Gregory Evans runs a company named LIGATT security, which has been notorious in the information security community for years.
He has been accused of plagiarism, falsifying his credentials, threatening researchers, and many other misdeeds, as detailed at Attrition.org.
A lot of security professionals have been resisting Evans' activities, including me. This week, someone ran out of patience with Evans.
Two of his sites went down completely, and his entire email database was stolen and released onto the torrents. These emails reportedly include personal information about Evans, his contacts and his victims.
I assumed that this was the work of an external attacker, but Jericho and Marcus J. Carey pointed out to me that it may have been an internal whistleblower who released the emails.
Whoever it was, he or she couldn't even be bothered to use a search-and-replace function to remove Social Security numbers, bank account routing numbers, etc. Details are posted HERE.
If the emails were taken by hacking from the outside, that would be clearly illegal and unethical. If it was a whistleblower, special protections and exigent circumstances may apply.
White Hats v. Black Hats
I posted an angry condemnation of this act on the MPICT blog. The responses I got disturbed me.
Reputable security professionals told me sternly that there are no "white hat" and "black hat" hackers, everyone is gray, and such labels are worthless. I don't agree at all, and all the protests have not changed my mind.
To more clearly understand this disagreement, I made a simple online poll to find out how certified security professionals viewed their Code of Ethics.
The results made me feel a lot better about the state of our profession: most professionals always or almost always obey the Code of Ethics.
So why do people who really are the good guys protest when I call them "white hats" and say that they are very different from the criminals who spread malware, take down websites, and steal credit card numbers? I can only guess about that - and here are my guesses:
1. Exaggerated guilt and shame: Perhaps a "white hat" has downloaded some pirated MP3 files, or re-used a product key, or done some other petty crime.
Therefore they are no longer perfect. But a trusted security professional is not required to be perfect--just reasonably responsible and honest.
2. Desire to be "cool": I personally have no problem with being an insufferable self-righteous prude. However, this attitude is not generally regarded as fun at parties, and adopting a lax, casual persona may make it easier to fit in.
3. Criminal associations: Perhaps certified professionals have friends who are "black hats", and they are unwilling to condemn them or their activities.
I remain convinced that the world of infosec is really polarized, like other aspects of law enforcement.
The "white hats" help protect society, obey the law, and can be trusted; while the "black hats" lie, steal, extort, hurt people, and cannot be trusted. There are exceptions, but that model describes the most common situations.
I welcome comments.
Legal Note: The opinions stated here are my own, and do not necessarily represent the positions of MPICT, CCSF, or any of my other employers. (Sam Bowne)When this article was first published, it contained an error, incorrectly referring to Marcus J. Carey as a member of Attriton.org. Infosec Island staff corrected that error, but, regrettably, did not insert a note explaining the change. We apologize for any confusion this may have caused.