very nature are creative, and hacker criminals do not play by the rules.
Hence, no matter if you are white hat or black hat your skills should always be offensive-based, so when you approach security, you will be able to do so from the perspective of the attacker, if you don’t do this, I am afraid you are completely lost in the game. In retrospective:
- the dark side is powerful;
- sometimes the light side is paralyzed by dogmas, excessive trust in security vendors and by avoiding the knowledge of the dark side;
- with this approach the Sith can rule the galaxy (or be successful in their attacks many times).
If you shame attack research, you misjudge its contribution. Offense and defense aren’t peers. Defense is offense child.