The Inner World of Gov-Sponsored White-Hat Hacking

romanval writes "Anonymous leaked emails of white-hat hacker firm HBGary shows how it develops and markets products to government agencies. From the article: 'In 2009, HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as "Task B." The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner's knowledge. They focused on ports—a laptop's interfaces to the world around it—including the familiar USB port, the less-common PCMCIA Type II card slot, the smaller ExpressCard slot, WiFi, and Firewire. No laptop would have all of these, but most recent machines would have at least two.'"

Re:Black hat not White

[Anonymous Coward]

It's very simple. Once you discover an exploit in someones code, you can choose to either inform them so they can fix it (White Hat) or withhold the discovery for personal gain (Black Hat).

submitter here

[romanval]

I was gonna put quotes (") around "white hat" but I was out of space. Slashdot needs to accept longer titles.

This title for was difficult to make because the TFA has subject matter that's all over the map: Collections of 0-day unpublished exploit vectors, rootkits with keyboard loggers disguising payload as ad click tracking data, and social network tracking via bot accounts. Tough to summarize in just 50 characters.

black, white, gray...

[DEmmons]

It was my understanding, gleaned from sources including the good old Jargon File, that one of the most agreed upon standards for hat color definition is a combination of permission and intention:

• White Hats are hired or are granted permission to attempt to crack a system's security by the owner(s), usually for the purpose of auditing security, discovering vulnerabilities, and understanding how to fix or minimize them.
• Gray Hats crack security without authorization, but have no ill intentions once they succeed. These are either practicing their art for practice's sake, doing the owners a favor (unsolicited) by letting them know where the vulnerabilities are so they can fix it, or most likely both.
• Black Hats crack security maliciously, for a wide variety of reasons - some personal, some financial, and some political. They intend to steal, vandalize, or otherwise harm the owners. Self-styled hacktivists may be an exception to some as they have intentions that they may believe are good, but in general fit here because they have niether the permission nor the intention of doing any good for the system's owners. This is probably the case for Cyber Warriors as well - those who are cracking security by order from their government, as soldiers in an online (but very real) war, or as spies. in these cases, it could mean that even a black hat isn't necessarily evil - and anyway, determining good and evil are probably outside of the scope of the discussion.

This is, of course, not the only way in which these terms are used, and they do in fact derive from the old spaghetti western convention of good guys in white cowboy hats, and bad guys in black. Technically, HBGary in TFA was not asked to do any form of cracking, just to develop tools and strategies. These tools, of course, were obviously for government-sanctioned attacks, and would have ended up in the hands of cyber warriors / spies. In use, it would probably qualify as a black-hat operation, although ostensibly for the cause of good if the ultimate goal is to thwart terrorists (though it must be kept in mind that many terrorists believe they are on the side of good. it's a strange world).