Black Hats, White Hats, and LIGATT Security

Monday, February 07, 2011

Sam Bowne


Background

Gregory Evans runs a company named LIGATT Security, which has been notorious in the information security community for years.

He has been accused of plagiarism, falsifying his credentials, threatening researchers, and many other misdeeds, as detailed at Attrition.org.

A lot of security professionals have been resisting Evans' activities, including me. This week, someone ran out of patience with Evans.

Two of his sites went down completely, and his entire email database was stolen and released onto the torrents. These emails reportedly include personal information about Evans, his contacts and his victims.

I assumed that this was the work of an external attacker, but Jericho and Marcus J. Carey pointed out to me that it may have been an internal whistleblower who released the emails.  

Whoever it was, he or she couldn't even be bothered to use a search-and-replace function to remove Social Security numbers, bank account routing numbers, etc.  Details are posted HERE.

If the emails were taken by hacking from the outside, that would be clearly illegal and unethical.  If it was a whistleblower, special protections and exigent circumstances may apply.

White Hats v. Black Hats

I posted an angry condemnation of this act on the MPICT blog. The responses I got disturbed me.  

Reputable security professionals told me sternly that there are no "white hat" and "black hat" hackers, everyone is gray, and such labels are worthless.  I don't agree at all, and all the protests have not changed my mind.

To more clearly understand this disagreement, I made a simple online poll to find out how certified security professionals viewed their Code of Ethics.

The results made me feel a lot better about the state of our profession: most professionals always or almost always obey the Code of Ethics.

So why do people who really are the good guys protest when I call them "white hats" and say that they are very different from the criminals who spread malware, take down websites, and steal credit card numbers?  I can only guess about that - and here are my guesses:

1.  Exaggerated guilt and shame:  Perhaps a "white hat" has downloaded some pirated MP3 files, or re-used a product key, or done some other petty crime.  Therefore they are no longer perfect.  But a trusted security professional is not required to be perfect--just reasonably responsible and honest.

2.  Desire to be "cool":  I personally have no problem with being an insufferable self-righteous prude. However, this attitude is not generally regarded as fun at parties, and adopting a lax, casual persona may make it easier to fit in.

3.  Criminal associations:  Perhaps certified professionals have friends who are "black hats", and they are unwilling to condemn them or their activities. 

I remain convinced that the world of infosec is really polarized, like other aspects of law enforcement.

The "white hats" help protect society, obey the law, and can be trusted; while the "black hats" lie, steal, extort, hurt people, and cannot be trusted.  There are exceptions, but that model describes the most common situations.

I welcome comments.

Legal Note:  The opinions stated here are my own, and do not necessarily represent the positions of MPICT, CCSF, or any of my other employers.  (Sam Bowne)

When this article was first published, it contained an error, incorrectly referring to Marcus J. Carey as a member of Attrition.org.  Infosec Island staff corrected that error, but, regrettably, did not insert a note explaining the change.  We apologize for any confusion this may have caused.
Kenneth Bechtel:

Many who have less than 5 years in the industry are not grounded in practicality; they know everything from either what they were taught in school or a limited self-experimentation. They are very naive, and think that everyone has the same ideals and morals they themselves possess. It's these same people who make incorrect assumptions that call for full disclosure, rather than responsible disclosure (look guys, YOU may be able to create a temporary patch for your system, but could your GRANDMOTHER? Then how many have less than ethical morals that will use that same info to create exploits?). If you look at it logically, the number who will use the information in a responsible, reasonable manner vs. unethical, illegal, may be a wash percentage-wise; add in those who just don't care ("Let Microsoft deal with it" attitudes), and the ethical, responsible researcher is in the minority. Give them time: they will either mature to the point of realizing evil exists, and there is such a thing as bad people, and not all people are good, or they will move out of the field.
Sam Bowne:

Kenneth:

That rings true for me. One of my ex-students has been defending the Anonymous hack of H B Gary to me, and saying there's no real difference between good and evil anyway. I think people who are that confused should just stay out of the battle until they get their head straight and decide what side they are on.
Sam Bowne:

Silas Cutler posted a response here:

http://bit.ly/dHIEfq

His blog does not allow me to comment there from an iPad, so I am replying here.

Silas,

Thanks for your response! I appreciate you joining the conversation.

There have always been politically-motivated criminals as well as those who seek only money. But once you become a CEH or CISSP or CSO, etc., you have to agree not to be a criminal anymore, of any sort. It's like a priest's vow of celibacy. And it has to be that way, because if you are not held to a Code, and not answerable to any authority, how can you be trusted?
Kenneth Bechtel:

As a practitioner of computer security, or the art of protective computing (however you want to call it), we do owe it to our customers/employers/colleagues to appear, to the highest degree, to be above reproach. That doesn't mean we're infallible and don't stray, but we need to do our best not to appear biased or untrustworthy. Any errors made must be met with a full accounting. This is the only way we can be trusted with the frakels of the company, or the most sentimental valuables of the home user. If we're not trustworthy, we're useless in this field.
Sam Bowne:

The following posts came to me via Twitter. They may, I suppose, be regarded as a response from Anonymous.

“@Peaceful_Anon: @sambowne ohhh Dear Aren´t you a member of pro-jester InfoSEXIsland? Are you improving your code or stil fraking How Evil We Are”

“@Peaceful_Anon: @sambowne Trolled LOL”

“@Peaceful_Anon: @sambowne You show your admiration toward the jester here http://bit.ly/geboBV all the members from @InfosecIsland are pro-jester”

“@Peaceful_Anon: @sambowne You are wrong, Akamai Couldnt protect Visa (now hosted in Prolexic Tech) that was taken down with our "dumb easily traceable" LOIC”

“@Peaceful_Anon: @sambowne Im just a "kid" learning from you & watching your videos. The jester doesnt act alone his las attack against wikileaks was 10 Gbps”

Apparently there is some history of the Jester here, or at least that person thinks so.